User Account Control (UAC) and Server Core

A slight detour from the Windows Server 2008 R2 posts this time around to cover a topic that has been coming up recently: UAC on Server Core.

UAC is not available in Server Core, since it is a command line only interface, doesn’t have IE, or support for user applications. In addition, to use UAC with the command prompt you need to have the Explorer Shell so that you can click Start, right click on Command Prompt, and select run as administrator, which obviously isn’t possible on Server Core.

If the registry entry that controls UAC is modified on a Server Core installation, it will make doing anything at the command prompt very difficult. Running most anything will result in access denied or other related errors, depending on how UAC aware what you are trying to run is. A quick way to determine if UAC is what is causing the error is to run regedit. If UAC is enable you will receive an error dialog that says “The specified service does not exist as an installed service.” and clicking Ok will return “Access is denied.” on the command line.

To resolve this you can:

· If you are using Group Policy to configure your servers and put a server running the Server Core installation into an OU that enables UAC, move the server to another OU that doesn’t enforce UAC and let Group Policy change the setting.

· If UAC was manually configured, disable UAC by remotely modifying the registry

· Logon using the built-in administrator to perform your admin task or disable UAC.

To disable UAC on Server Core you can use reg.exe or regedit.exe to set the EnableLUA value under the following Registry path to 0 and reboot:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

More on Windows Server 2008 R2 next time.

Comments

  • Anonymous
    January 01, 2003
    PingBack from http://www.ditii.com/2009/01/20/user-account-control-uac-and-server-core/

  • Anonymous
    June 08, 2010
    It would probably be a good idea for Server Core to ignore UAC being set from group policy.

  • Anonymous
    August 27, 2010
    The comment has been removed

  • Anonymous
    March 06, 2011
    I agree with Joshua above!  If the GUI can't support it, why is Server Core even looking and obeying UAC registry entries / group policy!?  Bizarre...

  • Anonymous
    March 06, 2011
    Hang on - Looks like this article is incorrect.  According to this article, blogs.msdn.com/.../disabling-user-account-control-uac-on-windows-server.aspx, UAC is always enabled on 2008 R2.  However, it was possible to enable it on 2008.

  • Anonymous
    March 08, 2012
    "Hang on - Looks like this article is incorrect.  According to this article, blogs.msdn.com/.../disabling-user-account-control-uac-on-windows-server.aspx, UAC is always enabled on 2008 R2.  However, it was possible to enable it on 2008." You missed the part at the very end that said: "Note also that UAC is always disabled on Windows Server 2008 R2 Server Core and should always be kept disabled on Windows Server 2008 Server Core. A hotfix is available for Windows Server 2008 Server Core (KB 969371) to prevent UAC from being enabled accidentally."

  • Anonymous
    June 02, 2015
    please do not send me messages i am not at all interested in working with uber.

  • Anonymous
    April 12, 2016
    Thanks for the information above you provided
    http://indguru.com