Creating a new Active Directory forest and domain on Windows Server 2019 recently, I found that the domain administrator could not open Network Connections. This happened when right-clicking the Network icon on the taskbar to open Network & Internet Settings, selecting Ethernet, and clicking “Change adapter options”.
It only occurs when opening Network Connections through Windows Settings. There is no problem opening Network Connections through Control Panel or directly by running ncpa.cpl. And it only affects the domain administrator: other users, including other members of Domain Admins, do not experience the problem, but the domain administrator has it on every computer in the domain.
It appears that in building Windows Settings as the replacement for Control Panel, Microsoft did not correctly handle opening Network Connections for the built-in Administrator account. The behaviour is controlled by the security policy “User Account Control: Admin Approval Mode for the Built-in Administrator account”. The built-in Administrator is the account with relative identifier (RID) 500, which is the domain’s Administrator account on a domain controller and the local Administrator on a member computer, and the check is on the RID, so renaming the account does not change anything. When the policy is Enabled, that account is treated like any other member of Administrators: it logs on with a filtered (standard-user) token, and any operation that requires privilege elevation prompts for approval. When the policy is Disabled, which is the default, the account runs every operation with its full administrative token and is never prompted.
The setting is found under Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options. In a Group Policy Object it is Not Defined by default, which leaves the local default of Disabled in effect.
When it is set to Enabled, the domain administrator can open Network Connections through Windows Settings. But this means that the administrator will be prompted every time a privilege elevation is needed. The irony is that opening Network Connections has never required elevation for a member of the local Administrators group. (Note that Domain Admins is added to Administrators on every member computer.) Enabling the policy is also what the common security baselines recommend, since leaving it Disabled keeps one account that bypasses UAC completely.
Enabling Admin Approval Mode for the Built-in Administrator account fixes opening Network Connections through Windows Settings, but since it is a per-computer setting that would have to be applied on every domain computer, it should be done through Group Policy. When done only for the domain controllers, it affects only the domain administrator account, because the domain’s RID-500 account is the only built-in Administrator that logs on to a domain controller. When done domain-wide, it affects both the domain administrator and the local administrator on every domain computer. Therefore it is probably best to define it only in the Default Domain Controllers Policy and leave it undefined in the Default Domain Policy, so it does not interfere with the local administrator on the domain computers. One caveat: UAC reads the setting from the computer the account logs on to, so a policy applied only to domain controllers fixes the Settings link only for logons to the domain controllers. On member computers the domain administrator still has the problem, but it is easily worked around by using Control Panel or running ncpa.cpl directly.
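The following PowerShell script is an added example, not part of the original post. It reports the effective policy on the computer it runs on, whether the current logon is the built-in Administrator (RID 500), and whether the session already holds a full administrator token, which is the combination that breaks the Settings link. It assumes the policy maps to the FilterAdministratorToken DWORD under the Policies\System key, which is the registry value behind this Security Option. The commented Set-GPRegistryValue line shows one way to push the same value into the Default Domain Controllers Policy from a script; it is an assumption rather than something the post describes, and a value written that way lands under the GPO’s registry policy rather than its Security Options node.

```powershell
# Added example: inspect the "Admin Approval Mode for the Built-in
# Administrator account" setting on this computer. Assumption: the policy is
# stored as the FilterAdministratorToken DWORD under this key.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-AdminApprovalModeForBuiltinAdmin {
    # 1 = Enabled (RID-500 account gets a filtered token and UAC prompts).
    # 0 or absent = Disabled (full token, never prompted); this is the default.
    $item = Get-ItemProperty -Path $policyKey -Name FilterAdministratorToken -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Disabled (value absent, default)' }
    if ($item.FilterAdministratorToken -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Test-BuiltinAdministrator {
    # The built-in Administrator of a domain or of a local machine is the
    # account whose SID ends in RID 500. Check the SID, not the name, because
    # the account may have been renamed.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    return $sid -match '-500$'
}

function Test-ElevatedSession {
    # True when this process runs with a full administrator token, i.e. the
    # Administrators group is enabled in the token rather than deny-only.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

"Admin Approval Mode for built-in Administrator : $(Get-AdminApprovalModeForBuiltinAdmin)"
"Current account is built-in Administrator (RID 500) : $(Test-BuiltinAdministrator)"
"Session already holds a full administrator token : $(Test-ElevatedSession)"

if ((Test-BuiltinAdministrator) -and (Get-AdminApprovalModeForBuiltinAdmin) -notlike 'Enabled*') {
    "This is the combination where the Settings link fails; use Control Panel or ncpa.cpl."
}

# Both of these open Network Connections regardless of the policy:
#   control.exe ncpa.cpl
#   ncpa.cpl

# Assumed alternative to the GPMC editor (requires the GroupPolicy module on a
# DC or RSAT host). Writes the value into the Default Domain Controllers Policy
# only, matching the post's recommendation; it is applied at the next policy
# refresh on the domain controllers.
#   Set-GPRegistryValue -Name 'Default Domain Controllers Policy' `
#       -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
#       -ValueName 'FilterAdministratorToken' -Type DWord -Value 1
```

Run the script as the domain administrator once on a domain controller and once on a member computer: after the Default Domain Controllers Policy change and a `gpupdate /force`, the domain controller reports Enabled while the member computer still reports Disabled, which is why the workaround through ncpa.cpl is still needed there.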