Windows Domain Admins account cannot run some programs

Question

I have created some domain users in ADUC and added them to the "Domain Admins" group.

On a domain server when I try run a batch file that restart some services, with "net stop ", "net start " and "taskkill ", I get the following error message:

System error 5 has occured.
Access id denied.

And if I try to run the batch file with "Run as administrator" I get the following error message: "This file does not have a program associated with it for performing this action..."

It only works if I open an new cmd as administrator and rund the batch script from there.

What rights do my domain admins account lack?

score 0 · Answer 1 · answered Dec 10 '12 at 13:56

This doesn't look like a particular rights issue, but one that is caused by design by the use of UAC (User Account Control). All accounts except the default "Administrator" account will only have normal user privileges unless the program is elevated (using as you mentioned the "Run as administrator" option).

As for the "...does not have a program associated..." error this sounds like a registry issue based on looking at this article, though that refers to .exe files. On my install, there is **no* key for .bat or .cmd in the registry path mentioned, which is:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts

It may be worth checking if there is on your install which could be interfering.

score 0 · Answer 2 · answered Dec 13 '12 at 09:29

0

I have solved it by disabling UAC(User Account Control) on the servers. But I also know it is not a "Best Practice" solution, if we have security in mind.

Maybe the best is to use GPO to disable UAC for the administrators on the servers.

answered Dec 13 '12 at 09:29

monmon

11
1
2

Windows Domain Admins account cannot run some programs

2 Answers2