Windows Server 2012 R2: Resolving Permission Discrepancies Between Local Admin User and Built-in Administrator Account


2 views

When working with Windows Server 2012 R2 without Active Directory, many administrators encounter a puzzling scenario: a user account added to the local Administrators group doesn't inherit the same privileges as the built-in Administrator account. Let's examine this behavior through two concrete examples:

// Example 1: File system permissions issue
$file = "C:\\Windows\\System32\\drivers\\etc\\hosts"
$acl = Get-Acl $file
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("DOMAIN\\User","FullControl","Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $file -AclObject $acl  // Fails for admin user, works for Administrator

The Windows security model implements several protection layers that create this disparity:

  • User Account Control (UAC): Local admin accounts operate with filtered tokens by default
  • Protected Administrator Account: The built-in Administrator has special exemptions
  • Security Component: Certain operations require SYSTEM-level privileges

To align the permissions of your admin user with the built-in Administrator account:

# Solution 1: Disable UAC filtering for administrators
New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 
-Name FilterAdministratorToken -Value 0 -PropertyType DWORD -Force

# Solution 2: Enable the built-in Administrator account (if acceptable)
net user Administrator /active:yes

# Solution 3: Modify IE ESC settings specifically
$key = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
Set-ItemProperty -Path $key -Name IsInstalled -Value 0

For SYSTEM-owned files where your admin user needs full control:

# Take ownership first (requires elevation even for administrators)
takeown /f "C:\path\to\file" /a

# Then grant full control
icacls "C:\path\to\file" /grant Administrators:F /t /c

Some settings like IE Enhanced Security Configuration have additional registry controls:

# Check current IE ESC settings
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"

# Disable for all users
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -Name IsInstalled -Value 0
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -Name IsInstalled -Value 0

When working with Windows Server 2012 R2's local accounts, I discovered an interesting behavior: users added to the Administrators group don't automatically receive identical privileges to the built-in Administrator account. This manifests in two specific scenarios:

// Scenario 1: File system permissions
TakeOwnership /F "C:\Protected\SystemFile.log" /A
// Works for Administrator, fails for Administrators group members

// Scenario 2: IE Enhanced Security
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -Name IsInstalled
// Returns 0 for Administrator, 1 for group members

The built-in Administrator account has some special characteristics in Windows:

  • Bypasses User Account Control (UAC) prompts by default
  • Has implicit "Take Ownership" privilege
  • Ignores some Group Policy restrictions

To make an Administrators group member fully equivalent, we need to explicitly grant these rights:

# PowerShell script to enable full administrative rights
$user = "LocalAdminUser"

# Grant SeTakeOwnershipPrivilege
secedit /export /cfg $env:temp\secpol.cfg
(Get-Content $env:temp\secpol.cfg) -replace "SeTakeOwnershipPrivilege = ", "SeTakeOwnershipPrivilege = $user" | Out-File $env:temp\secpol.cfg
secedit /configure /db $env:temp\secedit.sdb /cfg $env:temp\secpol.cfg

# Disable IE ESC for the specific user
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -Name "IsInstalled" -Value 0 -Force

Some settings like IE Enhanced Security actually check both group membership and explicit user permissions. The following registry keys control this behavior:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
"IsInstalled"=dword:00000000
"Version"="1,0,0,0"

Rather than trying to perfectly mimic the built-in Administrator, consider these alternatives:

  1. Use the built-in Administrator for SYSTEM-level tasks
  2. Create distinct roles using Local Security Policy
  3. Implement Just-In-Time administration through PAM solutions

The built-in Administrator account exists precisely for these special scenarios where complete system control is needed without security restrictions.