KnowledgeBase: Incorrect results when you run AD Windows PowerShell Cmdlets on a Windows Server 2012 or Windows Server 2008 R2-based Domain Controller

Windows Server 2008 R2 and Windows Server 2012-based Domain Controllers (as well as Windows 7 and Windows 8 management workstations with the Remote Server Administration Tools installed) offer the built-in ability to manage Active Directory through PowerShell. Windows 7 and Windows Server 2008 R2 offer 76 Active Directory Management PowerShell Cmdlets and 15 Active Directory Provider PowerShell Cmdlets. Windows 8 and Windows Server 2012 offer 68 additional PowerShell Cmdlets.

Last month, Microsoft fixed an issue with these PowerShell Cmdlets in combination with User Account Control (UAC): on a Windows Server 2012 or Windows Server 2008 R2-based Domain Controller with UAC enabled, Active Directory PowerShell Cmdlets would return incorrect results.


The situation

Microsoft has identified two scenarios where you would get incorrect results:

Situation 1

In the first situation, you log on to a Domain Controller with UAC enabled as an administrator (not the built-in Administrator account) and first start (the Active Directory Module for) Windows PowerShell directly, without elevating it. When you then open a second (Active Directory Module for) Windows PowerShell window elevated as an administrator, you still get Access Denied messages in that elevated window.

The screenshot below shows this situation:

Access Denied Errors for both the elevated and non-elevated Windows PowerShell window

Situation 2

In the second situation, you first start (the Active Directory Module for) Windows PowerShell elevated as an administrator and then perform a similar action in a second instance of (the Active Directory Module for) Windows PowerShell that is not elevated. In this case the action would succeed.


The resolution

Workarounds

Several workarounds are available to address the specific issues:

  • Do not log on interactively to Domain Controllers to perform actions in Active Directory. Instead use the Remote Server Administration Tools.
  • Do not log on interactively to Domain Controllers but instead use Windows PowerShell from a (Windows 7 or Windows 8-based) management workstation or (Windows Server 2008 R2 or Windows Server 2012-based) management server.

Also, the built-in Administrator account does not encounter the situations above, since User Account Control (UAC) does not apply to the built-in Administrator account (the account with RID 500). All programs will be run with all privileges. While I strongly condemn the interactive use of this account, using it is a workaround for the specific situations mentioned above.

Hotfix

Hotfixes are available to address this issue:

For Windows Server 2012-based Domain Controllers, install the May 2013 update rollup, as described in Microsoft KnowledgeBase article 2836988. You must restart the Domain Controller(s) after you apply this update.

For Windows Server 2008 R2 and Windows Server 2008 R2 with Service Pack 1-based Domain Controllers, install update 2806748. You must restart the Domain Controller(s) after you apply this update.
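The following Windows PowerShell snippet is an added example, not part of the original post or of Microsoft's hotfix guidance. It covers both the workarounds and the hotfix sections above: it reports whether the current session is elevated, whether it runs as the built-in Administrator (RID 500, to which UAC does not apply), whether the machine is a Domain Controller, and whether the update from the article (2806748 for Windows Server 2008 R2, the May 2013 rollup 2836988 for Windows Server 2012) appears in the installed-updates list. The final lines show the recommended workaround of targeting a Domain Controller from a management workstation with the Remote Server Administration Tools; the Domain Controller name `DC01` is a placeholder.

```powershell
# Added example: determine whether this session is in one of the UAC situations
# described above, and whether the fixing update is present.
# Assumes Windows 7/8 or Windows Server 2008 R2/2012 with the ActiveDirectory module.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# Elevated window = the full administrator token is in use (not the UAC-filtered one)
$isElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# Built-in Administrator account: the SID of the current user ends in RID 500
$isBuiltinAdmin = $identity.User.Value -match '-500$'

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
$os   = Get-WmiObject -Class Win32_OperatingSystem
$isDC = ($os.ProductType -eq 2)

"Elevated session      : $isElevated"
"Built-in Administrator: $isBuiltinAdmin"
"Running on a DC       : $isDC"

if ($isDC -and -not $isBuiltinAdmin) {
    Write-Warning "Interactive AD cmdlet use on a DC with UAC is subject to the issue; verify the hotfix or manage from a workstation."
}

# Pick the update that applies to this OS (6.1 = 2008 R2 / Windows 7, 6.2 = 2012 / Windows 8).
$kb = if ($os.Version -like '6.1.*') { 'KB2806748' }
      elseif ($os.Version -like '6.2.*') { 'KB2836988' }
      else { $null }

if ($kb) {
    $installed = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($installed) { "$kb is installed (installed on $($installed.InstalledOn))" }
    else            { Write-Warning "$kb is not installed on this machine" }
}

# Workaround: run the AD cmdlets from a management workstation or server with RSAT,
# naming the Domain Controller explicitly instead of logging on to it interactively.
# 'DC01' is a placeholder for one of your Domain Controllers.
Import-Module ActiveDirectory
Get-ADDomainController -Identity 'DC01' | Select-Object Name, OperatingSystem, IsGlobalCatalog
```

Run it once from a non-elevated window and once from an elevated window on the same Domain Controller to see the two token states the situations above depend on; if the update is reported as installed and the Domain Controller has been restarted since, the elevated window should no longer report Access Denied.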

Related KnowledgeBase articles

2806748 Incorrect results when you run AD Windows PowerShell Cmdlets on a Windows Server 2012 or Windows Server 2008 R2-based Domain Controller
2836988 Windows 8 and Windows Server 2012 update rollup: May 2013

Related blogposts

New features in AD DS in Windows Server 2012, Part 4: New PowerShell Cmdlets

Further reading

Use Windows PowerShell Commands in Windows Server 2012
Active Directory Cmdlets in Windows PowerShell
Introduction to Active Directory Replication and Topology Management Using PowerShell
Advanced Active Directory Replication and Topology Management Using PowerShell
Windows Server 2012 AD DS Administration Cmdlets in Windows PowerShell
PowerShell oneliners to get information about your Active Directory infrastructure
