Windows Server 2008 R2 and Windows Server 2012-based Domain Controllers (as well as Windows 7 and Windows 8 management workstations with the Remote Server Administration Tools installed) offer the built-in ability to manage Active Directory through PowerShell. Windows 7 and Windows Server 2008 R2 offer 76 Active Directory Management PowerShell Cmdlets and 15 Active Directory Provider PowerShell Cmdlets. Windows 8 and Windows Server 2012 offer 68 additional PowerShell Cmdlets.
Last month, Microsoft fixed an issue in the interaction between these PowerShell Cmdlets and User Account Control (UAC): you would get incorrect results when you run Active Directory PowerShell Cmdlets on a Windows Server 2012 or Windows Server 2008 R2-based Domain Controller with UAC enabled.
The situation
Microsoft has identified two scenarios where you would get incorrect results:
Situation 1
In the first situation, you log on to a Domain Controller with UAC enabled and start (the Active Directory Module for) Windows PowerShell directly, without elevating it with administrator privilege. When you then open a second PowerShell window elevated as an administrator (not the built-in Administrator account) and run the same Active Directory Cmdlets, you would still get Access Denied messages.
The screenshot below shows this situation:
Situation 2
In the second situation, you first start (the Active Directory Module for) Windows PowerShell elevated as an administrator and then perform a similar action in a second instance of (the Active Directory Module for) Windows PowerShell that is not elevated. In this case the action would succeed, even though the second instance is not elevated.
The resolution
Workarounds
Several workarounds are available to address the specific issues:
- Do not log on interactively to Domain Controllers to perform actions in Active Directory. Instead use the Remote Server Administration Tools.
- Do not log on interactively to Domain Controllers but instead use Windows PowerShell from a (Windows 7 or Windows 8-based) management workstation or (Windows Server 2008 R2 or Windows Server 2012-based) management server.
Also, the built-in Administrator account does not encounter the situations above, since User Account Control (UAC) does not apply to the built-in Administrator account (the account with RID 500). All programs will be run with all privileges. While I strongly condemn the interactive use of this account, using it is a workaround for the specific situations mentioned above.
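As an added example (not code from the original post), the following pre-flight script makes the two workarounds above checkable before you run Active Directory Cmdlets: it reports whether the current session is elevated, whether the account is the built-in Administrator (RID 500), refuses to continue when the script is running interactively on a Domain Controller, and otherwise targets a named Domain Controller from a management workstation with the Remote Server Administration Tools installed. The Domain Controller name and the search base are placeholders for your own environment.

```powershell
# Added example: pre-flight checks for the UAC behaviour described above.
# Requires the Active Directory module (RSAT on Windows 7/8, or the AD DS
# tools on a management server). DC name and OU below are placeholders.

# 1. Is this session elevated? Under UAC a non-elevated administrator token
#    is not a member of the Administrators role.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Is this the built-in Administrator account (RID 500)? UAC does not apply
#    to it, which is why it does not hit the situations described in the post.
$isRid500 = $identity.User.Value -like '*-500'

# 3. Is this machine a Domain Controller? Win32_ComputerSystem.DomainRole is
#    4 (backup DC) or 5 (primary DC) on a DC, lower values otherwise.
$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
$isDC = $role -ge 4

Write-Host ("Elevated: {0}  Built-in Administrator: {1}  Domain Controller: {2}" -f $elevated, $isRid500, $isDC)

if ($isDC) {
    # Workaround from the post: do not run AD cmdlets interactively on a DC.
    Write-Warning 'Running interactively on a Domain Controller; run this from a management workstation or server instead.'
    return
}

if (-not $elevated) {
    Write-Warning 'This session is not elevated; results may differ from an elevated session on the same host.'
}

Import-Module ActiveDirectory

# Target a specific DC explicitly so the query path is unambiguous.
$dc         = 'DC01.example.local'            # placeholder
$searchBase = 'OU=Staff,DC=example,DC=local'  # placeholder

Get-ADUser -Filter * -SearchBase $searchBase -Server $dc |
    Select-Object SamAccountName, Enabled
```

The `-Server` parameter is the part that matters for the workaround: it keeps the work on the management workstation while the directory query itself is answered by the Domain Controller you name, so the local UAC token situation on the DC never comes into play.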
Hotfix
Hotfixes are available to address this issue:
For Windows Server 2012-based Domain Controllers, install the May 2013 update rollup, as described in Microsoft KnowledgeBase article 2836988. You must restart the Domain Controller(s) after you apply this update.
For Windows Server 2008 R2 and Windows Server 2008 R2 with Service Pack 1-based Domain Controllers, install update 2806748. You must restart the Domain Controller(s) after you apply this update.
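To confirm that the updates named above are actually present before relying on them, here is an added example (not from the original post) that enumerates the Domain Controllers in the domain and reports, per DC, which of the two KB numbers is installed and which is missing. The KB numbers come from the post; `Get-HotFix` reads the same data as `Win32_QuickFixEngineering`, so an update applied by other means than Windows Update or a .msu package may not be listed.

```powershell
# Added example: report installation state of the hotfixes named in the post
# on every Domain Controller. Run from a management workstation with RSAT.
Import-Module ActiveDirectory

# KB numbers from the post: 2806748 (Windows Server 2008 R2 / R2 SP1) and
# 2836988 (May 2013 update rollup for Windows Server 2012).
$kbs = 'KB2806748', 'KB2836988'

$dcs = (Get-ADDomainController -Filter *).HostName

foreach ($dc in $dcs) {
    $os = (Get-WmiObject -Class Win32_OperatingSystem -ComputerName $dc -ErrorAction SilentlyContinue).Caption

    # Which of the listed KBs are present on this DC?
    $installed = Get-HotFix -ComputerName $dc -ErrorAction SilentlyContinue |
        Where-Object { $kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    # Only the KB that matches the DC's OS is expected; the other is informational.
    $missing = $kbs | Where-Object { $installed -notcontains $_ }

    [pscustomobject]@{
        DomainController = $dc
        OperatingSystem  = $os
        Installed        = ($installed -join ', ')
        Missing          = ($missing -join ', ')
    }
}
```

Remember that each update requires a restart of the Domain Controller; a KB that shows as installed here but has not yet been followed by a reboot is not yet effective.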
Related KnowledgeBase articles
2806748 Incorrect results when you run AD Windows PowerShell Cmdlets on a Windows Server 2012 or Windows Server 2008 R2-based Domain Controller
2836988 Windows 8 and Windows Server 2012 update rollup: May 2013
Related blogposts
New features in AD DS in Windows Server 2012, Part 4: New PowerShell Cmdlets
Further reading
Use Windows PowerShell Commands in Windows Server 2012
Active Directory Cmdlets in Windows PowerShell
Introduction to Active Directory Replication and Topology Management Using PowerShell
Advanced Active Directory Replication and Topology Management Using PowerShell
Windows Server 2012 AD DS Administration Cmdlets in Windows PowerShell
PowerShell oneliners to get information about your Active Directory infrastructure