When administering Windows servers, I prefer not to use the built-in Administrator account especially when working through Remote Desktop, So I always copy the account to a new account, e.g. MyAdmin, and use that for server admin. That worked great on Server 2003, but in Server 2008 R2, I was encountering all kinds of permissions issues.
Some of the issues I had when logged on as MyAdmin:
- Cannot take ownership of a file
- Cannot see some folders in Windows Explorer
- Cannot create files at root of drive
- Clicking on icons pinned to taskbar displays an “Unknown Publisher” security warning even for Microsoft programs like Internet Explorer
The First Administrator is Special
A Microsoft Partner Support representative pointed out that the first administrator created under Server 2008 and above has different permissions from subsequent administrators. In particular, Admin Approval Mode (AAM) is disabled for this account. This TechNet article explains Admin Approval Mode and who gets it by default.
Disable Admin Approval Mode
In the User Account Control Step-by-Step Guide, under Scenario 3, are instructions on how to disable Admin Approval Mode. (Skip the instructions on disabling User Account Control altogether.) To disable AAM, open Local Security Policy and set Local Policies > Security Options > User Account Control: Run all administrators in Admin Approval Mode to Disabled.
Unknown Publisher
The one remaining issue was the Unknown Publisher warnings on the taskbar. This forum post pointed me in the right direction. Once I added the UNC for the local server (e.g. \\SERVER01) to the list of Local Intranet Sites under Internet Explorer, the Unknown Publisher warnings stopped. Note: under Add this website to the zone, just type the UNC \\SERVER01. Internet Explorer converts it to file://server01.
Thanks. Great read.