Question
Tuesday, April 19, 2016 1:37 PM
Upgraded Win7 to Win10, everything working on Win10, as soon as I join the workstation to the domain and refresh policy I can't open "MS Edge", "Calculator", "Display settings" or "Personalize" menu, I receive error message "Settings can't be opened using the built-in administrator account".
When I log in using a domain user account, without admin privileges, I still receive the error message when opening "Display settings" but when clicking OK it does show the "Display settings" screen.
UAC is on the lowest setting, one way to temporarily fix the issue is to put UAC on the highest setting and reboot the pc.
However when I have UAC on the highest setting I can't use "Run as" to start an executable using a different user account, it's blocked by our "Software restriction" policy, even though we have an exclusion for Administrators, even using Administrator credentials the "Software restriction policy" blocks running of executable setup files.
When I refresh the computer policy UAC is put back to the lowest setting and the "settings can't be opened" message returns when starting "calculator", "display settings" etc. but on the other hand using "Run as" to start an executable under an Administrator account starts working again.
I've searched different forums and it has been said that this is by design and the way ms app security works, but it is a bad design, this needs to be fixed.
I'm testing out Win10 for our company to see whether we can upgrade our desktops and laptops without problems, however this is a big issue, we have a lot of developers who need local admin rights on their computer, for them it would mean they can't start any ms windows app or even go to their settings.
For normal users it means they get nagged by the error message every time they try to start a ms windows app.
Thus far I've upgraded 4 pc's to win10 and all of them exhibit this issue.
Please offer us a solution to this problem.
All replies (6)
Tuesday, April 19, 2016 2:43 PM ✅Answered
Hello,
Follow the steps mentioned here and see if they help you:
Hope this helps, Good luck :)
Windows Troubleshooting & How to guides - http://www.kapilarya.com
Wednesday, April 20, 2016 5:58 AM ✅Answered
Hi Danieru san,
As ReginRavi pointed out, we could deploy that group policy on the domain controller to have a test. The corresponding registry key should be like this:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken
Best regards
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected].
Tuesday, April 19, 2016 3:30 PM
Hello
Try this:
If you indeed logon with the built-in Administrator, please create another account.
Please check as the following:
Right-click the Start button, select Computer Management, expand Local Users and Groups, and check your user account under Users.
Alternatively, enable the Group Policy: User Account Control: Admin Approval Mode for the Built-in Administrator account.
Open the Group Policy Editor.
Navigate to:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Admin Approval Mode for the Built-in Administrator account
- Click Enabled.
After that, log off and logon to check the result.
Regards, Regin Ravi
Monday, April 25, 2016 9:19 AM
Hello all, thank you for your suggestions, I will try them out to see whether they solve the problem and report back afterwards.
Wednesday, April 27, 2016 3:20 AM
Hi Danieru san,
Please remember to mark the replies as answers if they help.
Best regards
Monday, December 11, 2017 10:08 AM
The error message is not the whole truth. It should be named
"This app can't open
Microsoft Edge can't be opened using an administrative token. Sign in with a different account with normal user rights and try again."
It's a security feature since Windows 8 that MODERN APPS cannot be started with an administrative token.
Only the built-in Administrator has UAC disabled by default, therefore he always has an administrative token when he executes programs.
If you also disable UAC for "normal" admins (members of the local Administrators group), then they also always have an administrative token when executing programs, therefore you got this (misleading) error message.
Greetings
René
Here are the 2 relevant UAC policies.
Security Settings/Local Policies/Security Options:
User Account Control: Admin Approval Mode for the Built-In Administrator account => Disabled
User Account Control: Run all administrators in Admin Approval Mode => Enabled
If you leave the default setting (UAC disabled for Built-In Administrator, enabled for "Run all administrators in Admin approval mode"), then only the Built-In Administrator will receive the warning message.
If you also disable "Run all administrators in Admin approval mode", then every administrator (member of the local Administrators group) will receive the warning message and will not be able to use MODERN APPS.
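
A read-only PowerShell check for the two policies discussed in this thread, added here as an example and not part of any post above. It assumes the policies are stored under the registry key quoted in the earlier reply; `EnableLUA` is the registry value behind "Run all administrators in Admin Approval Mode" (it is not named in the thread), and `Get-UacPolicyValue` is a hypothetical helper name.

```powershell
# Added example, not from the thread. Read-only: it changes no settings.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicyValue {   # hypothetical helper name
    param([string]$Name, [int]$Default)
    # A value that was never written falls back to the Windows default.
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { [int]$item.$Name } else { $Default }
}

# EnableLUA                = "Run all administrators in Admin Approval Mode"
# FilterAdministratorToken = "Admin Approval Mode for the Built-in Administrator account"
$enableLua   = Get-UacPolicyValue -Name 'EnableLUA' -Default 1
$filterAdmin = Get-UacPolicyValue -Name 'FilterAdministratorToken' -Default 0

# Which accounts always run with a full administrative token under these settings?
if ($enableLua -eq 0) {
    $affected = 'every member of the local Administrators group'
} elseif ($filterAdmin -eq 0) {
    $affected = 'only the built-in Administrator account (RID 500)'
} else {
    $affected = 'no account by default'
}

# State of the current session: built-in account? full admin token in this process?
$identity      = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal     = New-Object Security.Principal.WindowsPrincipal($identity)
$isBuiltIn     = $identity.User.Value -match '^S-1-5-21-.*-500$'
$hasAdminToken = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

[pscustomobject]@{
    EnableLUA                = $enableLua
    FilterAdministratorToken = $filterAdmin
    AlwaysFullAdminToken     = $affected
    CurrentUser              = $identity.Name
    IsBuiltInAdministrator   = $isBuiltIn
    ProcessHasAdminToken     = $hasAdminToken
}
```

Run it in a normal, non-elevated PowerShell window: `ProcessHasAdminToken` reading `True` there means the session already holds a full administrative token, the condition the last reply describes as blocking modern apps.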