Monday, December 3, 2012

Event ID 4006 on Windows 2008 R2

A customer of mine phoned me today to tell me that all of its Windows 2008 R2 servers were coming up with blank desktops when they logged in with their domain administrator account.

After a few questions, they told me that the affected servers were new Windows 2008 R2 servers recently joined to a Windows 2003 domain.

Fortunately for me this is an old issue that I have met before, so I am here to share my solution, which differs from the one proposed by Microsoft on TechNet.

As explained on TechNet, if you have a security group policy applied, it could happen that the Interactive account and the Authenticated Users group are removed from the local Users group.

If this happens, event 4006 is logged in the event log upon login:

Log Name: Application
Source: Microsoft-Windows-Winlogon
Event ID: 4006
Level: Warning
User: N/A
Computer: W2K8SERVER
Description:
The Windows logon process has failed to spawn a user application. Application name: . Command line parameters: C:\Windows\system32\userinit.exe.

The solution proposed by Microsoft is to add the Authenticated Users group and Interactive account to the local Users group.

For me, the best thing to do on Windows 2008 servers is to disable UAC. The problem will be solved and you won't have to bother again about those painful security alerts which are most of the time unneeded on server platforms.

To disable UAC in a centralized manner, let's set up a new Group Policy.

Remember that starting from Windows Vista, you must use RSAT to create new GPOs.

So, in RSAT, move to the Organizational Unit that contains your Windows 2008 servers and click on 'Create a GPO in this domain, and Link it here'.

When the Group Policy Management Editor pops up, move to 'Computer Configuration', 'Policies', 'Windows Settings', 'Security Settings', 'Local Policies', 'Security Options' and set the three following policies as shown here:
  • User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode: Elevate without prompting
  • User Account Control: Detect application installations and prompt for elevation: Disabled
  • User Account Control: Run all administrators in Admin Approval Mode: Disabled

Figure: GPO to disable UAC

Close the Editor to save and reboot your Windows 2008 servers twice. After the first reboot these settings will be applied but another reboot is required for the settings to become completely active.
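
A read-only check for the condition described above, as an added example that is not part of the original post: it reports whether Interactive and Authenticated Users are still members of the local Users group, shows the registry values behind the three UAC policies, and lists recent 4006 events. The well-known SIDs and registry value names are supplied here and do not come from the post.

```powershell
# Added example: diagnose the event 4006 condition on the local server.
# Written for PowerShell 2.0, the version shipped with Windows 2008 R2.

# Well-known SIDs are used instead of names so the check works on localized systems.
$required = @{
    'S-1-5-4'  = 'NT AUTHORITY\INTERACTIVE'
    'S-1-5-11' = 'NT AUTHORITY\Authenticated Users'
}

# Resolve the local Users group name from its SID (S-1-5-32-545).
$usersSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')
$groupName = $usersSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

# Enumerate the group members through the WinNT ADSI provider and collect their SIDs.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
$memberSids = @($group.Invoke('Members') | ForEach-Object {
    $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
})

foreach ($sid in $required.Keys) {
    $state = if ($memberSids -contains $sid) { 'present' } else { 'MISSING' }
    "{0,-35} {1}" -f $required[$sid], $state
}

# Registry values written by the three UAC policies:
#   EnableLUA                  = Run all administrators in Admin Approval Mode
#   ConsentPromptBehaviorAdmin = Behavior of the elevation prompt (0 = elevate without prompting)
#   EnableInstallerDetection   = Detect application installations and prompt for elevation
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $key
foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'EnableInstallerDetection') {
    "{0,-35} {1}" -f $name, $uac.$name
}

# Recent Winlogon 4006 warnings; Get-WinEvent raises an error when none exist, so silence it.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Microsoft-Windows-Winlogon'; Id = 4006
} -MaxEvents 5 -ErrorAction SilentlyContinue)
"Recent 4006 events: {0}" -f $events.Count
$events | ForEach-Object { "  {0}" -f $_.TimeCreated }
```

Running it before and after the two reboots shows whether the GPO values have actually reached the server and whether new 4006 events are still being logged.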

I hope this post helps you. Do not hesitate to share your experience with this issue and to confirm that this solution has worked for you.

For more information about UAC, check these other posts: Disabling UAC, Disabling UAC part 2 and Windows 2008 R2 folder security issue and UAC.
