Attempting to provision a Windows VM to Microsoft Active Directory 2016 and above Domain Controller (Microsoft Endpoint) or when running LCT (LifeCycle Toolkit) on a Windows 2016 and above Server. vRO may display the following in the error log:
A required privilege is not held by the client
Microsoft User Account Control has a specific Security Policy that needs to be disabled on the Microsoft 2016 Server and above.
Policy Name: User Account Control: Run all administrators in Admin Approval Mode
- vRealize Automation 7.x
Workaround or Solution
Disabling the Admin approval mode can be achieved in two ways. (User Account Control: Run all administrators in Admin Approval Mode :: DISABLED)
- Setting the policy locally
- Setting the policy through group policy on the Domain Controllers OU so the change takes affect on all domain controllers
Local security policy on your domain controller/s
- Open Local Security Policy, on the Start screen, type secpol.msc, and then press ENTER.
- Navigate to Security Settings>Local Policies>Security Options
- Scroll to find the User Account Control: Run all administrators in Admin Approval Mode policy
- Right-Click and select Properties
- Select disable and click OK
- Confirm the setting is now DISABLED
- Repeat this for all domain controllers you will be using if applicable
Group policy update
WARNING: If you plan on using the group policy method for making this change please liaise with your Domain Administrators to discuss in detail if this is the best method for your organization and that there is a complete understanding on the impact this will have on your domain controllers
Depending on your organization will depend on who can create the group policy and who can apply it. Please follow your companies change control procedures and speak with the Domain Administrators for guidance and assistance.
- Create a group policy or modify the existing default domain controller policy
- In the group policy under computer configuration, navigate to Policies → Windows Settings → Security Settings → Local Policies → Security Options
- Scroll down on the right until you see User Account control: Run all administrators in Admin Approval Mode
- Right click this line and click on properties
- Place a check next to Define this policy setting and place a check in the radio box next to Disabled, then click OK
- You will now see the User Account control: Run all administrators in Admin Approval Mode is set to Disabled
- Close the Group Policy management Editor.
NOTE: Depending on how you have approached this policy will depend on if you have to attach the new policy to an OU, filtered to a specific group of servers or to the whole domain. Please do follow your companies change control procedures and liaise with your Domain Administrators for guidance.
Microsoft how to create a GPO : https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/create-a-group-policy-object
Microsoft how to link a GPO to your domain : https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain
Microsoft User account group policy : https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-run-all-administrators-in-admin-approval-mode