What event does GPU raise in event log when it turns UAC On on Windows server 2019?

Zhivko Gospodinov
2021-01-07T08:51:42.613+00:00

I work on a Win2019 server and there's a group policy which is being applied daily. It turns on my User account control prompt, which I'd like to avoid.
The policy name is:
"User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
I'd like to have a scheduled job which scans the EventLog for an entry and runs a PS script to disable the UAC prompt; however, I can't find the Event ID logged when the GPU updates the UAC policy for prompting on elevation.
Does someone know the Event ID?
Thank you in advance!


1 answer

  1. Anonymous
    2021-01-08T01:58:11.677+00:00

    Hi,

    To disable the policy "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode", we just need to edit the GPO on which the policy is defined, by running this command as administrator: gpresult /h report.html.

    Then, on this GPO, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. On the right pane, find the policy: User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode. Right-click the policy setting and click Properties. Check the box Define this policy setting and choose Elevate without prompting.

    For the events, we need to enable the audit policy:
    The policy of interest is found at: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy

    Audit Privilege Use will give you information about elevated usage using the UAC consent.exe dialog box in the System Event log. The Event IDs created by this: 4648 and 4624.

    Audit Process Tracking will give you information about processes and their creation/termination. Event Id created by this: 4688.

    Also, look at event ID 4696 to see when a new token (user-logon handle) was assigned to a process. Using all these events, you can get a clear picture of the timeline for every process that requested elevated rights with the UAC dialog.
    Normally, the audit policy is used for troubleshooting. It does not need to be enabled all the time.

    Best Regards,
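
For auditing elevation activity with the event IDs named in the answer, the following is an added example (not code from the question author or the answerer) that reads the current value behind the elevation-prompt policy and builds a timeline of events 4624, 4648, 4688 and 4696. It queries the Security log, which is where these IDs are recorded; the 24-hour window and the variable names are assumptions of the example.

```powershell
# Added example. Run from an elevated PowerShell session (the Security log requires it).
# Assumption: a 24-hour lookback window; adjust to the period under review.
$since = (Get-Date).AddHours(-24)

# Event IDs named in the answer, with their audit meaning.
$ids = @{
    4624 = 'Logon'
    4648 = 'Logon with explicit credentials'
    4688 = 'Process created'
    4696 = 'Primary token assigned to process'
}

# Registry value behind "Behavior of the elevation prompt for administrators".
# 0 = Elevate without prompting, 5 = prompt for consent for non-Windows binaries (default).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -ErrorAction SilentlyContinue
"ConsentPromptBehaviorAdmin = $($uac.ConsentPromptBehaviorAdmin)"

# These events appear only if the matching audit policies are enabled.
$filter = @{ LogName = 'Security'; Id = [int[]]$ids.Keys; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$timeline = foreach ($e in $events) {
    # Turn the event's named <Data> fields into a lookup table.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Meaning   = $ids[$e.Id]
        User      = $data['SubjectUserName']
        Process   = if ($data['NewProcessName']) { $data['NewProcessName'] } else { $data['ProcessName'] }
        # 4688 only: %%1936 = default token, %%1937 = full (elevated), %%1938 = limited
        Elevation = $data['TokenElevationType']
    }
}

$timeline | Sort-Object Time | Format-Table -AutoSize
```

Rows with Id 4688 and Elevation %%1937 are the processes that started with a full administrator token, which is the part of the timeline that changes when the prompt is set to Elevate without prompting.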

