Поделиться через

Add an assembly to the Global Assembly Cache on Windows Server 2008 R2

  • Статья

While doing an install of SharePoint Server 2007 on Windows Server 2008 R2, my customer and I bumped into a problem: we couldn’t manually add some assemblies to the Global Assembly Cache (GAC). Obviously, UAC (User Account Control) was blocking us… but all of the standard tricks for jumping through UAC were failing. We tried:

  • Start a cmd prompt with “Run as administrator” and then typing “explorer” (which in theory launches explorer as the UAC’d admin) to launch two windows. FAIL. My guess is that the Explorer process doesn’t receive the credentials of the UAC’d administrator when it launches.
  • run GACUTIL through a UAC’d command prompt… FAIL.(GACUTIL isn’t officially supported for production installs anyway).
  • “Disable” UAC. FAIL. Funny thing about 2008 R2… you never ACTUALLY disable UAC. You can tell it not to prompt you… but it will still roadblock you if something absolutely requires local administrator rights to accomplish.

Then chat with a colleague brought up an idea…is there some policy getting in the way?

I doubted that there was any specific group policy being pushed around UAC… that’s somewhat atypical. But what about a local policy?

There’s an entire list of local policies related to UAC…
image

After doing some looking around, I resolved to focus on the policy highlighted above: User Account Control: run all administrators in Admin Approval Mode. It was Enabled on their server.

First, About “Admin Approval Mode”. Taken literally, Admin Approval Mode means that any action that should only be achievable by an administrator must go through UAC’s “Admin Approval” (the secure screen that presents the approval). By default (as listed above), actions that require Administrator rights must go through the “Admin Approval Mode” process… even if the person doing the action is part of the Administrators group. Setting this to “Disabled” effectively means that Admin Approval Mode is no longer required for members of the local Administrators group… effectively disabling UAC entirely for those users.

image 

So, we disabled it and rebooted (required for changes to the local security policy).

Our drag-and-drop to add assemblies to the GAC now works. Happiness ensued.

IMPORTANT: Disabling this can make it easier for malware to compromise your system. I encourage this to be disabled only temporarily so that the specific actions required may be taken, then re-enabled (along with the associated reboot) immediately at completion.

If you cannot change this policy, you may need to chat with your Active Directory Group Policy administrators, as it is possible to force this and/or override the local security policy with domain group policies.

Comments

  • Anonymous
    February 06, 2011
    I did it, but still i am not able to see my assembly in c:windowsassembly after using gacutil -i mydll.dll command. please give me any suggestion.

  • Anonymous
    February 17, 2011
    Disabled it and rebooted, but still not allowed to drag-and-drop an assembly into C:Windowsassembly using File Explorer in Windows 7.

  • Anonymous
    March 08, 2011
    You could just open a command prompt with elevated access and use gacutil.exe instead; it's not quite as user friendly, but doesn't require messing with settings that could open you to security vulnerabilities.

  • Anonymous
    April 06, 2011
    Hi Doug... unfortunately, we tried this and it still didn't get us through... hence the hacking.

  • Anonymous
    May 16, 2011
    I am also having the same problem.  Admin approval mode is disabled.  gacutil from elevated cmd and drag/drop from 2 elevated explorer windows both failing.  Anyone have another idea?

  • Anonymous
    May 18, 2011
    Try looking through the security event log... do what messages do you receive when trying to do this?

  • Anonymous
    March 05, 2012
    Great tip, thanks!  I was also in a situation where the "run as admin" trick failed and gacutil was not installed (it's a server).  Temporarily disabling that policy did the works!

  • Anonymous
    May 03, 2012
    Thanks for the tip!

  • Anonymous
    June 07, 2012
    The comment has been removed

  • Anonymous
    June 08, 2012
    Hi Rob... I'm sorry this method didn't work for you. There are any number of other possibilities I can think of, but documenting them here would be extreme. I might suggest that creating a support request or chatting in the TechNet Forums... try this one for starters: social.technet.microsoft.com/.../threads Good luck!

  • Anonymous
    June 21, 2014
    Worked for me. Notes:

  1. GACUTIL is not supported on production systems so it's not better to use gacutil
  2. after installing I changed the setting back so no security vulnerabilities ( except the long 5 minutes between reboots). Thanks, Radu

  • Anonymous
    August 14, 2014
    Hello, I'm running into the same problem on my server and I've tried everything mentioned here and on other forums as well. I am still unable to view all the assemblies in C:windowsassembly When I run the gacutil /i to install my assembly, it says that it installed successfully, yet I'm unable to see it in the assembly folder. Furthermore, when I do a gacutil /l with the assembly name, it is unable to find it. Anyone have any other suggestions? Thanks in advance!

  • Anonymous
    September 17, 2014
    The comment has been removed