I have come across a strange problem in one of our applications on win2k8/Vista x64 with UAC enabled. It is a process which hosts the UI for our service and runs in the context of the logged on user.

When logged in as a domain user who is a member of the "Administrators" group, writing to the registry under HKLM fails due to UAC with access denied.

But when logged in as the local "Administrator" account (non-domain) then writing to the registry succeeds.

Both accounts are administrators - is there a distinction between domain and non-domain accounts with UAC? What gives?

A: 

Thanks... from further reading it seems that it does affect Vista as well:

"Being part of the Local Administrator Group doesn't provide the same access as the Local Administrator Account (the same also applies to Windows Vista). With Windows Server 2K8, the administrator access token is split into 2 tokens when logged into the server. One of these is an administrator token and the other a standard user token. During the logon process, authorization and access control components that identify an administrator are removed, leaving a standard user token. The standard user token is used to start the desktop and, therefore, all applications that start run as a standard user."

deltanine
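
The split-token behaviour quoted above can be observed from inside the affected process. The following is an added example, not part of the original post: a PowerShell function that reports which kind of token the current process holds and the two UAC policy values that decide it. It assumes PowerShell 2.0 or later; the `UacDemo.Native` wrapper name and `Get-UacTokenReport` are hypothetical names chosen for this example, while `GetTokenInformation` is the real Win32 API.

```powershell
# Added example. UacDemo.Native is a hypothetical wrapper name; it exposes the
# real advapi32 GetTokenInformation call for a 4-byte result.
Add-Type -Namespace UacDemo -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
    out int TokenInformation, int TokenInformationLength, out int ReturnLength);
'@

function Get-UacTokenReport {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminSid  = New-Object Security.Principal.SecurityIdentifier('S-1-5-32-544')  # BUILTIN\Administrators

    # TokenElevationType is information class 18 and returns a 4-byte enum value.
    $type = 0; $len = 0
    if (-not [UacDemo.Native]::GetTokenInformation($identity.Token, 18, [ref]$type, 4, [ref]$len)) {
        throw 'GetTokenInformation(TokenElevationType) failed'
    }
    $meaning = switch ($type) {
        1 { 'Default: token was not split (UAC off, standard user, or built-in Administrator)' }
        2 { 'Full: elevated half of a split token' }
        3 { 'Limited: filtered standard-user half of a split token' }
    }

    # EnableLUA turns UAC on; FilterAdministratorToken puts the built-in
    # Administrator account under Admin Approval Mode (absent or 0 means it is exempt).
    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        User                     = $identity.Name
        ElevationType            = $meaning
        # IsInRole only counts enabled groups, so a deny-only Administrators SID yields False.
        AdministratorsEnabled    = $principal.IsInRole($adminSid)
        EnableLUA                = $policy.EnableLUA
        FilterAdministratorToken = $policy.FilterAdministratorToken
    }
}

Get-UacTokenReport | Format-List
```

Run from the UI process, a member of the Administrators group who has not elevated should show `Limited` with `AdministratorsEnabled` False, while the built-in Administrator shows `Default` with True as long as `FilterAdministratorToken` is 0 or absent.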
