UAC is still a pain in the, uh, access

I’ve been at my new job for about two weeks now, and I’m starting to settle in. The past few work days I’ve been busy troubleshooting and tweaking AD and DNS for different remote sites, as that is an area where it’s easy for me to jump right in and be useful.

I’m also very pleased to have Windows 7 on a nice new computer here. I was never a fan of Windoze Vista and would go out of my way to avoid it, but so far I’ve been quite pleased with Win7 and the huge improvements M$ made over Vista.

One example of improvement is the reduction of the annoying UAC pop-up alerts. Since I’m a bit of a security wonk, I prefer not to disable the UAC prompts so I can clearly see when I’m running a process with “elevated” permissions. But still, sometimes they catch me off guard…

There’s one “gotcha” that bit me several times because I keep forgetting about it: when you’re checking Active Directory replication with REPADMIN.EXE, be sure to always run it (or rather, the CMD shell that launches it) with elevated permissions (that is, right-click the CMD shortcut and choose “Run as administrator”). If you forget to do this, you will see niggly little error messages like “DsReplicaSync() failed with status 8453 (0x2105): Replication access was denied.”

These false alarms look a lot like an actual replication problem you might have if your DCs are not in the “Domain Controllers” OU, are not flagged as DCs, or have mismatched Secure Channel Passwords. Last Friday I was cut by Occam’s razor when I had both the false alarm and the real one, defying one of the principal rules of diagnosis.
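One way to keep the two cases apart, as an added example that is not part of the original post: a PowerShell wrapper that records whether the shell is elevated before calling REPADMIN.EXE and labels any 8453 result accordingly. The function names and message wording are assumptions made for illustration.

```powershell
# Added example; Test-IsElevated and Invoke-RepadminChecked are hypothetical helper names.
function Test-IsElevated {
    # Under UAC a non-elevated admin session holds a filtered token, so the
    # Administrators role check returns False until "Run as administrator" is used.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-RepadminChecked {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$RepadminArgs          # switches passed straight through to repadmin.exe
    )

    $elevated = Test-IsElevated
    if (-not $elevated) {
        Write-Warning 'Shell is not elevated: an 8453 result below may be a UAC false alarm.'
    }

    # Capture stdout and stderr as plain strings so the status code can be searched for.
    $output = @(& repadmin.exe @RepadminArgs 2>&1 | ForEach-Object { "$_" })

    # The status quoted in the post: 8453 (0x2105), replication access was denied.
    $denied = @($output | Select-String -Pattern 'status 8453|0x2105').Count -gt 0

    if ($denied -and $elevated) {
        Write-Warning ('8453 from an elevated shell: check the real causes (DC outside the ' +
                       '"Domain Controllers" OU, not flagged as a DC, secure channel password mismatch).')
    } elseif ($denied) {
        Write-Warning '8453 from a non-elevated shell: re-run elevated before diagnosing further.'
    }

    # Return the facts together so a script or ticket note can record them.
    New-Object PSObject -Property @{
        Elevated     = $elevated
        AccessDenied = $denied
        ExitCode     = $LASTEXITCODE
        Output       = $output
    }
}

# Example call with a read-only switch; print the captured text, then the verdict.
$result = Invoke-RepadminChecked -RepadminArgs '/showrepl'
$result.Output
$result | Select-Object Elevated, AccessDenied, ExitCode
```

An AccessDenied result with Elevated set to False says nothing yet about replication health; only the elevated run is worth diagnosing.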

P.S. Just one more thing: in Googling topics related to the un-elevated REPADMIN.EXE errors, I discovered this informative blog post, which helps explain how UAC really works and which you may find interesting or worthwhile.