Local User Administrator (LUA) Security
November 10th, 2008 by Paul Sterley

There is a new security feature in Windows 2008 and SBS 2008 called LUA (Local User Administrator). Basically, it’s another effort to break away from the time-honored tradition of logging into the computer with an account that has absolute control, when it is not necessary to do so. As malware becomes more sophisticated, it is increasingly dangerous to do so.
This latest feature has some definite drawbacks for the unaware though. You can find yourself unable to do certain administrative tasks, and not know why. After all, your account is in the local administrators group. Heck, it’s even in Domain Admins, Schema Admins, and Enterprise Admins! Your account is effectively a god, and yet you can’t run a command-line backup.
I ran into this the other day on an SBS server, using the “wbadmin” utility. I got errors indicating that my permission level was not high enough, yet my account had all of the attributes listed above. It was, in fact, the admin account created for me by the SBS wizard. The actual “real” Administrator account was disabled – a default feature in SBS2008.
So in order to run the wbadmin utility, I had to enable the Administrator account, change its password so that I knew what it was, and then use RunAs to run the utility.
This is not so bad on the surface of things. It’s good security, and tolerable if you know about it. That’s where it all falls down though. None of the documentation I found regarding wbadmin, whether related to Windows 2008 or SBS2008, mentioned LUA or the fact that the real Administrator account was the only one I could use to run the commands they were telling me to run, nor that the account was in fact disabled.
I think we need a little work on that documentation, MS.
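A quick way to see what the current session's token actually grants before running wbadmin, as an added example that is not part of the original post. It assumes the permission error comes from the session running with a filtered token, in which BUILTIN\Administrators (SID S-1-5-32-544) is present only as a deny-only group; the post itself does not confirm that cause. The text match on "deny only" assumes an English-language system.

```powershell
# Added example (not from the original post): show whether this session's
# token has the local Administrators group enabled or only as deny-only.
# Assumption: the wbadmin permission error is caused by a filtered token.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

# IsInRole is true only when BUILTIN\Administrators is an enabled group
# in the token, not merely when the account is a member of it.
$elevated = $principal.IsInRole($adminRole)

# whoami lists every group SID in the token together with its attributes,
# including groups that are marked "Group used for deny only".
$adminLine = whoami /groups /fo csv /nh |
    Where-Object { $_ -match 'S-1-5-32-544' } |
    Select-Object -First 1

$inToken  = [bool]$adminLine
$denyOnly = $inToken -and ($adminLine -match 'deny only')

"Account             : $($identity.Name)"
"Administrators SID  : $(if ($inToken) { 'present in token' } else { 'not in token' })"
"Enabled (elevated)  : $elevated"
"Deny-only (filtered): $denyOnly"

if ($elevated) {
    'This session holds full administrator rights.'
}
elseif ($denyOnly) {
    # Group membership exists, but access checks will not honor it
    # for "allow" entries until the process runs with the full token.
    'Administrators is deny-only here: the session is not elevated.'
    'Retry the command from a prompt started with "Run as administrator".'
}
else {
    'This account is not a member of the local Administrators group.'
}
```

Run it in the same console window that produced the wbadmin error, since the result describes that process's token rather than the account in general.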

