Date: May 6, 2016
When configuring the ERPM admin console to use Console Privilege Elevation and enabling the Impersonation Feature, you receive error 740 and the console either fails to launch or launches as the interactive user.
The problem occurs on Windows Server 2008 and later when UAC is enabled, or on 2012 R2 when the EnableLUA registry value is not disabled. It occurs primarily because the launching user's desktop is not available to present the UAC prompts to the user, or the proper notifications to the ERPM system.
There are multiple resolutions to the problem:
- Don't use the Impersonation feature. Using it is not recommended, because it effectively prevents the auditing from recording the actual user performing the operation; the audit trail will reflect the impersonated user, not the interactive user. Impersonation also means that any user who launches the console gains the administrative rights required to launch it. Instead, it is recommended to assign permissions properly to users or groups in the ERPM DB and grant users the direct rights required to launch the console, which improves both auditing and overall security. To further lock down the console, use the Console Delegation permissions to limit what users can do while in the console.
- In 2008 and later, disable UAC. While this is not the best possible solution, it allows use of the feature.
- In 2012 R2, turn off UAC and set the registry value EnableLUA to '0' to disable "least user access". The value is found at: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System >> EnableLUA. Once the value is changed to 0, you will need to restart the server.
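The following PowerShell function is an added, read-only check that is not part of this article or of the ERPM product: it reads the EnableLUA value at the path above, plus the standard ConsentPromptBehaviorAdmin UAC policy value (an assumption of mine, not mentioned in the article), and reports whether an elevation prompt, and therefore error 740, is to be expected on this console host. The function name and output fields are my own.

```powershell
function Get-ErpmUacElevationState {
    # Policy key named in the article; ConsentPromptBehaviorAdmin is a standard
    # UAC policy value added here as an extra check (assumption, not from the article).
    $policyKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction Stop

    # EnableLUA: 1 = UAC on (Windows default when the value is absent), 0 = UAC off.
    $enableLua = if ($null -ne $policy.EnableLUA) { [int]$policy.EnableLUA } else { 1 }

    # ConsentPromptBehaviorAdmin: 0 = elevate without prompting; any other value
    # raises a prompt on the launching user's desktop, which is exactly what an
    # impersonated launch cannot display. An absent value is treated as "prompt".
    $consent = if ($null -ne $policy.ConsentPromptBehaviorAdmin) {
        [int]$policy.ConsentPromptBehaviorAdmin
    } else { 5 }

    $osCaption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption

    # A change to EnableLUA only takes effect after a restart, so the registry
    # can already read 0 while the running system still enforces UAC.
    $expect740 = ($enableLua -eq 1 -and $consent -ne 0)

    $advice = if ($expect740) {
        'Grant console users direct rights in the ERPM DB (preferred); otherwise disable UAC / set EnableLUA to 0 and restart the server.'
    } else {
        'No UAC prompt expected from the registry state; if error 740 persists, check whether a restart is still pending.'
    }

    [pscustomobject]@{
        OperatingSystem            = $osCaption
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        Error740Expected           = $expect740
        Recommendation             = $advice
    }
}

# Run on the ERPM console host before enabling Console Privilege Elevation.
Get-ErpmUacElevationState | Format-List
```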
- Enterprise Random Password Manager (ERPM)
- Random Password Manager (RPM)