What a surprise that was to find out that by default, if you do “run as admin” with an AD account, the AD is not queried for account status as long as cached credentials are available. What does that mean?

Well, if you disable an AD account or check “User must change password at next logon”, the computer will ignore it when you use “run as admin”.

“Run as”, on the other hand, first checks the AD and then the cached credentials… and in my opinion that’s the correct sequence.

Anyway, there is a way to fix it: set the following registry value.

Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Name: InteractiveLogonFirst
Value: 00000001
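The following PowerShell script is an added example, not code from the original post: it audits a machine for the registry value listed above and writes it only when it is missing or set to something else, then reads it back. Two things are assumptions, since the post does not state them: that the value is a REG_DWORD (the post shows 00000001 but no type), and that the script runs in an elevated session, because writing under HKLM\...\Policies\System requires administrative rights. The function names are my own.

```powershell
# Added example (not from the original post): audit and remediate the
# InteractiveLogonFirst value described above.
# Assumptions not stated in the post: the value is a REG_DWORD, and this
# runs in an elevated PowerShell session (HKLM\...\Policies\System is
# writable only by administrators).

$RegPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$RegName = 'InteractiveLogonFirst'
$Wanted  = 1

function Get-InteractiveLogonFirst {
    # Returns the current DWORD, or $null when the value has never been created.
    $props = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.$RegName
}

function Test-InteractiveLogonFirst {
    # Audit only: $true when the machine already carries the setting from the post.
    return (Get-InteractiveLogonFirst) -eq $Wanted
}

function Set-InteractiveLogonFirst {
    # Creates the Policies\System key if it is absent, then writes the value.
    if (-not (Test-Path -Path $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null
    }
    # -Force overwrites an existing value of the same name instead of failing.
    New-ItemProperty -Path $RegPath -Name $RegName -PropertyType DWord `
                     -Value $Wanted -Force | Out-Null
}

# Usage: audit first, change the registry only when needed, then verify.
if (Test-InteractiveLogonFirst) {
    Write-Output "$RegName is already set to $Wanted"
} else {
    $before = Get-InteractiveLogonFirst
    $shown  = if ($null -eq $before) { 'not set' } else { $before }
    Write-Output "$RegName is $shown; setting it to $Wanted"
    Set-InteractiveLogonFirst
    Write-Output "$RegName is now $(Get-InteractiveLogonFirst)"
}
```

Run the audit branch alone (call Test-InteractiveLogonFirst) across a sample of machines before pushing the change; the post does not say whether a logoff or reboot is needed for the new behaviour to take effect, so confirm that on a test machine first.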