While doing an install of SharePoint Server 2007 on Windows Server 2008 R2, my customer and I bumped into a problem: we couldn’t manually add some assemblies to the Global Assembly Cache (GAC). Obviously, UAC (User Account Control) was blocking us… but all of the standard tricks for jumping through UAC were failing. We tried:
Then chat with a colleague brought up an idea…is there some policy getting in the way?
I doubted that there was any specific group policy being pushed around UAC… that’s somewhat atypical. But what about a local policy?
There’s an entire list of local policies related to UAC…
After doing some looking around, I resolved to focus on the policy highlighted above: User Account Control: run all administrators in Admin Approval Mode. It was Enabled on their server.
First, About “Admin Approval Mode”. Taken literally, Admin Approval Mode means that any action that should only be achievable by an administrator must go through UAC’s “Admin Approval” (the secure screen that presents the approval). By default (as listed above), actions that require Administrator rights must go through the “Admin Approval Mode” process… even if the person doing the action is part of the Administrators group. Setting this to “Disabled” effectively means that Admin Approval Mode is no longer required for members of the local Administrators group… effectively disabling UAC entirely for those users.
So, we disabled it and rebooted (required for changes to the local security policy).
Our drag-and-drop to add assemblies to the GAC now works. Happiness ensued.
IMPORTANT: Disabling this can make it easier for malware to compromise your system. I encourage this to be disabled only temporarily so that the specific actions required may be taken, then re-enabled (along with the associated reboot) immediately at completion.
If you cannot change this policy, you may need to chat with your Active Directory Group Policy administrators, as it is possible to force this and/or override the local security policy with domain group policies.
I did it, but still i am not able to see my assembly in c:\windows\assembly\ after using gacutil -i mydll.dll command. please give me any suggestion.
Disabled it and rebooted, but still not allowed to drag-and-drop an assembly into C:\Windows\assembly using File Explorer in Windows 7.
You could just open a command prompt with elevated access and use gacutil.exe instead; it's not quite as user friendly, but doesn't require messing with settings that could open you to security vulnerabilities.
Hi Doug... unfortunately, we tried this and it still didn't get us through... hence the hacking.
I am also having the same problem. Admin approval mode is disabled. gacutil from elevated cmd and drag/drop from 2 elevated explorer windows both failing. Anyone have another idea?
Try looking through the security event log... do what messages do you receive when trying to do this?
Great tip, thanks! I was also in a situation where the "run as admin" trick failed and gacutil was not installed (it's a server). Temporarily disabling that policy did the works!
Thanks for the tip!
This post really raised my hopes because I've been battling with this problem for a long time. Unfortunately, it doesn't work on my server. Also, there's nothing in the event log. I simply receive a message box with a title of "Assembly Cache Viewer - Install Failed" and body text of "Access is denied: 'Microsoft.Practices.BizTalkOperations.dll'"
Hi Rob... I'm sorry this method didn't work for you. There are any number of other possibilities I can think of, but documenting them here would be extreme. I might suggest that creating a support request or chatting in the TechNet Forums... try this one for starters: social.technet.microsoft.com/.../threads
Worked for me.
1. GACUTIL is not supported on production systems so it's not better to use gacutil
2. after installing I changed the setting back so no security vulnerabilities ( except the long 5 minutes between reboots).