Add an assembly to the Global Assembly Cache on Windows Server 2008 R2


While doing an install of SharePoint Server 2007 on Windows Server 2008 R2, my customer and I bumped into a problem: we couldn’t manually add some assemblies to the Global Assembly Cache (GAC). Obviously, UAC (User Account Control) was blocking us… but all of the standard tricks for jumping through UAC were failing. We tried:

  • Starting a cmd prompt with “Run as administrator” and then typing “explorer” (which in theory launches Explorer as the UAC’d admin) to launch two windows. FAIL. My guess is that the Explorer process doesn’t receive the credentials of the UAC’d administrator when it launches.
  • Running GACUTIL through a UAC’d command prompt… FAIL. (GACUTIL isn’t officially supported for production installs anyway.)
  • “Disable” UAC. FAIL. Funny thing about 2008 R2… you never ACTUALLY disable UAC. You can tell it not to prompt you… but it will still roadblock you if something absolutely requires local administrator rights to accomplish.

Then a chat with a colleague brought up an idea… is there some policy getting in the way?

I doubted that there was any specific group policy being pushed around UAC… that’s somewhat atypical. But what about a local policy?

There’s an entire list of local policies related to UAC…

After doing some looking around, I resolved to focus on one policy in that list: User Account Control: Run all administrators in Admin Approval Mode. It was Enabled on their server.

First, about “Admin Approval Mode”. Taken literally, Admin Approval Mode means that any action that should only be achievable by an administrator must go through UAC’s “Admin Approval” (the secure screen that presents the approval). By default, actions that require Administrator rights must go through the “Admin Approval Mode” process… even if the person doing the action is part of the Administrators group. Setting this to “Disabled” means that Admin Approval Mode is no longer required for members of the local Administrators group… effectively disabling UAC entirely for those users.


So, we disabled it and rebooted (required for changes to the local security policy).

Our drag-and-drop to add assemblies to the GAC now works. Happiness ensued.

IMPORTANT: Disabling this can make it easier for malware to compromise your system. I recommend disabling it only temporarily, so that the specific actions required can be taken, and then re-enabling it (along with the associated reboot) immediately on completion.

If you cannot change this policy, you may need to chat with your Active Directory Group Policy administrators, as it is possible to force this and/or override the local security policy with domain group policies.
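To confirm that the policy is back in its enabled state after the temporary change, the UAC local policies can be read from the registry. The script below is an added example, not part of the original post; it assumes the standard policy values under `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`, and the "WEAKENED" labels are this example's own wording.

```powershell
# Added example (not from the original post): report the state of the UAC
# local policies discussed above so a temporary change is not left in place.
# Written for PowerShell 2.0, which ships with Windows Server 2008 R2.
$key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$values = Get-ItemProperty -Path $key

# Registry value -> policy display name, plus a test for the weakened setting.
$checks = @(
    @{ Name   = 'EnableLUA'
       Policy = 'Run all administrators in Admin Approval Mode'
       Weak   = { param($v) $v -ne 1 } },   # 0 = policy Disabled
    @{ Name   = 'ConsentPromptBehaviorAdmin'
       Policy = 'Behavior of the elevation prompt for administrators in Admin Approval Mode'
       Weak   = { param($v) $v -eq 0 } },   # 0 = elevate without prompting
    @{ Name   = 'PromptOnSecureDesktop'
       Policy = 'Switch to the secure desktop when prompting for elevation'
       Weak   = { param($v) $v -ne 1 } }    # 0 = prompt on the user desktop
)

$report = foreach ($c in $checks) {
    $name = $c.Name
    $v    = $values.$name                   # $null when the value is absent
    if ($null -eq $v)     { $state = 'NOT SET (OS default applies)' }
    elseif (& $c.Weak $v) { $state = 'WEAKENED' }
    else                  { $state = 'OK' }
    New-Object PSObject -Property @{ Policy = $c.Policy; Value = $v; State = $state }
}
$report | Select-Object Policy, Value, State | Format-Table -AutoSize

# The registry shows the configured value; a changed EnableLUA only takes
# effect after the reboot the post mentions.
if ($report | Where-Object { $_.State -eq 'WEAKENED' }) {
    Write-Warning 'One or more UAC policies are weakened; re-enable and reboot.'
    exit 1
}
```

Because the script exits non-zero when a policy is weakened, it can be run as a scheduled check on servers where this workaround has been used.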

  • I did it, but still I am not able to see my assembly in c:\windows\assembly\ after using the gacutil -i mydll.dll command. Please give me any suggestion.

  • Disabled it and rebooted, but still not allowed to drag-and-drop an assembly into C:\Windows\assembly using File Explorer in Windows 7.

  • You could just open a command prompt with elevated access and use gacutil.exe instead; it's not quite as user friendly, but doesn't require messing with settings that could open you to security vulnerabilities.

  • Hi Doug... unfortunately, we tried this and it still didn't get us through... hence the hacking.

  • I am also having the same problem.  Admin approval mode is disabled.  gacutil from elevated cmd and drag/drop from 2 elevated explorer windows both failing.  Anyone have another idea?

  • Try looking through the security event log... what messages do you receive when trying to do this?

  • Great tip, thanks!  I was also in a situation where the "run as admin" trick failed and gacutil was not installed (it's a server).  Temporarily disabling that policy did the works!

  • Thanks for the tip!

  • This post really raised my hopes because I've been battling with this problem for a long time. Unfortunately, it doesn't work on my server. Also, there's nothing in the event log. I simply receive a message box with a title of "Assembly Cache Viewer - Install Failed" and body text of "Access is denied: 'Microsoft.Practices.BizTalkOperations.dll'"

  • Hi Rob... I'm sorry this method didn't work for you. There are any number of other possibilities I can think of, but documenting them here would be extreme. I might suggest creating a support request or chatting in the TechNet Forums... try this one for starters: social.technet.microsoft.com/.../threads

    Good luck!

  • Worked for me.

    Notes:

    1. GACUTIL is not supported on production systems, so it's not better to use gacutil.

    2. After installing I changed the setting back, so no security vulnerabilities (except the long 5 minutes between reboots).

    Thanks,

    Radu

  • Hello, I'm running into the same problem on my server and I've tried everything mentioned here and on other forums as well.

    I am still unable to view all the assemblies in C:\windows\assembly

    When I run the gacutil /i to install my assembly, it says that it installed successfully, yet I'm unable to see it in the assembly folder. Furthermore, when I do a gacutil /l with the assembly name, it is unable to find it.

    Anyone have any other suggestions?

    Thanks in advance!

  • So is there an approved way to add a dll to the GAC with UAC enabled? One can't be expected to reboot the server every time a new dll has to be added to the GAC. I tried "Run as Administrator" and this does not work either. If UAC is so obstructive it becomes self-defeating, since everyone will turn it off anyway. There should be a safe way to add a dll to the GAC in UAC mode. Otherwise I don't know what MS was thinking.
