Why UAC Can Interfere with Add2Exchange Enterprise Replication Engine Operations

Windows Service Control Requirements

Applies to: Add2Exchange Enterprise Edition
Recommended environment: EnableLUA set to 0 in the registry (REG_DWORD; the change takes effect after a reboot)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0
Note that EnableLUA = 0 disables UAC (Admin Approval Mode) for every account on the server, not only for Add2Exchange, which is why this recommendation applies to a dedicated replication server and not to a machine anyone uses interactively for other work. If UAC is left on, every Add2Exchange tool and automation job must instead run with the full administrator token, as described below.

What is lost if UAC is left on (EnableLUA = 1):

  • Unreliable interactive mode
  • No automation, including bitlock reading and writing
  • Limited registry write access
  • Reduced ability to confirm alerted relationships
  • No stopping or starting the service from the Console without being prompted
  • No automatic permissions

The Add2Exchange replication engine runs as a Windows service (which handles timing), the Add2Exchange Agent performs the synchronization, and the Add2Exchange Console is used for relationship management. This division of labor makes the sync environment more stable, but when UAC is enabled the communication between the three components is subject to elevation prompts, which is undesirable on a server that runs unattended.

The three components (the first of which runs as a Windows service) are:
Add2Exchange Service
Add2Exchange Agent
Add2Exchange Console

During normal operation, the system may need to:

  • Stop the replication service
  • Restart the service after configuration changes
  • Restart the service after updates
  • Restart modules during maintenance
  • Confirm relationships

Many actions are controlled through the Windows Service Control Manager (SCM).
Microsoft documentation: https://learn.microsoft.com/en-us/windows/win32/services/service-control-manager

Controlling a service requires the caller's token to be granted specific access rights on the service object and on the SCM itself, such as:
SERVICE_START
SERVICE_STOP
SERVICE_CHANGE_CONFIG
SC_MANAGER_ALL_ACCESS
By default a service's security descriptor grants the start, stop and change-configuration rights to Administrators, SYSTEM and the service's own account; ordinary users, and an administrator running under a filtered token, can only query it.

Reference:
Microsoft Learn – Service Security and Access Rights
https://learn.microsoft.com/en-us/windows/win32/services/service-security-and-access-rights


UAC Token Filtering
When a member of the Administrators group logs on to Windows, Windows actually creates two security tokens for the session:

  Token                  Description
  Standard (filtered)    Used for normal application launches
  Administrator (full)   Used only when a process is elevated
When a program is launched normally it receives the standard token: the Administrators group is still present in it but marked deny-only, most administrative privileges are stripped, and the process runs at Medium integrity rather than High.

Microsoft Learn:
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/how-it-works

Because of this filtering:

  • The program appears to run as an administrator (the logged-on user is a member of Administrators)
  • But it does not actually possess the access rights needed to control services

When Add2Exchange tools or related automation attempt to stop or start services without elevation, Windows may return:

Access Denied
Error 5
Cannot open Service Control Manager
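The following diagnostic is an added example, not part of Add2Exchange. Run it in the PowerShell session you intend to automate from: it reports whether the session holds the filtered (standard) or the full administrator token, then asks the SCM for each of the access rights listed above without stopping or reconfiguring anything, so you can see which right is refused before any maintenance is attempted. The service name 'Add2Exchange' is taken from this page's own Stop-Service example and is an assumption; the whoami parsing assumes English column headers.

```powershell
# Added diagnostic, not part of Add2Exchange. Service name 'Add2Exchange' is an
# assumption taken from this page's Stop-Service example; whoami output is
# parsed assuming English column headers.

Add-Type -Namespace Win32 -Name ScmProbe -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr OpenSCManager(string machineName, string databaseName, uint dwDesiredAccess);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr OpenService(IntPtr hSCManager, string serviceName, uint dwDesiredAccess);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool CloseServiceHandle(IntPtr hSCObject);
'@

function Get-TokenState {
    # BUILTIN\Administrators is S-1-5-32-544. In a filtered token the group is
    # still listed but flagged "Group used for deny only" and the process runs at
    # Medium integrity; the full token has it enabled and runs at High.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $groups    = whoami.exe /groups /fo csv | ConvertFrom-Csv
    $admins    = $groups | Where-Object SID -eq 'S-1-5-32-544'
    $label     = $groups | Where-Object { $_.'Group Name' -like 'Mandatory Label\*' }

    [pscustomobject]@{
        User            = $identity.Name
        IsElevated      = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        AdminGroupState = $(if (-not $admins) { 'Absent' }
                            elseif ($admins.Attributes -match 'deny only') { 'DenyOnly (filtered token)' }
                            else { 'Enabled (full token)' })
        IntegrityLevel  = $label.'Group Name' -replace '^Mandatory Label\\', ''
    }
}

function Test-ServiceAccess {
    param([string]$ServiceName = 'Add2Exchange')

    # Access masks from winsvc.h.
    $SC_MANAGER_CONNECT    = 0x0001
    $SC_MANAGER_ALL_ACCESS = 0xF003F
    $serviceRights = [ordered]@{
        SERVICE_QUERY_STATUS  = 0x0004   # normally granted to every caller
        SERVICE_START         = 0x0010
        SERVICE_STOP          = 0x0020
        SERVICE_CHANGE_CONFIG = 0x0002
    }
    $results = [ordered]@{}

    # The SCM itself: CONNECT is granted to all callers, ALL_ACCESS only to the full token.
    $scmAll = [Win32.ScmProbe]::OpenSCManager($null, $null, [uint32]$SC_MANAGER_ALL_ACCESS)
    if ($scmAll -ne [IntPtr]::Zero) {
        [void][Win32.ScmProbe]::CloseServiceHandle($scmAll)
        $results.SC_MANAGER_ALL_ACCESS = 'granted'
    } else {
        $results.SC_MANAGER_ALL_ACCESS = "denied (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
    }

    $scm = [Win32.ScmProbe]::OpenSCManager($null, $null, [uint32]$SC_MANAGER_CONNECT)
    if ($scm -eq [IntPtr]::Zero) {
        throw "OpenSCManager(SC_MANAGER_CONNECT) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        # Opening the service handle with a given right is exactly the check the
        # SCM performs before Stop-Service/Start-Service may proceed.
        foreach ($entry in $serviceRights.GetEnumerator()) {
            $handle = [Win32.ScmProbe]::OpenService($scm, $ServiceName, [uint32]$entry.Value)
            if ($handle -ne [IntPtr]::Zero) {
                [void][Win32.ScmProbe]::CloseServiceHandle($handle)
                $results[$entry.Key] = 'granted'
            } else {
                # 5 = ERROR_ACCESS_DENIED, 1060 = ERROR_SERVICE_DOES_NOT_EXIST
                $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
                $results[$entry.Key] = "denied (Win32 error $err)"
            }
        }
    } finally {
        [void][Win32.ScmProbe]::CloseServiceHandle($scm)
    }
    [pscustomobject]$results
}

Get-TokenState     | Format-List
Test-ServiceAccess | Format-List
```

Run it twice, once from a normal PowerShell window and once from one started with Run as Administrator, and compare the two reports: the same user account produces a token with the Administrators group marked deny-only in the first case and enabled in the second, and the service rights that come back as Win32 error 5 in the first run are granted in the second. A Win32 error 1060 means the service name on this server differs from the assumed one and should be passed via -ServiceName.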


Example Scenario

A maintenance tool or automation routine attempts the following process:
1 Stop Add2Exchange service
2 Apply configuration update
3 Restart Add2Exchange service

If the process is not elevated, Windows blocks the service control operation at step 1; the denial is returned when the service handle is opened with SERVICE_STOP access, before any stop is attempted.

Result:
StopService() failed
ERROR_ACCESS_DENIED

When the same sequence is executed with elevation (Run as Administrator, or through the elevation prompt), the operation succeeds.
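The scenario above as an added example script (not Add2Exchange's own maintenance code). It checks for the full administrator token before the first service call, so a filtered token is reported up front instead of surfacing as "Access is denied" after the update step has already begun; in an interactive session it relaunches itself through the consent prompt, in an unattended one it fails clearly. Save it as a .ps1 (the relaunch uses $PSCommandPath). -ServiceName defaults to 'Add2Exchange', the name used in this page's Stop-Service example, and -UpdateAction is a placeholder for the real configuration change; both are assumptions.

```powershell
# Added example of the stop / update / restart scenario; not vendor code.
# Assumptions: service name 'Add2Exchange' (from this page's Stop-Service
# example) and a placeholder update step; script saved as a .ps1 file.

[CmdletBinding()]
param(
    [string]$ServiceName = 'Add2Exchange',
    [scriptblock]$UpdateAction = { Write-Host 'Applying configuration update (placeholder step)' }
)

function Test-IsElevated {
    # True only for the full administrator token; a filtered token has the
    # Administrators group deny-only, so IsInRole returns False.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) {
    if ([Environment]::UserInteractive) {
        # Interactive session: relaunch through the consent prompt to obtain the full token.
        Write-Warning "Not elevated; relaunching '$PSCommandPath' with the full administrator token."
        $argList = "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -ServiceName `"$ServiceName`""
        Start-Process -FilePath 'powershell.exe' -ArgumentList $argList -Verb RunAs
        exit
    }
    # Unattended job with a filtered token: nothing can answer a prompt, so fail clearly.
    throw "Must run with the full administrator token (Run as Administrator, or a scheduled task with 'Run with highest privileges')."
}

try {
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop

    # Step 1: stop the replication service (needs SERVICE_STOP on the service).
    if ($svc.Status -ne 'Stopped') {
        Write-Host "Stopping $ServiceName ..."
        Stop-Service -Name $ServiceName -ErrorAction Stop
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }

    # Step 2: apply the configuration update while the service is down.
    & $UpdateAction

    # Step 3: restart the service (needs SERVICE_START) and confirm it came up.
    Write-Host "Starting $ServiceName ..."
    Start-Service -Name $ServiceName -ErrorAction Stop
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    Write-Host "$ServiceName is now $((Get-Service -Name $ServiceName).Status)"
}
catch {
    # On a filtered token this is the "Cannot open service on computer '.'" /
    # "Access is denied" failure; on a full token it is a genuine service fault.
    throw "Service control failed for '$ServiceName': $($_.Exception.Message)"
}
```

The relaunch path is only for an administrator sitting at the console; a scheduled job must be registered with the full token in the first place, because a UAC prompt on an unattended server is never answered.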


Why Level-2 Updates Require Elevated Privileges

The Level-2 Update is an advanced maintenance script used to update the replication server environment. It performs multiple administrative operations, including:

  • Windows update validation
  • Office / Exchange component updates
  • Add2Exchange application updates
  • Service restart operations
  • Registry modifications
  • System configuration verification

These operations interact with protected system areas such as:
C:\Program Files
HKLM registry hive
Windows Services
System scheduled tasks
All of these require elevated privileges.

DidItBetter Software – UAC: https://support.diditbetter.com/uac.aspx
Microsoft Learn – User Account Control: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/


Typical Level-2 Update Actions Requiring Elevation

Service Management
Stop-Service Add2Exchange
Start-Service Add2Exchange
Both require the full administrator token (SERVICE_STOP and SERVICE_START access on the service).
Reference: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/stop-service


Registry Access

Many Add2Exchange configuration values live under:

HKLM\Software
HKLM\Software\WOW6432Node
(WOW6432Node is the 32-bit view of HKLM\Software; a 32-bit process that opens HKLM\Software is redirected there automatically, so the same key can appear under either name depending on the bitness of the process reading it.)

Example location:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\OpenDoor Software®

Writing to these locations requires elevated privileges; reading them does not, which is why a tool can load its configuration yet fail to save changes.

Microsoft Learn – Registry Security
https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-security-and-access-rights


Updating Program Files

Add2Exchange binaries are typically installed in:
C:\Program Files (x86)\DidItBetterSoftware and
C:\Program Files (x86)\Open Door Software
Because these directories are protected by Windows security (standard users have read and execute access only), modifying their contents requires administrator privileges.
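An added diagnostic, not vendor code, that probes the two protected locations named in this and the previous section (the WOW6432Node vendor key and the 32-bit Program Files directory) for write access under the current token and cleans up after itself. The key and directory names are copied from this page; whether they exist on a given server is an assumption, so "not found" is reported separately from a denial.

```powershell
# Added diagnostic, not part of Add2Exchange. Registry key and directory names
# are taken from this page; their presence on a given server is an assumption.

function Test-ProtectedWriteAccess {
    param(
        [string]$RegistrySubKey = 'SOFTWARE\WOW6432Node\OpenDoor Software®',
        [string]$Directory      = "${env:ProgramFiles(x86)}\Open Door Software"
    )
    $result = [ordered]@{ Is64BitProcess = [Environment]::Is64BitProcess }

    # Registry: open the 64-bit view explicitly so the WOW6432Node path means the
    # same thing from a 32-bit and a 64-bit PowerShell (a 32-bit process opening
    # HKLM\SOFTWARE is redirected into WOW6432Node silently). HKLM\SOFTWARE gives
    # Users read access only, so a writable open fails on the filtered token even
    # though reads succeed.
    $hklm = $null
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', 'Registry64')
        $key  = $hklm.OpenSubKey($RegistrySubKey, $true)   # $true = request write access
        if ($null -eq $key) {
            $result.RegistryWrite = 'key not found'
        } else {
            $key.Close()
            $result.RegistryWrite = 'writable'
        }
    } catch {
        $result.RegistryWrite = 'denied: ' + $_.Exception.Message
    } finally {
        if ($hklm) { $hklm.Close() }
    }

    # Program Files (x86): create and immediately remove an empty probe file.
    # Only 32-bit, non-manifested processes get UAC file virtualization; a 64-bit
    # PowerShell receives a plain access-denied here on the filtered token.
    if (-not (Test-Path -LiteralPath $Directory)) {
        $result.ProgramFilesWrite = 'directory not found'
    } else {
        $probe = Join-Path $Directory ('uac-probe-{0}.tmp' -f [guid]::NewGuid())
        try {
            [IO.File]::WriteAllText($probe, '')
            [IO.File]::Delete($probe)
            $result.ProgramFilesWrite = 'writable'
        } catch {
            $result.ProgramFilesWrite = 'denied: ' + $_.Exception.Message
        }
    }
    [pscustomobject]$result
}

Test-ProtectedWriteAccess | Format-List
```

Pass -RegistrySubKey and -Directory to point the probe at the DidItBetterSoftware directory or a different vendor key; the check itself makes no permanent change in either location.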


System Component Updates
Level-2 updates may update or verify:
.NET runtime
Microsoft Office components
Exchange Web Services dependencies
PowerShell modules
Windows updates, including critical service packs

These changes require system-level permissions.


Why Automation Scripts Must Run Elevated

Add2Exchange environments often rely on automation tools including:

  • PowerShell scripts
  • Maintenance scripts
  • Monitoring utilities
  • Scheduled maintenance jobs

If these scripts are launched from a non-elevated environment, they inherit the filtered token.

This prevents them from performing operations such as:
Restart-Service
Install updates
Modify registry keys
Write to protected directories

Example failure:
Stop-Service : Cannot open service on computer '.'
Access is denied


Recommended Server Configuration for Replication Servers

Add2Exchange replication servers are dedicated infrastructure servers, not general-purpose user workstations, and no one should be working on them interactively.
Because they perform automated system operations, their configuration should prioritize reliability and automation stability.
The following practices are recommended.


1 Run Administrative Tools Elevated
All maintenance tools should be executed using:
Run as Administrator
This includes the PowerShell maintenance scripts:

  • Level-2 update scripts
  • Add2Exchange configuration utilities

2 Use Elevated Scheduled Tasks

Automation scripts should be executed via Task Scheduler with the following settings:
Run with highest privileges
Run whether user is logged on or not
This ensures the script receives the full administrator token, and because nothing is prompted, the job can run unattended.
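An added example (not a DidItBetter-provided script) that registers the Level-2 update script as a scheduled task with exactly the two settings above. -RunLevel Highest is "Run with highest privileges"; registering with -User and -Password stores the credential with the Task Scheduler, which is what the UI calls "Run whether user is logged on or not". The task name, script path, schedule and account are assumptions; the credential is prompted for rather than written into the script, and the registration itself must be run from an elevated PowerShell.

```powershell
# Added example, not vendor code. Task name, script path, schedule and account
# are assumptions; run this from an elevated PowerShell.

$taskName   = 'Add2Exchange Level-2 Update'     # assumed
$scriptPath = 'C:\Scripts\Level2Update.ps1'      # assumed
$cred = Get-Credential -Message 'Maintenance account for the Add2Exchange replication server'

# Non-interactive host: the script can never rely on a prompt being answered.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""

# Assumed schedule; adjust to the site's maintenance window.
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 02:00

$settings = New-ScheduledTaskSettingsSet `
    -ExecutionTimeLimit (New-TimeSpan -Hours 4) `
    -MultipleInstances IgnoreNew `
    -StartWhenAvailable

# -User/-Password = "Run whether user is logged on or not" (Password logon type);
# -RunLevel Highest = "Run with highest privileges" (full administrator token).
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Highest -Force | Out-Null

# Read back what was stored: a task whose principal is not RunLevel Highest will
# run with the filtered token, and one whose logon type is Interactive only runs
# while that account is logged on.
$task = Get-ScheduledTask -TaskName $taskName
$task.Principal | Select-Object UserId, LogonType, RunLevel
```

If the maintenance account should not have a stored password, the alternative is a principal created with New-ScheduledTaskPrincipal using -LogonType ServiceAccount for SYSTEM, or -LogonType S4U for the account; S4U tasks also run whether the user is logged on or not, but they get no network credentials, which matters for anything that must reach Exchange.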

Reference:
https://learn.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page


3 Dedicated Replication Server

Replication servers should ideally be:

  • dedicated systems
  • not used for daily user tasks
  • not used for general application installs

This minimizes conflicts and improves reliability.


4 Avoid Interactive User Restrictions
Because replication servers run automated services continuously, UAC prompts can stall maintenance processes: a prompt on an unattended server is never answered.
Administrators should ensure maintenance scripts and update tools are executed with proper elevation so that no prompt is ever raised.


5 Maintain Consistent Update Practices

Add2Exchange servers should follow a controlled update cycle.
Recommended cadence:
Quarterly Level-2 system updates
Immediate installation of critical security patches
Performing updates in controlled batches keeps the system in line with tested versions of:

 

6 Monitor Service Health

Because replication engines depend on service uptime, administrators should monitor:
Add2Exchange service state
Sync cycle completion and alert report timings
Event logs
Restart operations must always be performed under elevated privileges; reading the service state and the event log does not require elevation.
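An added example, not vendor code, of the service-health check described above: it reports the replication service's current state and the recent Service Control Manager transitions for it from the System event log, and flags unexpected terminations, all of which works from a filtered token. Only a restart that follows from the result needs the full token. The service name 'Add2Exchange' is assumed from this page's Stop-Service example; SCM events are matched on the service's display name because that is what the SCM writes into the message.

```powershell
# Added example, not part of Add2Exchange. Service name is an assumption taken
# from this page's Stop-Service example.

function Get-ReplicationServiceHealth {
    param(
        [string]$ServiceName = 'Add2Exchange',
        [int]$MaxEvents = 10,
        [timespan]$LookBack = (New-TimeSpan -Days 7)
    )
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop

    # SCM event IDs: 7036 = entered the running/stopped state, 7031/7034 =
    # terminated unexpectedly, 7000/7009 = failed to start / start timed out.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7000, 7009, 7031, 7034, 7036
        StartTime    = (Get-Date) - $LookBack
    }
    # The System log is readable without elevation; "no events found" is a
    # non-terminating error, hence SilentlyContinue.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$($svc.DisplayName)*" } |
        Select-Object -First $MaxEvents TimeCreated, Id, Message

    $unexpected = @($events | Where-Object { $_.Id -in 7000, 7009, 7031, 7034 }).Count

    [pscustomobject]@{
        Service         = $svc.DisplayName
        Status          = $svc.Status
        StartType       = $svc.StartType
        UnexpectedStops = $unexpected
        Healthy         = ($svc.Status -eq 'Running' -and $unexpected -eq 0)
        RecentEvents    = $events
    }
}

$health = Get-ReplicationServiceHealth
$health | Select-Object Service, Status, StartType, UnexpectedStops, Healthy | Format-List
$health.RecentEvents | Format-Table -AutoSize -Wrap
```

Schedule this under a standard account if you like; only the corrective action (Restart-Service) needs to be dispatched to an elevated task.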


Summary
User Account Control (UAC) protects Windows systems by preventing applications from automatically obtaining administrative privileges. However, because UAC filters administrator tokens, applications launched normally may not possess the permissions required to control Windows services or modify protected system resources.

In Add2Exchange environments this can cause failures when:

  • stopping or starting replication services
  • performing Level-2 updates
  • executing automation scripts
  • modifying registry configuration
  • updating program files

To avoid these issues, replication server maintenance operations should always be executed with elevated privileges, or UAC should be turned off on the dedicated replication server (EnableLUA = 0, reboot required).

Using elevated scripts, scheduled tasks with highest privileges, and maintaining a dedicated replication server environment ensures reliable operation of the Add2Exchange replication engine.


Key References

Microsoft Learn – User Account Control Overview
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/

Microsoft Learn – How UAC Works
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/how-it-works

Microsoft Learn – Service Security and Access Rights
https://learn.microsoft.com/en-us/windows/win32/services/service-security-and-access-rights

Microsoft Learn – Service Control Manager
https://learn.microsoft.com/en-us/windows/win32/services/service-control-manager

Microsoft Learn – PowerShell Service Management
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/start-service

Microsoft Learn – Windows Task Scheduler
https://learn.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page