A systems administrator is troubleshooting a PowerShell script that automates software patch installations on multiple Windows Server 2022 domain members. The script, which previously worked, now fails with "access denied" errors when attempting to modify protected system directories. The administrator confirms the script is being executed by a Domain Admins account. No anti-malware alerts have been triggered, and file permissions on the script itself are correct. The administrator suspects a recent security hardening GPO is the cause.
Which of the following security settings, when enabled via a Group Policy Object, is the most likely cause of the script's failure?
SELinux configured in enforcing mode
User Account Control: Run all administrators in Admin Approval Mode
The correct answer is "User Account Control: Run all administrators in Admin Approval Mode". This is the fundamental setting that governs User Account Control (UAC) behavior for all administrative accounts. When this policy is enabled, members of the local Administrators group (including Domain Admins) run most applications and tasks with a standard user access token. A script that needs to modify protected system locations requires an elevated (full administrator) access token. If this policy was recently enabled via GPO, the script would start failing with "access denied" errors because it is no longer inheriting a full administrative token by default and must be explicitly elevated to perform its tasks.
AppLocker policies are used to control which applications and files users can run. An AppLocker block would typically prevent the script from running at all, rather than causing "access denied" errors during its execution.
The UAC policy for the behavior of the elevation prompt only defines how an administrator is prompted (e.g., for consent or credentials) when elevation is required; it does not determine whether elevation is required in the first place for an admin account. The root cause of the need for elevation is Admin Approval Mode being active.
SELinux (Security-Enhanced Linux) is a security module for the Linux kernel and is not a component of the Windows Server operating system.
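A preflight check for the scenario above, as an added example that is not part of the original question: it reports whether Admin Approval Mode is on and whether the current process holds an elevated token, then stops before any protected directory is touched. The function names Get-UacState and Assert-Elevated are hypothetical; EnableLUA and ConsentPromptBehaviorAdmin are the registry values behind the two UAC policies discussed.

```powershell
# Added example (not from the original page). Helper names are hypothetical.

function Get-UacState {
    # Registry location where the UAC security-option policies are stored.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $pol = Get-ItemProperty -Path $key -ErrorAction Stop

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    [pscustomobject]@{
        User                       = $identity.Name
        # EnableLUA = 1 means "Run all administrators in Admin Approval Mode" is enabled.
        AdminApprovalMode          = ($pol.EnableLUA -eq 1)
        # Controls only how the elevation prompt appears, not whether elevation is needed.
        ConsentPromptBehaviorAdmin = $pol.ConsentPromptBehaviorAdmin
        # False when the process runs with the filtered (standard user) token,
        # even if the account is a member of Administrators or Domain Admins.
        IsElevated                 = $principal.IsInRole($adminRole)
    }
}

function Assert-Elevated {
    $state = Get-UacState
    if (-not $state.IsElevated) {
        $reason = if ($state.AdminApprovalMode) {
            'Admin Approval Mode is enabled, so this session holds a filtered token.'
        } else {
            'The account is not an administrator on this machine.'
        }
        throw "Not elevated ($($state.User)). $reason Start the script from an elevated session."
    }
    $state
}

# Call at the top of the patching script, before it writes to protected locations.
Assert-Elevated | Format-List
```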