A systems administrator is troubleshooting a PowerShell script that automates software patch installations on multiple Windows Server 2022 domain members. The script, which previously worked, now fails with "access denied" errors when attempting to modify protected system directories. The administrator confirms the script is being executed by a Domain Admins account. No anti-malware alerts have been triggered, and file permissions on the script itself are correct. The administrator suspects a recent security hardening GPO is the cause.
Which of the following security settings, when enabled via a Group Policy Object, is the most likely cause of the script's failure?
The correct answer is "User Account Control: Run all administrators in Admin Approval Mode". This is the fundamental setting that governs User Account Control (UAC) behavior for all administrative accounts. When this policy is enabled, members of the local Administrators group (including Domain Admins) run most applications and tasks with a standard user access token. A script that needs to modify protected system locations requires an elevated (full administrator) access token. If this policy was recently enabled via GPO, the script would start failing with "access denied" errors because it is no longer inheriting a full administrative token by default and must be explicitly elevated to perform its tasks.
AppLocker policies are used to control which applications and files users can run. An AppLocker block would typically prevent the script from running at all, rather than causing "access denied" errors during its execution.
The UAC policy for the behavior of the elevation prompt only defines how an administrator is prompted (e.g., for consent or credentials) when elevation is required; it does not determine if elevation is required in the first place for an admin account. The root cause of the need for elevation is Admin Approval Mode being active.
SELinux (Security-Enhanced Linux) is a security module for the Linux kernel and is not a component of the Windows Server operating system.