Black Screen relating to UAC and Local user group membership
Hello,

We are starting to deploy Win7 to our employees and have run into something that is perplexing. Not really sure how to approach this and I will try to type it out so it's not confusing.

Win 2003 Domain
Win7 Pro SP1 32bit
Windows users are members of Local User group only (by being members of Domain Users AD group)
Domain Admins and Enterprise Admins are members of local Administrators group.
The network team members have a regular user account and an elevated Domain or Enterprise admin account. At first testing most domain admins were not members of domain users AD group.
Win7 User Access control was set to "default - Notify me only when programs try to make changes to my computer. Don't notify me when I make changes to windows settings."

Issue first came up after going through our normal build pc process and rebooting the pc, when my elevated account logged onto windows, I got a black desktop with a white cursor. I could hit Ctrl-Alt-Del and see the screen but esc out and just black. If I add my elevated account to the domain users group and log on, I get my desktop back.

That's all good, except Windows seems to be treating my logged on account as a domain user rather than ad admin user. It seems to take the least privilege approach. When trying to access a folder that was granted security to admins only, it tells me that my elevated account needs to be added explicitly. I can install pgms, make system changes, etc, just can't access the folder structure. If I try a run as admin for command prompt when logged in with my elevated account being a member of domain admin, then launch an explorer window from the "elevated command prompt" I still don't have access to the folder structure. With WinXP this works, but I am beginning to think that Microsoft dropped that functionality with Win7 and seems like everyone is considered a local user...or the OS having issue picking which access code token to look at (user or admin).

Summary: If not member of a local user group and UAC is set to default, user gets black desktop after initial logon. If log on account mbr of local user group and local admin group, local user group wins on file access. We thought maybe we could turn off User Access Control just for admins, but it seems that it is an all users setting. If UAC is enabled and my logging on acct isn't member of a user group, I can't function with a black desktop, but if I could see, I could probably access the Admin only folders :)

Thanks
Amy
August 10th, 2011 12:59pm

More info - IF I log onto the pc with the Local Administrator's account, I do not get a black desktop. IF I log on to the pc with a regular domain user, I do not get the black desktop. If I log on with a domain Admin account (and that account isn't a member of the group defined in the local user group) I get a black desktop. It only comes out of the blackness when my screen saver or desktop locks because of inactivity.
August 10th, 2011 1:00pm

Hi,

According to your description, I don’t think this is a UAC related issue, since your local admin group works fine on your machine. I suspect that this problem is caused by GPO. I suggest that you may try to create a new OU with a clean default group policy as a test. Move the admin account into the new OU. Then try to logon with this account again.

Also, I suggest that you may use the "gpresult /h" command to export the group policy to a report in order to check whether this problem is caused by a GPO confliction issue.

Also please refer: http://answers.microsoft.com/en-us/windows/forum/windows_7-system/black-screen-after-domain-admin-login-with-windows/faf9b604-22c9-4ba9-808b-aa0c11845588

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 14th, 2011 9:53pm

Zhen Tan,

When I run the gpresult /h, what am I looking for relating to possible GPO confliction issues? I see sections with headings of denied GPOs. Most reason denied is Empty and one Inaccessible, for the computer section. On the user section, two state Access Denied (Security Filtering), the rest Empty for the Reason Denied.

The other link in the post, not sure it applies. We have domain users in our local user group...but my Domain admin account isn't a member of domain users, just domain admins.
August 16th, 2011 4:19pm

I did as suggested. I created an OU in our domain. I blocked GPO inheritance. I moved my win7 pc, I moved my domain user account and I moved my domain admin account to the new OU created. I also turned User Access Control back to the default (always notify) setting. I then rebooted and ran gpresult /r, under both my domain user and domain admin credentials, until no reference of GPO assigned showed up.

I then logged onto the pc with my domain admin account and I get a black screen. If I logon with my domain user account, I get my desktop. If I log on with the non domain admin account, I get a desktop. I then put UAC to notify but don't dim my desktop. Logon on with domain admin account, I get a black desktop.

It's almost like Microsoft decided that with Win7 and UAC enabled, it only wants members of a local user group to logon and interact. If administrative functions are required, then the user is prompted for admin credentials. Ahhhhhhhh :)
August 17th, 2011 10:49am

Hi,

I even want to confirm the following with you:

1. The problem you met is a black screen or black desktop?
2. You said you hit Ctrl +Alt +Del to exit the “black screen”. I suggest that you may call Task Manager after you hit “Ctrl +Alt +Del” then try to run explorer.exe. Check the result.
3. Also I suspect this problem may be caused by the “default user” folder being corrupted. Please understand, Windows needs some data from “default user” when creating a new account. You may try to create another domain user account then try to logon to this computer with this account to check this issue.

Please let me know the result. Looking forward to your reply.
August 19th, 2011 4:27am

Hi

1. I guess black desktop, 'cause I can see a white mouse.
2. When I click Start Task Manager after Ctrl-Alt-Del, it takes me back to the black desktop with my white mouse. :)
3. When the UAC settings are where they are...and I log on with my domain account I get a desktop just fine. I do work, I reboot, then the black desktop appears. Reboot, same thing. I can have another domain admin log on and their experience is the same. I can log on with my local built in admin account, delete my domain admin windows profile, logon with that DA account and I get a desktop...the story is the same at next reboot.
August 19th, 2011 8:17am

Hi,

I even want to confirm the following with you:

1. The problem you met is a black screen or black desktop?
2. You said you hit Ctrl +Alt +Del to exit the “black screen”. I suggest that you may call Task Manager after you hit “Ctrl +Alt +Del” then try to run explorer.exe. Check the result.
3. Also I suspect this problem may be caused by the “default user” folder being corrupted. Please understand, Windows will create a user profile when a user first logs on to the computer. Windows needs the default user folder when creating a new user profile. You may try to create another domain user account then try to logon to this computer with this account to check this issue.

Please let me know the result. Looking forward to your reply.
August 19th, 2011 11:26am

Hi,

Please also check the registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
August 24th, 2011 4:29am
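
The checks suggested so far in this thread (the Winlogon Shell value, the UAC setting, and which groups the logged-on account really holds) can be collected in one read-only pass. This is an added example, not part of any post above; it assumes PowerShell 2.0 on an English-language Windows 7 install, `Get-RegValue` is a hypothetical helper name, and the three UAC value names are the standard policy values, which the thread itself does not mention.

```powershell
# Added example: read-only logon diagnostics (changes nothing on the machine).
# Get-RegValue is a hypothetical helper, not a built-in cmdlet.
function Get-RegValue($Path, $Name) {
    # Return $null instead of an error when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$uacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# 1. Shell: the machine-wide value named in the thread, plus a per-user value
#    (normally absent) that would apply only to the account running this script.
# 2. The UAC policy values that sit behind the Control Panel slider.
$settings = New-Object PSObject -Property @{
    ShellMachine               = Get-RegValue "HKLM:\$winlogon" 'Shell'
    ShellUser                  = Get-RegValue "HKCU:\$winlogon" 'Shell'
    EnableLUA                  = Get-RegValue $uacKey 'EnableLUA'
    ConsentPromptBehaviorAdmin = Get-RegValue $uacKey 'ConsentPromptBehaviorAdmin'
    PromptOnSecureDesktop      = Get-RegValue $uacKey 'PromptOnSecureDesktop'
}

# 3. Groups in the current access token, filtered by well-known SIDs:
#    BUILTIN\Administrators (544), BUILTIN\Users (545), Domain Admins (RID 512),
#    Domain Users (513), Enterprise Admins (519), and the integrity label (S-1-16-*).
#    With UAC on, a non-elevated admin token lists Administrators with the
#    attribute "Group used for deny only", so admin-only ACLs do not grant access.
$wanted = '^S-1-5-32-54[45]$|^S-1-5-21-.*-(512|513|519)$|^S-1-16-'
$groups = whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.SID -match $wanted } |
    Select-Object 'Group Name', SID, Attributes

$settings | Format-List
$groups   | Format-Table -AutoSize
```

Running it once from a normal prompt and once from a "Run as administrator" prompt, under the same account, shows how the Attributes column and the integrity label differ between the two tokens.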

It says explorer.exe
August 24th, 2011 10:46am

I found this happening on a new deployment of Windows 7 machines, 4 occurred last week out of 22 stations. Plus 1 Vista on a different network. Only common thread is that the users were logged on when a 3AM Update ran. The system may have not rebooted, but the System Protection all shows a 3AM Critical Update backup.

It is the user's profile that is hosed. If you login with any other account other than the one that was logged in you are fine. If you restore the USERS directory from before the update, it works again. So in my case it is not user rights or access.

In 50% of the cases the System Protection recovery worked if I went back to the day before. In the other 50% the user profile is corrupt and it's simpler to reboot, login as the local admin, delete the profile and then have the user login, so a fresh profile is created, and copy the files for Docs and settings manually.

I'd love to know the root cause of this.

John Rutkowski BOLDER Designs
September 16th, 2011 10:15am

FYI I did check Shell, I did scan with MALWAREBYTES and MS Live AV. No virus or root kits found.

John Rutkowski BOLDER Designs
September 16th, 2011 10:17am

I believe I recall if I deleted the "bad" user's profile, the next logon the profile got created and all was fine, until a reboot, then the black screen (desktop) was back. I don't recall if just a log off log on did this or a reboot. Unfortunately, right now I do not have a Windows 7 machine to do any testing with. :(

And the fact that IF I turn off UAC, the desktop displays as you would expect. If it was a corrupt profile, in my case, I would think turning off UAC wouldn't affect the display of the desktop.

Does anyone from Microsoft read these forums? :)
September 16th, 2011 10:23am

This topic is archived. No further replies will be accepted.
