Configure UAC to allow background admin functions on domain computers?

Does anyone know how to configure Windows UAC for computers on a domain so that they allow admin functions (such as logon scripts mapping printers, installing software remotely, scheduled tasks, etc.) to run without completely turning off UAC or having a user present to constantly click the Continue button to allow the process to run?

maninblac1 commented:
You might try using "run as" and have it run as your domain admin account; I assume you have admin control over all machines. I'm not entirely sure how you will present the password at that time.
mattolan (Author) commented:
But how do I set run as globally for all computers? On something like a login script?
maninblac1 commented:
I'm not well versed in scripting, so see if this helps; I forgot that runas doesn't have a password argument for you to pass at runtime.

http://redmondmag.com/forums/forum_posts.asp?tid=3604&pn=1
mattolan (Author) commented:
The scripts do work if they are run as administrator, but this is not a very good solution for what I need. The main script that is the issue is my logon script, which is attached to the user's account under Active Directory and runs when they log in to a computer. There is no way to have this script run as admin, and I really don't want all of our users having to click OK on 2 prompts for each of the 14 print drivers that it configures for them when they log in.
maninblac1 commented:
What about using SMS (Systems Management Server)? I've recently learned about this as an alternative way to manage software and setup on domain computers without using AD or GPO. AD makes SMS easier, as does GPO, but apparently this is fairly versatile. I don't know the specifics of SMS or to what extent it can be used, but it might be able to do what you require.
mattolan (Author) commented:
The question remains though: Vista still prompts for everything and the user has to click yes or no.
maninblac1 commented:
SMS provides a way to escalate privileges on limited accounts (XP at least); that's why I suggested it.

The other thought I would have is that your script would edit one value in GP, and since the effect is dynamic (as per the TechNet whitepaper: http://technet2.microsoft.com/WindowsVista/en/library/00d04415-2b2f-422c-b70e-b18ff918c2811033.mspx?mfr=true), you would be able to turn UAC off and on temporarily while the script is running.

The value is:
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
Set it to "no prompt", install the printers etc., then change it back to "prompt for consent". At worst this would require only one click by the user for the initial escalation.
mattolan (Author) commented:
Turning UAC off requires a restart, and to turn it back on would require another restart.
maninblac1 commented:
Yes, disabling UAC requires the reboot. Disabling the prompts does not.

From the whitepaper:
"Modifying the User Account control: Run all administrators in Admin Approval Mode setting will require a computer restart before the setting becomes effective. All other UAC Group Policy settings are dynamic and do not require a reboot."

I suggested you edit the Admin Approval Mode for administrators setting, changing from prompt for consent to no prompt.

However, this requires that the users are "admins" and not standard users. That's the only difference.

From the whitepaper concerning "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode":
"No prompt  The elevation occurs automatically and silently. This option allows an administrator in Admin Approval Mode to perform an operation that requires elevation without consent or credentials. Note: this scenario should only be used in the most constrained environments and is NOT recommended."

And as I said, this ONLY works if your users are admins on their respective machines, which it appears they are, since they only have to "click through" prompts; you never mention that they need to enter passwords, so I'm assuming they are administrators running in Admin Approval Mode, "prompt for consent" and not "prompt for credentials".

If this is not the case, then ignore my suggestion using a temporary GP edit to change UAC, since they are standard users and would not be able to bypass UAC without a reboot and/or without credentials.

At that point your options are to have them click through the prompts, or try SMS to handle the administration through the server authority, or some other script that can run the whole process at admin level after one prompt. After that, I'm out of ideas.
mattolan (Author) commented:
OK, I see what you're saying. Now, will this scenario work if the user is a local admin on their machine and not a domain admin?

Our users are set up as domain users, with local admin privileges on their machine only. (I'd prefer not to give them that either, except for a couple of applications that won't function without local admin rights.)
maninblac1 commented:
Yes, local admin should be just fine. As long as each machine is set to have their domain account as part of the "Administrators" group on their machine, this should work without any problems.

The script should change the GP (since they are admins on their machine they should be able to change the GP); though, you might need to temporarily "unlock" gpedit so that the settings will stick. From what I recall, if a setting is "enforced" by AD, it will not be changeable. They will get the UAC prompt to allow the initial change, at which point it will set admin approval behavior to "no prompt"; from there you'd save the local GP and go about your merry way making the desired changes/additions. Then at the end you can either set the GP back to what it was, or run gpupdate.exe /force to sync their machine with AD (gpupdate usually requires a reboot before settings take effect), but since this setting is dynamic, it would probably take effect immediately.

That's how I would try to do it.
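The approach proposed in this thread (set the elevation prompt to "no prompt", do the work, set it back) leaves a machine silently elevating if the logon script dies between the two writes. As an added example that is not part of the thread, this read-only PowerShell audit reads the registry value behind the "Behavior of the elevation prompt for administrators in Admin Approval Mode" policy and flags machines left in that state; the defaults assumed when a value is absent are labelled in the comments.

```powershell
# Added example, not from the original thread: audit the UAC policy values the
# thread proposes toggling. Read-only; works in a standard or elevated session.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin, the registry value behind
# "User Account Control: Behavior of the elevation prompt for administrators
# in Admin Approval Mode".
$AdminPromptMeaning = @{
    0 = 'Elevate without prompting ("no prompt") - NOT recommended'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

function Get-UacPolicyState {
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop

    # EnableLUA is "Run all administrators in Admin Approval Mode" (the one
    # setting that needs a reboot). Assumption: absent value means UAC enabled.
    $enableLua = if ($null -ne $props.EnableLUA) { [int]$props.EnableLUA } else { 1 }

    # Assumption: absent ConsentPromptBehaviorAdmin means the OS default (5 on
    # Windows 7 and later; Vista defaulted to 2). Absent values are reported
    # as such so the reader can check the OS in question.
    $present = $null -ne $props.ConsentPromptBehaviorAdmin
    $adminPrompt = if ($present) { [int]$props.ConsentPromptBehaviorAdmin } else { 5 }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        UacEnabled         = ($enableLua -eq 1)
        AdminPromptValue   = $adminPrompt
        AdminPromptPresent = $present
        AdminPromptMeaning = $AdminPromptMeaning[$adminPrompt]
        # Weak: UAC disabled outright, or admins elevate with no prompt at all.
        Weak               = ($enableLua -ne 1) -or ($adminPrompt -eq 0)
    }
}

$state = Get-UacPolicyState
$state | Format-List
if ($state.Weak) {
    Write-Warning ("UAC is disabled or elevates silently on {0}; a script that " +
                   "toggled the prompt may not have restored it." -f $state.ComputerName)
}
```

To check a fleet rather than one machine, run the script body through Invoke-Command against the domain computers and collect the returned objects; any result with Weak set to True is a machine to look at.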