Solved

Cannot get application to run on a terminal server without a UAC popup

Posted on 2013-01-23
Last Modified: 2014-02-19
I have a Server 2008 R2 Standard server with 5 RDS CALs. They run the E2 Shop Tech software, which is located on the D: drive under the Data share. The Data share has full access rights for Domain Users. When a user clicks on the program's icon, a UAC message pops up asking "Do you want to allow the software to make changes to your computer" and asks for an administrator's credentials. I tried to fix this by changing the Local Security Policies in various combinations, none of which worked. When I changed the last one, "Run all administrators in Admin Approval Mode", to Disabled, it won't run or prompt for credentials. I added a user to the Administrators group and he can run it. Any suggestions on how to get this working for all users without being an admin? Here are the current UAC settings:
Local Security Policies, Local Policies, Security:
UAC: Admin Approval Mode for the Built-in Administrator account = Disabled
UAC: Allow UIAccess applications to prompt for elevation without using secure desktop = Enabled
UAC: Behavior of the elevation prompt for administrator in admin approval mode = Elevate without prompting
UAC: Behavior of the elevation prompt for standard users = prompt for credentials
UAC: Detect application and prompt for elevation = Disabled
UAC: Only elevate executables that are signed and validated = Disabled
UAC: Only elevate UIAccess applications that are installed in secure locations = Disabled
UAC: Run all administrators in Admin approval mode = Disabled
UAC: Switch to the secure desktop when prompting for elevation = Enabled
UAC: Virtualize file and registry write failures to per-user locations = Enabled
Question by:THEarle
10 Comments
 
LVL 42

Expert Comment

by:Davis McCarn
From this: http://serverfault.com/questions/178360/grant-admin-rights-to-a-certain-program-for-all-users

Thanks for the answers, this is how I ended up solving it:

1. Create a Scheduled Task in the task scheduler. The scheduled task launches the application. Set the task to run at highest privilege level.
2. Create a shortcut on the desktop of all the users needing to run the application. The shortcut ended up looking like this: C:\Windows\System32\schtasks.exe /run /tn "Name of task"
The only downside of this is that I need to create a separate task for every user, but I think it works just fine.
 
LVL 23

Expert Comment

by:Brian B
Two things to check.

1. Was the application installed as a remote desktop application via control panel? The server needs to configure it properly.
2. Does its vendor support running it on a Remote Desktop (terminal) server? Some programs just don't work in that environment.

I am assuming of course that this program runs fine on a standalone workstation with user credentials, or does it require admin privileges there as well?
 
LVL 23

Expert Comment

by:Coralon
I don't know anything about this particular piece of software, but I obviously have a heavy TS/Citrix background.   If your app is tripping the UAC flag, then some protected area is being modified by the application.  

The first thing to do is dig out SysInternals Process Monitor and see where you are getting tripped up.  One of the more common things is the app may be trying to write to a log file under the Windows directory, one of the Program Files directories, or maybe even the ProgramData directory.  

Coralon
0
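The Process Monitor triage suggested in the comment above, as an added example that is not part of the original thread: it reads a Process Monitor CSV export (default columns) and counts the `ACCESS DENIED` events one process hits under the protected directories. The process name `app.exe`, the sample rows and every path in them are constructed placeholders.

```python
import csv
import io
from collections import Counter

# Protected roots taken from the directories named in the thread.
PROTECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\",
                   "c:\\program files (x86)\\", "c:\\programdata\\")

# Constructed sample in Process Monitor's default CSV column layout.
# "app.exe" and all paths are placeholders, not values from the thread.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.001","app.exe","4120","CreateFile","D:\Data\app\settings.ini","SUCCESS","Desired Access: Generic Read"
"10:01:02.105","app.exe","4120","CreateFile","C:\Windows\app.log","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.230","app.exe","4120","CreateFile","C:\Program Files\Vendor\cache.tmp","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.410","app.exe","4120","CreateFile","C:\Windows\app.log","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.522","explorer.exe","2208","CreateFile","C:\Windows\System32\example.dll","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.640","app.exe","4120","CreateFile","C:\ProgramData\Vendor\lic.dat","NAME NOT FOUND","Desired Access: Generic Read"
'''


def denied_protected_paths(csv_text, process_name):
    """Count ACCESS DENIED events per (operation, path) for one process,
    keeping only paths that sit under a protected root."""
    hits = Counter()
    # Exports may start with a UTF-8 byte-order mark; drop it before parsing.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Result"].strip().upper() != "ACCESS DENIED":
            continue
        # The appended separator lets a root directory itself match, while
        # look-alike names such as C:\WindowsOld do not.
        if (row["Path"].lower() + "\\").startswith(PROTECTED_ROOTS):
            hits[(row["Operation"], row["Path"])] += 1
    return hits


if __name__ == "__main__":
    # Most frequently denied locations first.
    for (operation, path), count in denied_protected_paths(SAMPLE_CSV, "app.exe").most_common():
        print(f"{count:3d}  {operation:<12} {path}")
```

The paths this reports are the ones to raise with the vendor or to handle individually, rather than changing UAC policy for the whole server.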
 

Author Comment

by:THEarle
Thanks everyone for your feedback.  I will be going on site in a day or so to try the scheduled task solution and begin the program trace with SysInternals.
The program was loaded from the server console not thru RDS.  The program was not loaded to the C:\Program Files\ folder, it was isolated in the D:\Data share where user rights are full.   I thought the UAC policy for protected areas was the solution but that did not work.  I will keep up on my progress. Thanks.
 
LVL 23

Expert Comment

by:Coralon
You are correct about UAC being for the protected system areas (c:\windows c:\program files c:\program files (x86) c:\programdata c:\users etc.)  But, the fact that you are still tripping UAC even though the app is being installed to a non-system area, means that there is almost certainly a component of the app that is writing to a protected area (either memory or file system).

Coralon

 

Author Comment

by:THEarle
Sorry I have not been able to get onsite yet, as soon as I can I will update you.
 

Author Comment

by:THEarle
I've requested that this question be deleted for the following reason:

Solved with tech support from the vendor.
 
LVL 23

Expert Comment

by:Brian B
I am objecting because I asked you to confirm if the program was installed as a remote desktop application and it sounds like the fact that you didn't do this was part of the problem. Could you please provide a more thorough explanation of what finally solved the problem? This answer will also help others who may have the same problem as you.
 

Author Comment

by:THEarle
I apologize for asking for deletion, I simply wanted to close the open case. I also apologize for not getting back to this case in a timely manner. The solution to the problem was indeed a permission problem. Despite being installed on D:, the vendor admitted that they do have hard code pointing to c:\windows to set up some temp and log files. UAC did have to be turned off completely in order to install and run the application. Once that was done and we allowed the app to write to the protected area, it installed correctly.  Thank you very much for your help and again I am sorry I did not properly close the case in a timely manner.
 
LVL 23

Accepted Solution

by:
Coralon earned 500 total points
I'd ask that you award some points for this.  I pointed out exactly the problem that your vendor confirmed - writing to a protected area (c:\windows\).  And TBone2k also asked some relevant questions (install mode).  

Thanks,

Coralon