Cannot get application to run on an terminal server without a UAC popup

Posted on 2013-01-23
Last Modified: 2014-02-19
I have a Server 2008 R2 Standard server with 5 RDS CALs. They run the E2 Shop Tech software which is located on the D: drive under the Data share. The data share has full access rights for Domain Users. When a user clicks on the programs icon, a UAC message pops ups asking Do you want to allow the software to make changes to your computer and asks for an administrators credentials. I tried to fix this thru by changing the Local Security Policies in various combinations, none if which worked. When I changed the last one, Run all administrators in admin Approval mode to disabled it wont run or prompt for credentials.  I added a user to the administrators group and he can run it. Any suggestions how to get this working for all users without being an admin.  Here are the current UAC Settings:
Local Security Policies, Local Policies, Security:
UAC: Admin Approval Mode for the Built-in Administrator account = Disabled
UAC: Allow UIAccess applications to prompt for elevation without using secure desktop = Enabled
UAC: Behavior of the elevation prompt for administrator in admin approval mode = Elevate without prompting
UAC: Behavior of the elevation prompt for standard users = prompt for credentials
UAC: Detect application and prompt for elevation = Disabled
UAC: Only elevate executables that are signed and validated = Disabled
UAC: Only elevate UIAccess applications that are installed in secure locations = Disabled
UAC: Run all administrators in Admin approval mode = Disabled
UAC: Switch to the secure desktop when prompting foe elevation = Enabled
UAC: Virtualize file and registry write failures to per-user locations = Enabled
Question by:THEarle
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
  • +1
LVL 43

Expert Comment

by:Davis McCarn
ID: 38814750
From this:

Thanks for the answers, this is how I ended up solving it:

1.Create a Scheduled Task in the task scheduler. The scheduled task launches the application. Set the task to run at highest privilege level.
2.Create a shortcut on the desktop of all the users needing to run the application. The shortcut ended up looking like this: C:\Windows\System32\schtasks.exe /run /tn "Name of task"
The only downside of this is that i need to create a separate task for every user, but I think it works just fine.
LVL 24

Expert Comment

by:Brian B
ID: 38815326
Two things to check.

1. Was the application installed as a remote desktop application via control panel? The server needs to configure it properly.
2. Does its vendor support running it on a Remote Desktop (terminal) server? Some programs just don't work in that environment.

I am assuming of course that this program runs fine on a standalone workstation with user credentials, or does it require admin privleges there as well?
LVL 25

Expert Comment

ID: 38817154
I don't know anything about this particular piece of software, but I obviously have a heavy TS/Citrix background.   If your app is tripping the UAC flag, then some protected area is being modified by the application.  

The first thing to do is dig out SysInternals Process Monitor and see where you are getting tripped up.  One of the more common things is the app may be trying to write to a log file under the Windows directory, one of the Program Files directories, or maybe even the ProgramData directory.  

Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.


Author Comment

ID: 38828555
Thanks everyone for your feedback.  I will be going on site in a day or so to try the scheduled task solution and begin the program trace with SysInternals.
The program was loaded from the server console not thru RDS.  The program was not loaded to the C:\Program Files\ folder, it was isolated in the D:\Data share where user rights are full.   I thought the UAC policy for protected areas was the solution but that did not work.  I will keep up on my progress. Thanks.
LVL 25

Expert Comment

ID: 38829288
You are correct about UAC being for the protected system areas (c:\windows c:\program files c:\program files (x86) c:\programdata c:\users etc.)  But, the fact that you are still tripping UAC even though the app is being installed to a non-system area, means that there is almost certainly a component of the app that is writing to a protected area (either memory or file system).


Author Comment

ID: 38857857
Sorry I have not been able to get onsite yet, as soon as I can I will update you.

Author Comment

ID: 39868297
I've requested that this question be deleted for the following reason:

Solved with tech support from the vendor.
LVL 24

Expert Comment

by:Brian B
ID: 39868298
I am objecting because I asked you to confirm if the program was installed as a remote desktop application and it sounds like that fact you didn't do this was part of the problem. Could you please provide a more thorough explanation of what finally solved the problem? This answer will also help other who may have the same problem as you.

Author Comment

ID: 39868400
I apologize for asking for deletion, I simply wanted to close the open case. I also apologize for not getting back to this case timely. The solution to the problem was indeed a permission problem. Despite being installed on D:, the vendor admitted that they do have hard code pointing to c:\winodws to setup some temp and log files. UAC did have to be turned off completely in order to install and run the application. Once that was done and we allowed the app to write to protected area, it installed correctly.  Thank you very much for your help and again I am sorry I did not properly close the case in a timely manner.
LVL 25

Accepted Solution

Coralon earned 500 total points
ID: 39871825
I'd ask that you award some points for this.  I pointed out exactly the problem that your vendor confirmed - writing to a protected area (c:\windows\).  And TBone2k also asked some relevant questions (install mode).  



Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
Suggested Courses

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question