UAC & Citrix - program prompting for admin credentials

server 2008r2 & r2 sp1 enviro with xenapp 6.5.  UAC was disabled when all of the servers were set up.  I have one program that started prompting for admin credentials when the user tried to open it about 4 months ago.  I have another program that just started doing this a few days ago on a few servers (i have 15) and quickly spread to the rest within 2-3 days.  No windows updates were performed, in fact the update and installer service is disabled.  This program has worked fine in this enivronment for 3+ months, now it cannot be used at all.  For the first program i had tried using a program called UAC controller, however this fix only works for 1 -2 days before it prompts for credentials again, and re-enabling the uac controller requires rebooting the servers.  I read somewhere a while back that there may be a DACL list that is "updated" and causes this, then could potentially travel from server to server via the user's roaming profiles?  I'm not sure where to look and cannot find any detailed info on how to chase it down.  any help or suggestions would be great as this is starting to have a negative effect on my users.
Who is Participating?
GreshAssocConnect With a Mentor Author Commented:
this is an actual locally installed program, not a website, so the trusted zones didnt help.  I have been through the layers flags already as well, nothing there has worked.  The 2nd program that just started having issues was resolved by the software vendor.  turns out an update program runs periodically which is what was prompting uac.  solution to that was to schedule the updater to run via scheduled task and redirect the program shortcut to a different executable that does not call for the updater program.  The program that has been a long time issue is attached to a local mysql database on each server, i have a feeling that is what is prompting for rights.
Casey HermanCitrix EngineerCommented:
I had something similar to this happen to me.  

The way I fixed it was added the file locations to Trusted Sites in Group Policy.

That forced the file servers to trust the locations of the user data that was applied to the server.  

What I was seeing is the location of the file server that had the shortcuts for roaming profiles was throwing up the error.

So in GPO

User config ->administrative templates-> Windows Components->Internet Explorer-> Internet Control Panel->Security Page

The go to

Site to Zone Assignment List - > Enabled
Hit "Show"

Then I assigned my file server shares in the list.

Example with no Quotes

Value Name

Value "1"

This assigns your file server to Intranet Zone.

So all files from the file server are then trusted. Including Shortcuts, favorites, profile data and what not.

Hope this helps.

Another option maybe to set up compatibility mode for the app to Run as admin.  (I have a program that I have to do that with even though UAC is turned off).  

The registry key is:
HKLM\Software\Microsoft\Windows NT\AppCompatFlags\Layers

HKLM\Software\Wow6432Node\Microsoft\Windows NT\AppCompatFlags\Layers

The value name is the full path to the executable, and the value is RUNASADMIN.  (If you have multiple compatibility flags, they are simply listed as a space-delimited string).

GreshAssocAuthor Commented:
partial work around only for 2nd program.  primary program in question has since been removed
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.