Solved

Turn ON UAC for Windows 7 Pro on Windows Server 2008 domain

Posted on 2013-12-06
Last Modified: 2013-12-13
I have 2 VMs for test purposes.  One runs Windows Server 2008 R2 Std (which acts as AD), the other one runs Windows 7 Pro and is logged on to the domain.

I'm trying to turn on UAC from a GPO on the server, just as if it were set locally at Level 3, but it doesn't seem to have any effect: when I start Registry Editor, or any other program that usually shows a UAC prompt, nothing shows up.

Can anyone tell me what I'm doing wrong?   Thank you

DETAILS

Each time I test a new set, I run the "gpupdate /force" command

GPO SETTINGS (For Level 3 UAC)

User Account Control: Admin Approval Mode for the Built-in Administrator account = Disabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop = Disabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent for non-Windows Binaries
User Account Control: Behavior of the elevation prompt for standard users = Prompt for credentials
User Account Control: Detect application installations and prompt for elevation = Enabled
User Account Control: Only elevate executables that are signed and validated = Disabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations = Enabled
User Account Control: Run all administrators in Admin Approval Mode = Enabled
User Account Control: Switch to the secure desktop when prompting for elevation = Enabled
User Account Control: Virtualize file and registry write failures to per-user locations = Enabled
Question by:cdebel
19 Comments
 
LVL 30

Accepted Solution

by:
renazonse earned 250 total points
ID: 39701994
If you run GPRESULT on the server does it show that it's applying the GPO?
0
 
LVL 11

Expert Comment

by:epichero22
ID: 39701995
What security level is the account you're logging in with granted?  That might be a place to start.  If it's an administrator, I know that admins don't get prompted.
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39702001
Log in as a normal domain user and try, not as an admin.
0
 
LVL 10

Author Comment

by:cdebel
ID: 39702082
@Epichero22 & Firebar: It's a simple domain user, it's not an admin.  

@renazonse: I've run gpresult /h report.html.  I've named a GPO "Enable UAC".
From what I see, under Summary / Computer Configuration Summary / Group Policy Objects / Applied GPOs, Enable UAC is applied to my domain.

And under Summary / User Configuration Summary / Group Policy Objects / Applied GPOs, there's none, and under Denied GPOs of the same section, I see Enable UAC.

I'm really unfamiliar with GPOs, is it because the settings are just applied to my server and not to any other computers?
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39702096
Is the computer in the same OU where the GPO is being applied?
0
 
LVL 10

Author Comment

by:cdebel
ID: 39702097
@renazone: Here's the result file if it helps
report.html
0
 
LVL 10

Author Comment

by:cdebel
ID: 39702108
@Firebar: OU?  The domain is office.mydomain.com, and if I look in Active Directory Users and Computers under office.mydomain.com/Computers, I see this PC named "Test-PC".  Is that what you are asking for?
0
 
LVL 30

Assisted Solution

by:renazonse
renazonse earned 250 total points
ID: 39702110
Looks good, most likely you just need to reboot the server. This article says:

Note
You must restart your computer when you enable or disable UAC. Changing levels of notification does not require that you restart your computer.


http://technet.microsoft.com/en-us/library/dd759070.aspx
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39702115
Right. I was curious as to whether or not you had an OU structure in play here. Even if you did, the GPO should still apply.
0

 
LVL 27

Assisted Solution

by:Jason Watkins
Jason Watkins earned 100 total points
ID: 39702122
Does the user account have read access to the GPO?
0
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 150 total points
ID: 39702134
I can see the GPO is correctly applied on the computer (Domain Controller).

Can you just run rsop.msc on the computer to check whether it is showing as applied or not?

Just enable the first two options as well in the GPO, they are showing as disabled (Admin Approval Mode and UIAccess)

Mahesh
0
 
LVL 10

Author Comment

by:cdebel
ID: 39702147
@renazone: After rebooting, the Win7 computer seems to have access to the UAC slider (with prompting).  But it doesn't seem to react the way I thought.  I was expecting a prompt when starting Registry Editor

@Firebar: It's just a test VM, I have no other GPO, and I have no other user yet.
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39702155
The registry can be disabled via GPO. You stop the users from even opening it.
0
 
LVL 10

Author Comment

by:cdebel
ID: 39702158
@MaheshPM: When I run rsop.msc, I get an error message, and it's going to be a bit difficult to translate because this Windows is in French.  But here is what it looks like:
"Unable to generate a dataset of result strategy.  In journalisation mode, the probable causes are the following: A group strategy has never been treated for the computer or the user... " (now it gets unreadable because I see only the top 1-2 pixels of every letter).

And in details it says: "Namespace is not valid"
0
 
LVL 30

Expert Comment

by:renazonse
ID: 39702163
You may not get prompted if you're an admin with a level 3 UAC.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39702179
It looks like the GPO is not applied to the computer for some reason, might be a local computer issue.
Can you check on some other client computer whether the policy is getting applied, please?

Mahesh
0
 
LVL 10

Author Comment

by:cdebel
ID: 39702181
@Firebar: I understand that if it were a real production environment, I wouldn't allow it.   But actually it was just for test purposes, to make it react just as it would on a Windows 7 Home Premium edition.  And on this version, if you set your UAC level to 3, and try to start the registry editor, you will get a UAC prompt.  I've found the registry setting responsible for disabling that, but it just disables it completely... which is not what I'm trying to do at the moment.

@renazonse: it's not an admin... my user "cdebel2005" is just a regular domain user.
0
 
LVL 10

Author Comment

by:cdebel
ID: 39702224
@MaheshPM: I've managed to get it working, and even with the error message, when I look at the options for UAC, I see exactly what I've set on the server, and under the column "GPO Source", I see "Enable UAC" (the group I've defined for this purpose).

So it seems that the rules are applied properly.

On the server, I've also gone into Group Policy Management under "Group Policy Management/Group Policy Results" and picked the domain computer and the domain user I'm trying to test, and I see that under Computer Configuration Summary and User Configuration Summary, Enable UAC figures under Applied GPOs, so it's ok.

So my problem seems to be only with Registry Editor.  I've tried to change the GPO setting from "Prompt for consent for non-Windows binaries" to "Prompt for consent on the secure desktop", and ran gpupdate, but it doesn't change anything
0
 
LVL 10

Author Comment

by:cdebel
ID: 39717449
I'll consider this as solved because I get a UAC slider.  I'm not sure why the Registry Editor and other applications such as Event Viewer don't trigger a UAC prompt, but that's probably another problem.  Thank you for your help.
0
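
Added example, not part of the original thread: a read-only PowerShell check, run on the Windows 7 client, that compares the registry values backing the ten UAC policies listed in the question with what that GPO should produce. The function name Test-UacPolicy is hypothetical; the registry value names are the standard ones behind these security options.

```powershell
# Added example: compare the UAC policy values on this machine with the
# values the GPO in the question should produce. Read-only; run on the client.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value name, expected DWORD, and the GPO setting it backs.
$expected = @(
    @('FilterAdministratorToken',    0, 'Admin Approval Mode for the Built-in Administrator account: Disabled'),
    @('EnableUIADesktopToggle',      0, 'Allow UIAccess applications to prompt without the secure desktop: Disabled'),
    @('ConsentPromptBehaviorAdmin',  5, 'Elevation prompt for administrators: Prompt for consent for non-Windows binaries'),
    @('ConsentPromptBehaviorUser',   3, 'Elevation prompt for standard users: Prompt for credentials'),
    @('EnableInstallerDetection',    1, 'Detect application installations: Enabled'),
    @('ValidateAdminCodeSignatures', 0, 'Only elevate signed and validated executables: Disabled'),
    @('EnableSecureUIAPaths',        1, 'Only elevate UIAccess applications in secure locations: Enabled'),
    @('EnableLUA',                   1, 'Run all administrators in Admin Approval Mode: Enabled'),
    @('PromptOnSecureDesktop',       1, 'Switch to the secure desktop when prompting: Enabled'),
    @('EnableVirtualization',        1, 'Virtualize file and registry write failures: Enabled')
)

# Test-UacPolicy is a hypothetical helper name used only in this example.
function Test-UacPolicy {
    param([string]$Path = $key, [object[]]$Settings = $expected)
    $actual = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($s in $Settings) {
        $name, $want, $label = $s
        # A value that is absent from the key means the policy never landed.
        $prop = $actual.PSObject.Properties[$name]
        $have = $null
        if ($prop) { $have = $prop.Value }
        $shown = $have
        if ($null -eq $have) { $shown = '(not set)' }
        New-Object PSObject -Property @{
            Value    = $name
            Expected = $want
            Actual   = $shown
            Match    = ($have -eq $want)
            Setting  = $label
        }
    }
}

$results = Test-UacPolicy
$results | Select-Object Value, Expected, Actual, Match, Setting | Format-Table -AutoSize
$bad = @($results | Where-Object { -not $_.Match })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} UAC value(s) differ from the GPO; check gpresult, and reboot if EnableLUA changed." -f $bad.Count)
}
```

When every row matches and Registry Editor still opens without a prompt for a standard user, the policy is not the cause: regedit.exe's manifest requests the highestAvailable execution level, so for a non-administrator it starts unelevated instead of asking for credentials.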
