Solved

Turn ON UAC for Windows 7 Pro on Windows Server 2008 domain

Posted on 2013-12-06
Last Modified: 2013-12-13
I have 2 VMs for test purposes. One is on Windows Server 2008 R2 Std (which acts as AD), the other one is on Windows 7 Pro and is logged on to the domain.

I'm trying to turn on UAC from a GPO on the server, just as if it were set locally at Level 3, but it doesn't seem to have any effect: when I start Registry Editor, or any other program that usually shows a UAC prompt, nothing shows up.

Can anyone tell me what I'm doing wrong? Thank you

DETAILS

Each time I test a new set, I run the "gpupdate /force" command.

GPO SETTINGS (For Level 3 UAC)

User Account Control: Admin Approval Mode for the Built-in Administrator account = Disabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop = Disabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent for non-Windows Binaries
User Account Control: Behavior of the elevation prompt for standard users = Prompt for credentials
User Account Control: Detect application installations and prompt for elevation = Enabled
User Account Control: Only elevate executables that are signed and validated = Disabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations = Enabled
User Account Control: Run all administrators in Admin Approval Mode = Enabled
User Account Control: Switch to the secure desktop when prompting for elevation = Enabled
User Account Control: Virtualize file and registry write failures to per-user locations = Enabled
Question by:cdebel
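
An added example, not part of the original thread: a PowerShell check to run on the Windows 7 client that compares the UAC policy values actually present in the registry with the Level 3 GPO settings listed in the question. The registry value names and numeric encodings are the standard ones behind these policies; the variable names and report layout are this example's own, and it avoids PowerShell 3.0 syntax so it runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: verify that the UAC GPO from the question reached this machine.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value, expected DWORD, and the GPO setting it backs (from the question).
$expected = @'
Name,Want,Setting
FilterAdministratorToken,0,Admin Approval Mode for the Built-in Administrator account: Disabled
EnableUIADesktopToggle,0,Allow UIAccess applications to prompt without the secure desktop: Disabled
ConsentPromptBehaviorAdmin,5,Elevation prompt for administrators: Prompt for consent for non-Windows binaries
ConsentPromptBehaviorUser,3,Elevation prompt for standard users: Prompt for credentials
EnableInstallerDetection,1,Detect application installations and prompt for elevation: Enabled
ValidateAdminCodeSignatures,0,Only elevate executables that are signed and validated: Disabled
EnableSecureUIAPaths,1,Only elevate UIAccess applications installed in secure locations: Enabled
EnableLUA,1,Run all administrators in Admin Approval Mode: Enabled
PromptOnSecureDesktop,1,Switch to the secure desktop when prompting for elevation: Enabled
EnableVirtualization,1,Virtualize file and registry write failures to per-user locations: Enabled
'@ | ConvertFrom-Csv

$report = foreach ($row in $expected) {
    # A missing value yields $null: the policy never wrote it on this machine.
    $have = (Get-ItemProperty -Path $key -Name $row.Name -ErrorAction SilentlyContinue).($row.Name)
    $shown = if ($null -eq $have) { '<not set>' } else { $have }
    New-Object PSObject -Property @{
        Value    = $row.Name
        Expected = [int]$row.Want
        Actual   = $shown
        Match    = ($have -eq [int]$row.Want)
        Setting  = $row.Setting
    }
}

$report | Format-Table Value, Expected, Actual, Match, Setting -AutoSize -Wrap

# Enabling or disabling UAC (EnableLUA) needs a restart to take effect, so a
# matching EnableLUA value written since the last boot is not yet enforced.
$mismatches = @($report | Where-Object { -not $_.Match })
if ($mismatches.Count -gt 0) {
    Write-Warning "$($mismatches.Count) UAC value(s) differ from the GPO settings"
}
```

A row showing `<not set>` or a mismatch on the client, while the GPO is listed as applied on the server, points at the policy not reaching that computer rather than at the settings themselves.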
19 Comments
 

Accepted Solution

by:renazonse
renazonse earned 250 total points
ID: 39701994
If you run GPRESULT on the server does it show that it's applying the GPO?

Expert Comment

by:epichero22
ID: 39701995
What security level is the account you're logging in with granted?  That might be a place to start.  If it's an administrator, I know that admins don't get prompted.

Expert Comment

by:Jason Watkins
ID: 39702001
Log in as a normal domain user and try, not as an admin.

Author Comment

by:cdebel
ID: 39702082
@Epichero22 & Firebar: It's a simple domain user, it's not an admin.  

@renazonse: I've run gpresult /h report.html.  I've named a GPO "Enable UAC".
From what I see, under Summary / Computer Configuration Summary / Group Policy Objects / Applied GPOs, I see that EnableUAC is applied to my domain.

And under Summary / User Configuration Summary / Group Policy Objects / Applied GPOs, there's none, and under Denied GPOs of the same section, I see Enable UAC.

I'm really unfamiliar with GPOs, is it because the settings are just applied to my server and not to any other computers?

Expert Comment

by:Jason Watkins
ID: 39702096
Is the computer in the same OU where the GPO is being applied?

Author Comment

by:cdebel
ID: 39702097
@renazonse: Here's the result file if it helps
report.html

Author Comment

by:cdebel
ID: 39702108
@Firebar: OU?  The domain is office.mydomain.com, and if I look in Active Directory Users and Computers under office.mydomain.com/Computers, I see this PC named "Test-PC".  Is that what you are asking for?

Assisted Solution

by:renazonse
renazonse earned 250 total points
ID: 39702110
Looks good, most likely you just need to reboot the server. This article says:

Note
You must restart your computer when you enable or disable UAC. Changing levels of notification does not require that you restart your computer.


http://technet.microsoft.com/en-us/library/dd759070.aspx

Expert Comment

by:Jason Watkins
ID: 39702115
Right. I was curious as to whether or not you had an OU structure in play here. Even if you did, the GPO should still apply.

Assisted Solution

by:Jason Watkins
Jason Watkins earned 100 total points
ID: 39702122
Does the user account have read access to the GPO?

Assisted Solution

by:Mahesh
Mahesh earned 150 total points
ID: 39702134
I can see the GPO is correctly applied on the computer (Domain Controller).

Can you just run rsop.msc on the computer to check whether it is showing as applied or not?

Just enable the first two options as well in the GPO; they are showing as disabled (Admin Approval Mode and UI Access).

Mahesh

Author Comment

by:cdebel
ID: 39702147
@renazonse: After rebooting, the Win7 computer seems to have access to the UAC slider (with prompting).  But it doesn't seem to react the way I thought.  I was expecting a prompt when starting Registry Editor.

@Firebar: It's just a test VM, I have no other GPO, and I have no other user yet.

Expert Comment

by:Jason Watkins
ID: 39702155
The registry can be disabled via GPO. You stop the users from even opening it.

Author Comment

by:cdebel
ID: 39702158
@MaheshPM: When I run rsop.msc, I get an error message, and it's going to be a bit difficult to translate because this Windows is in French.  But here is what it looks like:
"Unable to generate a dataset of result strategy.  In journalisation mode, the probable causes are the following: A group strategy has never been treated for the computer or the user... " (now it gets unreadable because I see only the top 1-2 pixels of every letter).

And in the details it says: "Namespace is not valid"

Expert Comment

by:renazonse
ID: 39702163
You may not get prompted if you're an admin with a level 3 UAC.

Expert Comment

by:Mahesh
ID: 39702179
It looks like the GPO is not applied to the computer for some reason; it might be a local computer issue.
Can you check on some other client computer whether the policy is getting applied, please?

Mahesh

Author Comment

by:cdebel
ID: 39702181
@Firebar: I understand that if it were a real production environment, I wouldn't allow it.   But actually it was just for test purposes, to make it react just as it would on a Windows 7 Home Premium edition.  And on this version, if you set your UAC level to 3 and try to start the registry editor, you will get a UAC prompt.  I've found the registry value responsible for disabling that, but it just disables it completely... which is not what I'm trying to do at the moment.

@renazonse: It's not an admin... my user "cdebel2005" is just a regular domain user.

Author Comment

by:cdebel
ID: 39702224
@MaheshPM: I've managed to get it working, and even with the error message, when I look at the options for UAC, I see exactly what I've set on the server, and under the column "GPO Source", I see "Enable UAC" (the group I've defined for this purpose).

So it seems that the rules are applied properly.  

On the server, I also went into Group Policy Management under "Group Policy Management/Group Policy Results" and picked the domain computer and the domain user I'm trying to test, and I see that under Computer Configuration Summary and User Configuration Summary, Enable UAC figures under Applied GPOs, so it's OK.

So my problem seems to be only with Registry Editor.  I've tried to change the GPO setting from "Prompt for consent for non-Windows binaries" to "Prompt for consent on the secure desktop", and applied the GPupdate, but it doesn't change anything.

Author Comment

by:cdebel
ID: 39717449
I'll consider this as solved because I get a UAC slider.  I'm not sure why the Reg Editor and other applications such as Event Viewer don't trigger a UAC prompt, but that's probably another problem.  Thank you for your help.