• Status: Solved

Turn ON UAC for Windows 7 Pro on Windows Server 2008 domain

I have 2 VMs for test purposes.  One is on Windows Server 2008 R2 Std (which acts as AD), the other one is on Windows 7 Pro and is logged on to the domain.  

I'm trying to turn on UAC from a GPO on the server, just as if it were set locally at Level 3, but it doesn't seem to have any effect: when I start Registry Editor, or any other program that usually shows a UAC prompt, nothing shows up.

Can anyone tell me what I'm doing wrong?   Thank you

DETAILS

Each time I test a new set, I run the "gpupdate /force" command

GPO SETTINGS (For Level 3 UAC)

User Account Control: Admin Approval Mode for the Built-in Administrator account = Disabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop = Disabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent for non-Windows Binaries
User Account Control: Behavior of the elevation prompt for standard users = Prompt for credentials
User Account Control: Detect application installations and prompt for elevation = Enabled
User Account Control: Only elevate executables that are signed and validated = Disabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations = Enabled
User Account Control: Run all administrators in Admin Approval Mode = Enabled
User Account Control: Switch to the secure desktop when prompting for elevation = Enabled
User Account Control: Virtualize file and registry write failures to per-user locations = Enabled
Asked by: Christian de Bellefeuille
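
One way to check on the Windows 7 client that the GPO values listed in the question actually took effect, as an added example that is not part of the original thread. It assumes the documented registry value names behind each "User Account Control:" policy under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and it is written to run on PowerShell 2.0:

```powershell
# Added example (not from the thread): audit the UAC policy values in effect on the client.
# Expected values mirror the "GPO SETTINGS (For Level 3 UAC)" list in the question.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$expected = @(
    @{ Name = 'FilterAdministratorToken';    Value = 0; Setting = 'Admin Approval Mode for the Built-in Administrator account' },
    @{ Name = 'EnableUIADesktopToggle';      Value = 0; Setting = 'Allow UIAccess applications to prompt without the secure desktop' },
    @{ Name = 'ConsentPromptBehaviorAdmin';  Value = 5; Setting = 'Elevation prompt for administrators (5 = consent for non-Windows binaries)' },
    @{ Name = 'ConsentPromptBehaviorUser';   Value = 3; Setting = 'Elevation prompt for standard users (3 = prompt for credentials)' },
    @{ Name = 'EnableInstallerDetection';    Value = 1; Setting = 'Detect application installations and prompt for elevation' },
    @{ Name = 'ValidateAdminCodeSignatures'; Value = 0; Setting = 'Only elevate executables that are signed and validated' },
    @{ Name = 'EnableSecureUIAPaths';        Value = 1; Setting = 'Only elevate UIAccess applications installed in secure locations' },
    @{ Name = 'EnableLUA';                   Value = 1; Setting = 'Run all administrators in Admin Approval Mode' },
    @{ Name = 'PromptOnSecureDesktop';       Value = 1; Setting = 'Switch to the secure desktop when prompting for elevation' },
    @{ Name = 'EnableVirtualization';        Value = 1; Setting = 'Virtualize file and registry write failures' }
)

# Read every value under the policy key once; stop if the key cannot be read.
$actual = Get-ItemProperty -Path $key -ErrorAction Stop

$report = foreach ($e in $expected) {
    $current = $actual.($e.Name)          # $null when the value is not present
    $status = if ($null -eq $current) { 'MISSING' } elseif ($current -eq $e.Value) { 'OK' } else { 'MISMATCH' }
    New-Object PSObject -Property @{
        Name = $e.Name; Expected = $e.Value; Actual = $current; Status = $status; Setting = $e.Setting
    }
}
$report | Select-Object Name, Expected, Actual, Status, Setting | Format-Table -AutoSize -Wrap

# Context for interpreting prompts: is the account running this script using an administrator token?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"User {0}: administrator token in use = {1}" -f $identity.Name, $isAdmin

# Summarise anything that does not match the GPO.
$bad = @($report | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) { Write-Warning ("{0} UAC value(s) differ from the GPO" -f $bad.Count) }
```

A standard user sees no prompt for regedit.exe or the MMC-based Event Viewer even when every row is OK: both request the highestAvailable execution level, so they start unelevated with the user's standard token. With ConsentPromptBehaviorAdmin at 5, an administrator is also not prompted for Windows binaries that auto-elevate.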
4 Solutions
 
Britt Thompson (Sr. Systems Engineer) commented:
If you run GPRESULT on the server does it show that it's applying the GPO?
 
epichero22 commented:
What security level is the account you're logging in with granted?  That might be a place to start.  If it's an administrator, I know that admins don't get prompted.
 
Jason Watkins (IT Project Leader) commented:
Log in as a normal domain user and try, not as an admin.
 
Christian de Bellefeuille (Programmer, Author) commented:
@Epichero22 & Firebar: It's a simple domain user, it's not an admin.  

@renazonse: I've run gpresult /h report.html.  I've named a GPO "Enable UAC".
From what I see, under Summary / Computer Configuration Summary / Group Policy Objects / Applied GPOs, I see that EnableUAC is applied to my domain.

And under Summary / User Configuration Summary / Group Policy Objects / Applied GPOs, there's none, and under Denied GPOs of the same section, I see Enable UAC.

I'm really unfamiliar with GPOs; is it because the settings are just applied to my server and not to any other computers?
 
Jason Watkins (IT Project Leader) commented:
Is the computer in the same OU where the GPO is being applied?
 
Christian de Bellefeuille (Programmer, Author) commented:
@renazone: Here's the result file if it helps
report.html
 
Christian de Bellefeuille (Programmer, Author) commented:
@Firebar: OU?  The domain is office.mydomain.com, and if I look in Active Directory Users and Computers under office.mydomain.com/Computers, I see this PC named "Test-PC".  Is that what you are asking for?
 
Britt Thompson (Sr. Systems Engineer) commented:
Looks good, most likely you just need to reboot the server. This article says:

Note
You must restart your computer when you enable or disable UAC. Changing levels of notification does not require that you restart your computer.


http://technet.microsoft.com/en-us/library/dd759070.aspx
 
Jason Watkins (IT Project Leader) commented:
Right. I was curious as to whether or not you had an OU structure in play here. Even if you did, the GPO should still apply.
 
Jason Watkins (IT Project Leader) commented:
Does the user account have read access to the GPO?
 
Mahesh (Architect) commented:
I can see the GPO is correctly applied on the computer (Domain Controller).

Can you just run rsop.msc on the computer to check whether it is showing as applied or not?

Just enable the 1st two options as well in the GPO; they are showing as disabled (Admin Approval Mode and UIAccess).

Mahesh
 
Christian de Bellefeuille (Programmer, Author) commented:
@renazone: After rebooting, the Win7 computer seems to have access to the UAC slider (with prompting).  But it doesn't seem to react the way I thought.  I was expecting a prompt when starting Registry Editor.

@Firebar: It's just a test VM, I have no other GPO, and I have no other user yet.
 
Jason Watkins (IT Project Leader) commented:
The registry can be disabled via GPO. You stop the users from even opening it.
 
Christian de Bellefeuille (Programmer, Author) commented:
@MaheshPM: When I run rsop.msc, I get an error message, and it's going to be a bit difficult to translate because this Windows is in French.  But here's what it looks like:
"Unable to generate a dataset of result strategy.  In journalisation mode, the probable causes are the following: A group strategy has never been treated for the computer or the user... " (now it gets unreadable because I see only the top 1-2 pixels of every letter).

And in the details it says: "Namespace is not valid"
 
Britt Thompson (Sr. Systems Engineer) commented:
You may not get prompted if you're an admin with a level 3 UAC.
 
Mahesh (Architect) commented:
It looks like the GPO is not applied to the computer for some reason; it might be a local computer issue.
Can you check on some other client computer whether the policy is getting applied, please?

Mahesh
 
Christian de Bellefeuille (Programmer, Author) commented:
@Firebar: I understand that if this were a real production environment, I wouldn't allow it.   But actually it was just for test purposes, to make it react just as it would on a Windows 7 Home Premium edition.  And on this version, if you set your UAC level to 3 and try to start the registry editor, you will get a UAC prompt.  I've found the registry setting responsible for disabling that, but it just disables it completely... which is not what I'm trying to do at the moment.

@renazonse: it's not an admin... my user "cdebel2005" is just a regular domain user.
 
Christian de Bellefeuille (Programmer, Author) commented:
@MaheshPM: I've managed to get it working, and even with the error message, when I look at the options for UAC, I see exactly what I've set on the server, and under the column "GPO Source", I see "Enable UAC" (the group I've defined for this purpose).

So it seems that the rules are applied properly.  

On the server, I've also gone into Group Policy Management, under "Group Policy Management/Group Policy Results", and picked the domain computer and the domain user I'm trying to test, and I see that under Computer Configuration Summary and User Configuration Summary, Enable UAC figures under Applied GPOs, so it's OK.

So my problem seems to be only with Registry Editor.  I've tried to change the GPO setting from "Prompt for consent for non-Windows binaries" to "Prompt for consent on the secure desktop", and applied gpupdate, but it doesn't change anything.
 
Christian de Bellefeuille (Programmer, Author) commented:
I'll consider this solved because I get a UAC slider.  I'm not sure why Reg Editor and other applications such as Event Viewer don't trigger a UAC prompt, but that's probably another problem.  Thank you for your help.