Solved

Windows 8.1 UAC

Posted on 2014-01-13
Last Modified: 2014-01-29
I have been trying to create a UAC & AppLocker policy for Windows 8.1 and Server 2012 R2. AppLocker seems nice and explanatory: select locations and users that are allowed to access items in those locations. UAC, though, is frying my brain, as I understand it needs to be on in Windows 8 & 8.1 or it causes a ton of issues. Almost all domain users have roaming profiles, are members of a standard user group (not local or domain admins) and access locally installed programs in C:\Program Files & C:\Program Files (x86) and network programs in \\server\apps$\ApplicationName\Application.exe. What group policy setting do I need to put in place so users are not prompted for admin credentials when accessing programs in the locations I mentioned? Does this policy have a bearing on scripts and MSIs? If so, how can I make sure scripts and MSIs are not held up by UAC as well? (Scripts are stored in \\Server\Scripts$ and MSIs in \\server\MSI$.)
Question by: Dead_Eyes
Assisted Solution by: Joseph Moody (earned 250 total points)
As far as I know, there isn't a whitelist location for UAC. UAC is triggered when users attempt to do something that can modify the machine as a whole. For example, installing an application.

Some older applications might trigger a UAC prompt. You can create shims for these.

http://blogs.technet.com/b/askperf/archive/2011/06/17/demystifying-shims-or-using-the-app-compat-toolkit-to-make-your-old-stuff-work-with-your-new-stuff.aspx

Author Comment by: Dead_Eyes
Thanks, will give your suggestion a go as soon as I can get it tested. I have tried compatibility modes for the applications in question; would these not have the same effect if it's just an application trying to launch?

Author Comment by: Dead_Eyes
Can you also shed any light on the situation with MSIs and scripts? Thanks in advance.

Expert Comment by: Joseph Moody
Compatibility mode wouldn't help you bypass UAC for an application. Creating a shim that fixes the UAC trigger is the best solution.

MSIs will probably always be triggered by UAC because they are changing the entire system. It would be better for you to deploy the MSI to any computer/user needing it.

Scripts are iffy. If you are using them to deploy printers/drive mappings, consider switching to Group Policy Preferences. Let me know if you need any help with this.

Expert Comment by: McKnife
There are simple facts you need to know:
Logon scripts run as users and are subject to UAC, while startup scripts run as SYSTEM and there UAC does not interfere. MSIs, when deployed to computer accounts by software deployment GPOs, are not interfered with by UAC at all.
Then: if starting programs brings up UAC, this can have several reasons:
- methods used require privileges not held without elevation
- program tries to write to its own folder (or to C:\, or to C:\Windows, or some more)
- program tries to write to registry locations HKU/HKLM/HKCR
To mitigate this, you need to analyze what is going on; I recommend using procmon for this.

Author Comment by: Dead_Eyes
Thanks for your help so far. I have installed the Application Compatibility Toolkit on my machine, set up a database, ran the application fix selecting RunAsInvoker and ran the command sdbinst \\servername\folder\savedfile.sdb, but still, when I go to a machine, log in as a test user and try to launch the application, I get stopped by a UAC prompt. Any idea where I am going wrong?

Expert Comment by: McKnife
The Application Compatibility Toolkit does no magic. It can be used successfully with RunAsInvoker if the app does indeed NOT need these elevated privileges although it requests them.
In your case, it seems as though the app really needs them. Then we can only ask the manufacturer what privileges are needed (where does that app try to write to, what registry keys does it try to modify) or find out the same ourselves by means of monitoring (tool: procmon).

Author Comment by: Dead_Eyes
Damn... Out of curiosity, how do other machines on the domain know the application has been modified by the Application Compatibility Toolkit? Do you need to run the toolkit on the server where the application is installed? (In my case it was running from a server share and the toolkit was on a management PC.)

Expert Comment by: McKnife
The shim file that you produce with the toolkit is not applied to the application but has to be applied to each client's local compatibility database. So to deploy it, a script with the sdbinst command needs to run everywhere. I deployed one using an MSI wrapper that simply wrapped that script.

Author Comment by: Dead_Eyes
Hi, sorry for the late replies (working on multiple sites atm). So does the Application Compatibility Toolkit need to be installed on each machine? I tested the app on the computer I installed the toolkit on as a limited user and it runs with no UAC prompt; however, when I tried on another machine (where I had simply run the sdbinst \\servername\folder\savedfile.sdb command) it prompted me. So I think the fix works, I just can't get it out to other machines.

Expert Comment by: McKnife
> does the application compatibility toolkit need to be installed on each machine?
No. Works without. If it doesn't work on one machine, make sure you executed the command successfully as administrator and elevated (right-click cmd.exe and select "Run as administrator", then fire the command). Should work anywhere; please test it on more machines than one.
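Building on the point above that sdbinst has to run elevated on every client, the following is an added example (not code from this thread or from the Application Compatibility Toolkit) of a GPO computer startup script that registers the shim database and then verifies the registration in the registry. It assumes the \\servername\folder\savedfile.sdb path from the thread and blockCAD.exe as the shimmed executable; the AppCompatFlags keys it checks are also where a defender audits for shims nobody deployed on purpose.

```powershell
# Added example, not from the thread. Intended as a GPO computer startup script:
# it runs as SYSTEM, so it is already elevated and UAC does not get in the way.
# Assumptions: the .sdb path from the thread and blockCAD.exe as the program being shimmed.
$SdbPath    = '\\servername\folder\savedfile.sdb'
$ShimmedExe = 'blockCAD.exe'
$Log        = Join-Path $env:ProgramData 'ShimDeploy.log'
$Flags      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $Log -Append -Encoding utf8
}

# sdbinst needs an elevated context; fail early with a clear log line instead of a UAC prompt.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Log 'Not elevated: run as SYSTEM (startup script) or from an elevated prompt.'
    exit 1
}

# Idempotency: sdbinst records each shimmed executable under AppCompatFlags\Custom\<exe>,
# one value per installed database GUID. If blockCAD.exe is already there, nothing to do.
$customKey = Join-Path $Flags "Custom\$ShimmedExe"
if (Test-Path $customKey) {
    Write-Log "$ShimmedExe already has a custom shim registered; skipping."
    exit 0
}

# As SYSTEM the share is accessed as the computer account, which therefore needs read access.
if (-not (Test-Path $SdbPath)) {
    Write-Log "Shim database $SdbPath not reachable; check the computer account can read the share."
    exit 1
}

# -q = quiet, no dialog box (required for an unattended startup script).
$proc = Start-Process -FilePath "$env:SystemRoot\System32\sdbinst.exe" `
    -ArgumentList @('-q', "`"$SdbPath`"") -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {
    Write-Log "sdbinst failed with exit code $($proc.ExitCode)."
    exit $proc.ExitCode
}

# Verify: the database is listed under InstalledSDB and the exe now has a Custom entry.
$installed = Get-ChildItem (Join-Path $Flags 'InstalledSDB') -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-ItemProperty $_.PSPath).DatabaseDescription }
if (Test-Path $customKey) {
    Write-Log "Shim applied for $ShimmedExe. Installed databases: $($installed -join ', ')"
} else {
    Write-Log "sdbinst returned 0 but $ShimmedExe is not registered; check the fix targets that exe name."
    exit 1
}
```

If the fix was created against a different executable name than the one users actually launch (for instance a launcher versus the main binary), the Custom key will carry that other name and the verification at the end will show it.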

Author Comment by: Dead_Eyes
I have some time on site on Monday; I will test then. Thanks for your help and patience.

Author Comment by: Dead_Eyes
Ok, very confusing results so far. I cannot get this program to run from the Windows 8 start screen; however, if I just place a shortcut in a common shared drive and ask users to run it from there, it works. No clue how that bypasses UAC, but it does and it works. I will run a couple more tests and award points at the end of the day.

Accepted Solution by: McKnife (earned 250 total points)
Very interesting findings, never heard that before!
Could you name programs that behave like that? (company, product+version, name of the executable)

Author Comment by: Dead_Eyes
It's a bit of educational freeware called blockCAD (latest version); we have it installed on a mapped drive called P:\ on our apps server. The shortcut on Metro and in common is listed as \\server\share$\folder\blockCAD.exe though. Screenshot attached (ACT.jpg).