• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2141

Windows 8.1 UAC

I have been trying to create a UAC & AppLocker policy for Windows 8.1 and Server 2012 R2. AppLocker seems nice and explanatory: select locations and users that are allowed to access items in those locations. UAC, though, is frying my brain, as I understand it needs to be on in Windows 8 & 8.1 or it causes a ton of issues. Almost all domain users have roaming profiles, are members of a standard user group (not local or domain admins) and access locally installed programs in C:\Program Files & C:\Program Files (x86) and network programs in \\server\apps$\ApplicationName\Application.exe. What group policy setting do I need to put in place so users are not prompted for admin credentials when accessing programs in the locations I mentioned? Does this policy have a bearing on scripts and MSIs? If so, how can I make sure scripts and MSIs are not held up by the UAC as well? (Scripts are stored in \\Server\Scripts$ and MSIs in \\server\MSI$.)
Asked by Dead_Eyes
2 Solutions
 
Joseph Moody (Blogger and wearer of all hats) commented:
As far as I know, there isn't a whitelist location for UAC. UAC is triggered when users attempt to do something that can modify the machine as a whole. For example, installing an application.

Some older applications might trigger a UAC prompt. You can create shims for these.

http://blogs.technet.com/b/askperf/archive/2011/06/17/demystifying-shims-or-using-the-app-compat-toolkit-to-make-your-old-stuff-work-with-your-new-stuff.aspx
0
 
Dead_Eyes (Author) commented:
Thanks, will give your suggestion a go as soon as I can get it tested. I have tried compatibility modes for the applications in question; would these not have the same effect if it's just an application trying to launch?
0
 
Dead_Eyes (Author) commented:
Can you also shed any light on the situation with MSIs and scripts? Thanks in advance.
0
 
Joseph Moody (Blogger and wearer of all hats) commented:
Compatibility mode wouldn't help you bypass UAC for an application. Creating a shim that fixes the UAC trigger is the best solution.

MSIs will probably always be triggered by UAC because they are changing the entire system. It would be better for you to deploy the MSI to any computer/user needing it.

Scripts are iffy. If you are using them to deploy printers/drive mappings, consider switching to Group Policy Preferences. Let me know if you need any help with this.
0
 
McKnife commented:
There are simple facts you need to know:
Logon scripts run as the user and are subject to UAC, while startup scripts run as SYSTEM and there UAC does not interfere. MSIs, when deployed to computer accounts by software deployment GPOs, are not interfered with by UAC at all.
Then: if starting programs brings up UAC, this can have several reasons:
- methods used require privileges not held without elevation
- the program tries to write to its own folder (or to C:\, or to C:\Windows, or some more)
- the program tries to write to registry locations HKU/HKLM/HKCR
To mitigate this, you need to analyze what is going on; I recommend using procmon for this.
0
 
Dead_Eyes (Author) commented:
Thanks for your help so far. I have installed the Application Compatibility Toolkit on my machine, set up a database, ran the application fix selecting RunAsInvoker and ran the command sdbinst \\servername\folder\savedfile.sdb, but still, when I go to a machine, log in as a test user and try to launch the application, I get stopped by a UAC prompt. Any idea where I am going wrong?
0
 
McKnife commented:
The Application Compatibility Toolkit does no magic. It can be used successfully with RunAsInvoker if the app does indeed NOT need these elevated privileges although it requests them.
In your case, it seems as though the app really needs them. Then we can only ask the manufacturer what privileges are needed (where does that app try to write to, what registry keys does it try to modify) or find out the same ourselves by means of monitoring (tool: procmon).
0
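As an added example (not McKnife's code and not part of the toolkit), a PowerShell function that reports the requestedExecutionLevel declared in an executable's embedded manifest: an app that declares requireAdministrator prompts at launch even if it never writes anywhere privileged, which is exactly the case a RunAsInvoker shim addresses, while an asInvoker app that still fails or prompts is the case for procmon as described above. The path used is the one from the question and stands in for any EXE.

```powershell
# Added example, not code from the thread: report the requestedExecutionLevel declared in an
# EXE's embedded application manifest. "requireAdministrator" prompts every user at launch;
# "highestAvailable" prompts only accounts that hold an admin token to elevate to; "asInvoker"
# (or no manifest) starts with the caller's token, so a prompt there comes from what the
# program does afterwards, which is the procmon case. $ExePath is the share path from the question.
function Get-RequestedExecutionLevel {
    param([Parameter(Mandatory)][string]$ExePath)

    # The manifest is embedded as plain UTF-8 XML in the PE resource section (assumption: not
    # UTF-16), so scanning the raw bytes for the element avoids writing a PE resource parser.
    $bytes = [System.IO.File]::ReadAllBytes($ExePath)
    $text  = [System.Text.Encoding]::UTF8.GetString($bytes)
    $m = [regex]::Match($text, 'requestedExecutionLevel\s+level\s*=\s*["''](?<level>[^"'']+)["'']')

    if ($m.Success) {
        $level = $m.Groups['level'].Value
    } else {
        # No manifest: UAC treats the EXE as asInvoker unless installer detection fires
        # (32-bit, unmanifested, and a name or version string containing install/setup/update).
        $level = 'asInvoker (no manifest found)'
    }

    [pscustomobject]@{
        Path                 = $ExePath
        Level                = $level
        # Standard users (the question's case) get a credential prompt only for requireAdministrator.
        PromptsStandardUsers = ($level -eq 'requireAdministrator')
        # A RunAsInvoker shim only helps when the app asks for admin but does not actually need it.
        ShimCandidate        = ($level -eq 'requireAdministrator')
    }
}

# Constructed usage: the network program path from the question.
Get-RequestedExecutionLevel -ExePath '\\server\apps$\ApplicationName\Application.exe' | Format-List
```

If the result is asInvoker and the prompt still appears, the trigger is the program's behaviour after launch (writes under its own folder, C:\Windows or HKLM), which procmon will show as ACCESS DENIED results in the user's context.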
 
Dead_Eyes (Author) commented:
Damn... out of curiosity, how do other machines on the domain know the application has been modified by the Application Compatibility Toolkit? Do you need to run the toolkit on the server where the application is installed? (In my case it was running from a server share and the toolkit was on a management PC.)
0
 
McKnife commented:
The shim file that you produce with the toolkit is not applied to the application but has to be applied to each client's local compatibility database. So to deploy it, a script with the sdbinst command needs to run everywhere. I deployed one using an MSI wrapper that simply wrapped that script.
0
 
Dead_Eyes (Author) commented:
Hi, sorry for the late replies (working on multiple sites atm). So does the Application Compatibility Toolkit need to be installed on each machine? I tested the app on the computer I installed the toolkit on as a limited user and it runs with no UAC prompt; however, when I tried on another machine (where I had simply run the sdbinst \\servername\folder\savedfile.sdb command) it prompted me. So I think the fix works, I just can't get it out to other machines.
0
 
McKnife commented:
> does the application compatibility toolkit need to be installed on each machine?
No. It works without it. If it doesn't work on one machine, make sure you executed the command successfully as administrator and elevated (right-click cmd.exe and select "Run as administrator", then fire the command). It should work anywhere; please test it on more machines than one.
0
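One way to get the shim out to every client, as an added example that is not McKnife's script or MSI wrapper: a computer startup script, assigned under Computer Configuration > Policies > Windows Settings > Scripts, runs as SYSTEM, so UAC cannot block sdbinst the way the un-elevated cmd.exe above does. The share path is the one from the thread; the expected description is assumed to be the database name typed into Compatibility Administrator, and the computer accounts are assumed to have read access to the share.

```powershell
# Added example, not code from the thread: register a custom shim database (.sdb) from a share
# on each client from a computer startup script (runs as SYSTEM, so no UAC prompt can block it).
# The script is idempotent, so it can stay assigned in the GPO. Path and description are
# placeholders; $ExpectedDescription is assumed to be the name given in Compatibility Administrator.
$SdbPath             = '\\servername\folder\savedfile.sdb'
$ExpectedDescription = 'blockCAD RunAsInvoker'   # assumed: custom database name from the toolkit
$InstalledSdbKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'

function Test-Elevated {
    # True for SYSTEM and for an elevated admin; false for the un-elevated cmd.exe case in the thread.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-ShimRegistered {
    param([Parameter(Mandatory)][string]$Description)
    if (-not (Test-Path $InstalledSdbKey)) { return $false }
    # sdbinst records each installed database under a GUID subkey: DatabaseDescription holds the
    # toolkit name, DatabasePath the local copy under %SystemRoot%\AppPatch\Custom (assumed layout).
    foreach ($k in Get-ChildItem $InstalledSdbKey) {
        $p = Get-ItemProperty $k.PSPath
        if ($p.DatabaseDescription -eq $Description -and (Test-Path $p.DatabasePath)) { return $true }
    }
    return $false
}

function Install-Shim {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Description)
    if (-not (Test-Elevated)) { throw 'sdbinst must run elevated (SYSTEM via startup script, or an elevated admin cmd).' }
    if (Test-ShimRegistered -Description $Description) { return 'already registered' }
    if (-not (Test-Path $Path)) { throw "SDB not reachable from this computer account: $Path" }
    # -q = quiet. sdbinst copies the file locally and registers it, so the share is only needed now.
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\sdbinst.exe" `
                          -ArgumentList @('-q', "`"$Path`"") -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "sdbinst failed with exit code $($proc.ExitCode)" }
    return 'registered'
}

Install-Shim -Path $SdbPath -Description $ExpectedDescription
```

To roll the fix back later, the matching uninstall is sdbinst -u with the same file (or -u -g with the database GUID shown under the InstalledSDB key).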
 
Dead_Eyes (Author) commented:
I have some time on site on Monday; I will test then. Thanks for your help and patience.
0
 
Dead_Eyes (Author) commented:
OK, very confusing results so far. I cannot get this program to run from the Windows 8 Start screen; however, if I just place a shortcut in a common shared drive and ask users to run it from there, it works. No clue how that bypasses the UAC, but it does. I will run a couple more tests and award points at the end of the day.
0
 
McKnife commented:
Very interesting findings, never heard that before!
Could you name programs that behave like that? (company, product+version, name of the executable)
0
 
Dead_Eyes (Author) commented:
It's a bit of educational freeware called blockCAD (latest version); we have it installed on a mapped drive called P:\ on our apps server. The shortcut on Metro and in Common is listed as \\server\share$\folder\blockCAD.exe though. Screenshot attached: ACT.jpg
0