Solved

Windows 8.1 UAC

Posted on 2014-01-13
15
2,099 Views
Last Modified: 2014-01-29
I have been trying to create a UAC & AppLocker policy for Windows 8.1 and Server 2012 R2. AppLocker seems nice and self-explanatory: select locations and the users that are allowed to access items in those locations. UAC, though, is frying my brain, as I understand it needs to be on in Windows 8 & 8.1 or it causes a ton of issues. Almost all domain users have roaming profiles, are members of a standard user group (not local or domain admins) and access locally installed programs in C:\Program Files & C:\Program Files (x86) and network programs in \\server\apps$\ApplicationName\Application.exe. What group policy setting do I need to put in place so users are not prompted for admin credentials when accessing programs in the locations I mentioned? Does this policy have a bearing on scripts and MSIs? If so, how can I make sure scripts and MSIs are not held up by UAC as well? (Scripts are stored in \\Server\Scripts$ and MSIs in \\server\MSI$.)
Question by:Dead_Eyes
15 Comments
 
LVL 22

Assisted Solution

by:Joseph Moody
Joseph Moody earned 250 total points
ID: 39776865
As far as I know, there isn't a whitelist location for UAC. UAC is triggered when users attempt to do something that can modify the machine as a whole. For example, installing an application.

Some older applications might trigger a UAC prompt. You can create shims for these.

http://blogs.technet.com/b/askperf/archive/2011/06/17/demystifying-shims-or-using-the-app-compat-toolkit-to-make-your-old-stuff-work-with-your-new-stuff.aspx
0
 

Author Comment

by:Dead_Eyes
ID: 39776906
Thanks, will give your suggestion a go as soon as I can get it tested. I have tried compatibility modes for the applications in question; would these not have the same effect if it's just an application trying to launch?
0
 

Author Comment

by:Dead_Eyes
ID: 39776913
Can you also shed any light on the situation with MSIs and scripts? Thanks in advance.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 39776976
Compatibility mode wouldn't help you bypass UAC for an application. Creating a shim that fixes the UAC trigger is the best solution.

MSIs will probably always be triggered by UAC because they are changing the entire system. It would be better for you to deploy the MSI to any computer/user needing it.

Scripts are iffy. If you are using them to deploy printers/drive mappings, consider switching to Group Policy Preferences.  Let me know if you need any help with this.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39777602
There are simple facts you need to know:
Logon scripts run as users and are subject to UAC, while startup scripts run as SYSTEM and here UAC does not interfere. MSIs, when deployed to computer accounts by software deployment GPOs, are not interfered with by UAC at all.
Then: if starting programs brings up UAC, this can have several reasons:
- methods used require privileges not held without elevation
- program tries to write to its own folder (or to C:\, or to C:\Windows, or some more)
- program tries to write to registry locations HKU/HKLM/HCR
To mitigate this, you need to analyze what is going on; I recommend using procmon for this.
0
 

Author Comment

by:Dead_Eyes
ID: 39787959
Thanks for your help so far. I have installed the Application Compatibility Toolkit on my machine, set up a database, ran the application fix selecting run as invoker and ran the command sdbinst \\servername\folder\savedfile.sdb. But still, when I go to a machine, log in as a test user and try to launch the application, I get stopped by a UAC prompt. Any idea where I am going wrong?
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39787970
The application toolkit does no magic. It can be used successfully with runasinvoker if the app does indeed NOT need these elevated privileges although it requests them.
In your case, it seems as though the app really needs them. There, we can only ask the manufacturer what privileges are needed (where does that app try to write to, what regkeys does it try to modify) or find out the same ourselves by means of monitoring (tool: procmon).
0
 

Author Comment

by:Dead_Eyes
ID: 39788087
Damn... out of curiosity, how do other machines on the domain know the application has been modified by the Application Compatibility Toolkit? Do you need to run the toolkit on the server where the application is installed? (In my case it was running from a server share and the toolkit was on a management PC.)
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39790998
The shim file that you produce with the toolkit is not applied to the application but has to be applied to each client's local compatibility database. So to deploy it, a script with the sdbinst command needs to run everywhere. I deployed one using an MSI wrapper that simply wrapped that script.
0
 

Author Comment

by:Dead_Eyes
ID: 39804810
Hi, sorry for the late replies (working on multiple sites atm). So does the Application Compatibility Toolkit need to be installed on each machine? I tested the app on the computer I installed the toolkit on as a limited user and it runs with no UAC prompt; however, when I tried on another machine (where I had simply run the sdbinst \\servername\folder\savedfile.sdb command) it prompted me. So I think the fix works, I just can't get it out to other machines.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39805816
> does the application compatibility toolkit need to be installed on each machine?
No. Works without. If it doesn't work on one machine, make sure you executed the command successfully as administrator and elevated (right-click cmd.exe and select "run as administrator", then fire the command). Should work anywhere; please test it on more machines than one.
0
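An added example, not code from the thread or from Microsoft, of how the deployment McKnife describes in his two comments above can be scripted: copy the .sdb produced by the Application Compatibility Toolkit to the client, run sdbinst elevated and quietly, and verify that the database was actually registered. The share and file names are placeholders taken from the question; the `Test-IsElevated` and `Get-InstalledSdb` helpers are mine. It reads the `AppCompatFlags\InstalledSDB` registry key, which is where sdbinst records the databases it has installed.

```powershell
#Requires -Version 3.0
# Added example (not from the thread): install an ACT shim database on a client.
# Intended to run as a computer startup script (runs as SYSTEM, so UAC does not
# interfere) or from an elevated prompt. Paths below are placeholders.
[CmdletBinding()]
param(
    # UNC path to the .sdb saved from Compatibility Administrator (placeholder)
    [string]$SdbPath  = '\\servername\folder\savedfile.sdb',
    # Local staging folder so sdbinst does not depend on the share later
    [string]$LocalDir = "$env:ProgramData\AppCompatShims",
    # Remove the database instead of installing it
    [switch]$Uninstall
)

function Test-IsElevated {
    # An Administrators member with a filtered (non-elevated) UAC token fails
    # this check; that is the case McKnife says makes sdbinst appear to fail.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-InstalledSdb {
    # sdbinst registers every installed database under this key, one GUID per
    # database, with DatabasePath and DatabaseDescription values.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
    if (-not (Test-Path $key)) { return @() }
    Get-ChildItem $key | ForEach-Object {
        $v = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Guid         = $_.PSChildName
            Description  = $v.DatabaseDescription
            DatabasePath = $v.DatabasePath
        }
    }
}

if (-not (Test-IsElevated)) {
    throw 'sdbinst needs an elevated token: run from an elevated prompt or as SYSTEM (startup script / software deployment).'
}

$sdbinst = Join-Path $env:SystemRoot 'System32\sdbinst.exe'
$local   = Join-Path $LocalDir (Split-Path $SdbPath -Leaf)

if ($Uninstall) {
    # -u removes the database identified by its file; -q suppresses dialogs
    & $sdbinst -q -u $local
    if ($LASTEXITCODE -ne 0) { throw "sdbinst -u failed with exit code $LASTEXITCODE" }
    Write-Verbose "Removed $local"
    return
}

if (-not (Test-Path $SdbPath)) { throw "SDB not found: $SdbPath" }
New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null
Copy-Item -Path $SdbPath -Destination $local -Force

$before = @(Get-InstalledSdb | Where-Object DatabasePath -eq $local).Count

# -q = quiet mode, so the command is safe in an unattended startup script
& $sdbinst -q $local
if ($LASTEXITCODE -ne 0) { throw "sdbinst failed with exit code $LASTEXITCODE" }

# Verify: the database must now appear in the InstalledSDB key
$installed = @(Get-InstalledSdb | Where-Object DatabasePath -eq $local)
if ($installed.Count -eq 0) {
    throw "sdbinst returned 0 but $local is not registered under InstalledSDB"
}
if ($before -eq 0) { Write-Verbose "Installed $local" } else { Write-Verbose "Re-installed $local" }
$installed | Format-Table Guid, Description, DatabasePath -AutoSize
```

When this runs as a computer startup script, the machine is the one reading the share, so the computer accounts (for example `Domain Computers`) need read access to the folder holding the .sdb. Staging the file locally before calling sdbinst keeps the registered `DatabasePath` valid even if the share is later renamed, and the InstalledSDB check is what distinguishes "the shim is installed but the app still needs admin rights" (McKnife's earlier point) from "the shim never got onto this client".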
 

Author Comment

by:Dead_Eyes
ID: 39806195
I have some time on site on Monday I will test then, thanks for your help and patience
0
 

Author Comment

by:Dead_Eyes
ID: 39811469
Ok, very confusing results so far. I cannot get this program to run from the Windows 8 start screen; however, if I just place a shortcut in a common shared drive and ask users to run it from there, it works. No clue how that bypasses UAC, but it does. I will run a couple more tests and award points at the end of the day.
0
 
LVL 55

Accepted Solution

by:
McKnife earned 250 total points
ID: 39811729
Very interesting findings, never heard that before!
Could you name programs that behave like that? (Company, product + version, name of the executable.)
0
 

Author Comment

by:Dead_Eyes
ID: 39812151
It's a bit of educational freeware called blockCAD (latest version); we have it installed on a mapped drive called P:\ on our apps server. The shortcut on Metro and in common is listed as \\server\share$\folder\blockCAD.exe though. Screenshot attached.
ACT.jpg
0