Solved

Windows 8.1 UAC

Posted on 2014-01-13
15
2,080 Views
Last Modified: 2014-01-29
I have been trying to create a UAC and AppLocker policy for Windows 8.1 and Server 2012 R2. AppLocker seems nice and self-explanatory: select the locations and the users that are allowed to access items in those locations. UAC, though, is frying my brain, as I understand it needs to be on in Windows 8 and 8.1 or it causes a ton of issues. Almost all domain users have roaming profiles, are members of a standard user group (not local or domain admins) and access locally installed programs in C:\Program Files and C:\Program Files (x86) and network programs at \\server\apps$\ApplicationName\Application.exe. What group policy setting do I need to put in place so users are not prompted for admin credentials when accessing programs in the locations I mentioned? Does this policy have a bearing on scripts and MSIs? If so, how can I make sure scripts and MSIs are not held up by UAC as well? (Scripts are stored in \\Server\Scripts$ and MSIs in \\server\MSI$.)
Question by:Dead_Eyes
15 Comments
 
LVL 22

Assisted Solution

by:Joseph Moody
Joseph Moody earned 250 total points
ID: 39776865
As far as I know, there isn't a whitelist location for UAC. UAC is triggered when users attempt to do something that can modify the machine as a whole, for example installing an application.

Some older applications might trigger a UAC prompt. You can create shims for these.

http://blogs.technet.com/b/askperf/archive/2011/06/17/demystifying-shims-or-using-the-app-compat-toolkit-to-make-your-old-stuff-work-with-your-new-stuff.aspx

Author Comment

by:Dead_Eyes
ID: 39776906
Thanks, I will give your suggestion a go as soon as I can get it tested. I have tried compatibility modes for the applications in question; would these not have the same effect if it's just an application trying to launch?

Author Comment

by:Dead_Eyes
ID: 39776913
Can you also shed any light on the situation with MSIs and scripts? Thanks in advance.
LVL 22

Expert Comment

by:Joseph Moody
ID: 39776976
Compatibility mode wouldn't help you bypass UAC for an application. Creating a shim that fixes the UAC trigger is the best solution.

MSIs will probably always be triggered by UAC because they are changing the entire system. It would be better for you to deploy the MSI to any computer/user needing it.

Scripts are iffy. If you are using them to deploy printers/drive mappings, consider switching to Group Policy Preferences. Let me know if you need any help with this.
LVL 54

Expert Comment

by:McKnife
ID: 39777602
There are some simple facts you need to know:
Logon scripts run as the user and are subject to UAC, while startup scripts run as SYSTEM, where UAC does not interfere. MSIs, when deployed to computer accounts by software deployment GPOs, are not interfered with by UAC at all.
Then: if starting a program brings up UAC, this can have several reasons:
- the methods used require privileges not held without elevation
- the program tries to write to its own folder (or to C:\, or to C:\Windows, or some others)
- the program tries to write to registry locations under HKU/HKLM/HKCR
To mitigate this, you need to analyze what is going on; I recommend using procmon for this.
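The triage McKnife describes, as an added example that is not part of the thread: a PowerShell snippet that reads the requestedExecutionLevel from an executable's embedded manifest (the usual reason a program asks for elevation the moment it is launched) and then launches the program with the RunAsInvoker compatibility layer set through the environment, which has the same effect as the RunAsInvoker shim, but only for that one launch. The share path is the one from the question; the function names are my own. Process Monitor itself is not scripted here.

```powershell
# Added example, not from the original thread. Helper names are mine; the
# share path is the one used in the question.

function Get-RequestedExecutionLevel {
    <#
      Returns the requestedExecutionLevel from the EXE's embedded manifest
      (asInvoker, highestAvailable or requireAdministrator), or 'none' when
      no manifest element is found. 'requireAdministrator' means UAC prompts
      before the first instruction of the program runs. 'none' on a 32-bit
      EXE whose name looks like an installer (setup, install, update) also
      triggers the UAC installer-detection heuristic.
    #>
    param([Parameter(Mandatory)][string]$Path)

    # The manifest is stored as plain UTF-8 XML in the RT_MANIFEST resource,
    # so a byte scan finds the attribute without walking the PE resource tree.
    $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($Path))
    $m = [regex]::Match($text, 'requestedExecutionLevel[^>]*?level\s*=\s*"([^"]+)"')
    if ($m.Success) { return $m.Groups[1].Value }
    return 'none'
}

function Start-AsInvoker {
    <#
      Launches the program with the RunAsInvoker compatibility layer, passed
      to the child through the __COMPAT_LAYER environment variable. The
      process then starts with the caller's (standard-user) token and no UAC
      prompt. If it fails afterwards with access-denied errors, it really
      needs the rights and a shim will not help; Process Monitor filtered on
      Result = ACCESS DENIED shows which file or registry path is involved.
    #>
    param([Parameter(Mandatory)][string]$Path)

    $old = $env:__COMPAT_LAYER
    $env:__COMPAT_LAYER = 'RunAsInvoker'
    try {
        Start-Process -FilePath $Path -PassThru
    } finally {
        # The child already inherited the variable; restore the parent shell.
        if ($null -eq $old) { Remove-Item Env:\__COMPAT_LAYER -ErrorAction SilentlyContinue }
        else { $env:__COMPAT_LAYER = $old }
    }
}

# Usage: report what the manifest asks for, then launch without elevation.
$exe = '\\server\apps$\ApplicationName\Application.exe'
'{0} manifest requests: {1}' -f $exe, (Get-RequestedExecutionLevel -Path $exe)
$proc = Start-AsInvoker -Path $exe
'Started PID {0} with the caller''s own token' -f $proc.Id
```

If the manifest says asInvoker (or none) and the program still prompts, the trigger is not the launch itself but something the program does afterwards (writing to its own folder under Program Files, or to HKLM), which is exactly the case where procmon, not a shim, gives the answer.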

Author Comment

by:Dead_Eyes
ID: 39787959
Thanks for your help so far. I have installed the Application Compatibility Toolkit on my machine, set up a database, ran the application fix selecting RunAsInvoker and ran the command sdbinst \\servername\folder\savedfile.sdb, but still, when I go to a machine, log in as a test user and try to launch the application, I get stopped by a UAC prompt. Any idea where I am going wrong?
LVL 54

Expert Comment

by:McKnife
ID: 39787970
The Application Compatibility Toolkit does no magic. It can be used successfully with RunAsInvoker if the app does indeed NOT need these elevated privileges although it requests them.
In your case, it seems as though the app really needs them. Then we can only ask the manufacturer what privileges are needed (where does that app try to write to, what registry keys does it try to modify) or find out the same ourselves by means of monitoring (tool: procmon).

Author Comment

by:Dead_Eyes
ID: 39788087
Damn... Out of curiosity, how do other machines on the domain know the application has been modified by the Application Compatibility Toolkit? Do you need to run the toolkit on the server where the application is installed? (In my case it was running from a server share and the toolkit was on a management PC.)
LVL 54

Expert Comment

by:McKnife
ID: 39790998
The shim file that you produce with the toolkit is not applied to the application but has to be applied to each client's local compatibility database. So to deploy it, a script with the sdbinst command needs to run on each client. I deployed one using an MSI wrapper that simply wrapped that script.

Author Comment

by:Dead_Eyes
ID: 39804810
Hi, sorry for the late replies (working on multiple sites at the moment). So does the Application Compatibility Toolkit need to be installed on each machine? I tested the app on the computer I installed the toolkit on as a limited user and it runs with no UAC prompt; however, when I tried on another machine (where I had simply run the sdbinst \\servername\folder\savedfile.sdb command), it prompted me. So I think the fix works, I just can't get it out to other machines.
LVL 54

Expert Comment

by:McKnife
ID: 39805816
> Does the Application Compatibility Toolkit need to be installed on each machine?
No, it works without it. If it doesn't work on one machine, make sure you executed the command successfully as an administrator and elevated (right-click cmd.exe and select "Run as administrator", then fire the command). It should work anywhere; please test it on more machines than one.
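McKnife's deployment advice (sdbinst on every client, run elevated) as an added example, not code from the thread: a PowerShell script that refuses to run unless it holds an elevated token, installs the database quietly with sdbinst.exe, and then confirms registration by reading the InstalledSDB and Custom keys under AppCompatFlags that sdbinst writes. The UNC path is the one used earlier in the thread; the function names and the Custom-key check by executable name are mine. Run it from an elevated prompt on a test client first, then from a computer startup script (which runs as SYSTEM, so there is no prompt to answer) or from an MSI wrapper as McKnife did.

```powershell
# Added example, not from the original thread. Function names are mine; the
# sdb path is the one from the question. Requires an elevated session.

param(
    [string]$SdbPath = '\\servername\folder\savedfile.sdb',
    [string]$ExeName = 'Application.exe'   # executable the fix was created for
)

$AppCompat = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

function Test-IsElevated {
    # sdbinst silently does nothing useful without an elevated token, which is
    # the usual reason a "worked on my PC" shim does not take effect elsewhere.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-InstalledSdb {
    # sdbinst registers every installed database under InstalledSDB\{guid}
    # with DatabaseDescription and DatabasePath values.
    Get-ChildItem "$AppCompat\InstalledSDB" -ErrorAction SilentlyContinue | ForEach-Object {
        $v = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Guid        = $_.PSChildName
            Description = $v.DatabaseDescription
            Path        = $v.DatabasePath
        }
    }
}

function Install-Sdb {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-IsElevated)) {
        throw 'sdbinst needs an elevated token. Re-run from an elevated prompt or as a computer startup script.'
    }
    if (-not (Test-Path -LiteralPath $Path)) { throw "Shim database not found: $Path" }

    $before = @(Get-InstalledSdb | Select-Object -ExpandProperty Guid)

    # -q installs without the confirmation dialog. sdbinst copies the file into
    # %SystemRoot%\AppPatch\Custom and registers it, so the share is read once.
    $p = Start-Process -FilePath "$env:SystemRoot\System32\sdbinst.exe" `
                       -ArgumentList @('-q', ('"{0}"' -f $Path)) `
                       -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "sdbinst exited with code $($p.ExitCode)" }

    $new = Get-InstalledSdb | Where-Object { $before -notcontains $_.Guid }
    if (-not $new) { throw 'sdbinst returned 0 but no new database appeared under InstalledSDB' }
    return $new
}

function Test-ShimmedExe {
    # Per shimmed executable, sdbinst also writes Custom\<exe name> holding one
    # value named {guid}.sdb. Its absence means the fix does not match this EXE
    # (typically the name differs from the one chosen when the fix was built).
    param([Parameter(Mandatory)][string]$Name)
    $key = Join-Path $AppCompat "Custom\$Name"
    if (-not (Test-Path $key)) { return $false }
    return [bool]((Get-Item $key).GetValueNames() -match '\.sdb$')
}

$installed = Install-Sdb -Path $SdbPath
$installed | Format-Table -AutoSize
if (Test-ShimmedExe -Name $ExeName) { "Shim registered for $ExeName" }
else { Write-Warning "No Custom entry for $ExeName; check the executable name used when the fix was created" }
```

To remove a database later, sdbinst -u with the same path (or -g with the GUID shown above) unregisters it; the Custom key check is also a quick way to see on any client whether the shim ever landed there at all.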

Author Comment

by:Dead_Eyes
ID: 39806195
I have some time on site on Monday; I will test then. Thanks for your help and patience.

Author Comment

by:Dead_Eyes
ID: 39811469
OK, very confusing results so far. I cannot get this program to run from the Windows 8 Start screen; however, if I just place a shortcut in a common shared drive and ask users to run it from there, it works. No clue how that bypasses UAC, but it does. I will run a couple more tests and award points at the end of the day.
LVL 54

Accepted Solution

by:McKnife
McKnife earned 250 total points
ID: 39811729
Very interesting findings, never heard that before!
Could you name programs that behave like that? (company, product+version, name of the executable)

Author Comment

by:Dead_Eyes
ID: 39812151
It's a bit of educational freeware called blockCAD (latest version); we have it installed on a mapped drive called P:\ on our apps server. The shortcut on Metro and in Common is listed as \\server\share$\folder\blockCAD.exe though. Screenshot attached.
ACT.jpg