Solved

Windows 8.1 UAC

Posted on 2014-01-13
15
2,073 Views
Last Modified: 2014-01-29
I have been trying to create a UAC & AppLocker policy for Windows 8.1 and Server 2012 R2. AppLocker seems nice and self-explanatory: select locations and users that are allowed to access items in those locations. UAC though is frying my brain, as I understand it needs to be on in Windows 8 & 8.1 or it causes a ton of issues. Almost all domain users have roaming profiles, are members of a standard user group (not local or domain admins) and access locally installed programs in C:\Program Files & C:\Program Files (x86) and network programs in \\server\apps$\ApplicationName\Application.exe. What group policy setting do I need to put in place so users are not prompted for admin credentials when accessing programs in the locations I mentioned? Does this policy have a bearing on scripts and MSIs? If so, how can I make sure scripts and MSIs are not held up by UAC as well? (Scripts are stored in \\Server\Scripts$ and MSIs in \\server\MSI$.)
0
Comment
Question by:Dead_Eyes
15 Comments
 
LVL 22

Assisted Solution

by:Joseph Moody
Joseph Moody earned 250 total points
ID: 39776865
As far as I know, there isn't a whitelist location for UAC. UAC is triggered when users attempt to do something that can modify the machine as a whole. For example, installing an application.

Some older applications might trigger a UAC prompt. You can create shims for these.

http://blogs.technet.com/b/askperf/archive/2011/06/17/demystifying-shims-or-using-the-app-compat-toolkit-to-make-your-old-stuff-work-with-your-new-stuff.aspx
0
 

Author Comment

by:Dead_Eyes
ID: 39776906
Thanks, will give your suggestion a go as soon as I can get it tested. I have tried compatibility modes for the applications in question; would these not have the same effect if it's just an application trying to launch?
0
 

Author Comment

by:Dead_Eyes
ID: 39776913
Can you also shed any light on the situation with MSIs and scripts? Thanks in advance.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 39776976
Compatibility mode wouldn't help you bypass UAC for an application. Creating a shim that fixes the UAC trigger is the best solution.

MSIs will probably always be triggered by UAC because they are changing the entire system. It would be better for you to deploy the MSI to any computer/user needing it.

Scripts are iffy. If you are using them to deploy printers/drive mappings, consider switching to Group Policy Preferences.  Let me know if you need any help with this.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39777602
There are simple facts you need to know:
Logon scripts run as users and are subject to UAC, while startup scripts run as SYSTEM and here UAC does not interfere. MSIs, when deployed to computer accounts by software deployment GPOs, are not interfered with by UAC at all.
Then: if starting programs brings up UAC, this can have several reasons:
- methods used require privileges not held without elevation
- program tries to write to its own folder (or to C:\, or to C:\Windows or some more)
- program tries to write to registry locations HKU/HKLM/HKCR
To mitigate this, you need to analyze what is going on; I recommend using Procmon for this.
0
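As an added example (not code from the thread), the following PowerShell script does a first triage of the causes McKnife lists before reaching for Procmon: it reads the requestedExecutionLevel from the EXE's embedded manifest and probes whether the launching user can write to the program folder. The path is an assumption, and the manifest lookup is a byte-scan heuristic rather than a resource-API call.

```powershell
# Added example, not from this thread: triage why a program launched by a standard
# user might trigger UAC. The default path is an assumption; run this as the test user.
param([string]$ExePath = '\\server\apps$\ApplicationName\Application.exe')

# Heuristic: the embedded manifest is stored as UTF-8 XML inside the PE, so a text
# search over the file bytes usually finds requestedExecutionLevel when one exists.
function Get-RequestedExecutionLevel {
    param([string]$Path)
    $text = [System.Text.Encoding]::UTF8.GetString([System.IO.File]::ReadAllBytes($Path))
    if ($text -match 'requestedExecutionLevel[^>]*?level\s*=\s*"([^"]+)"') { return $Matches[1] }
    return $null   # no manifest: Windows may fall back to installer-detection heuristics
}

# Probe whether the current user can write where the program lives. A program that
# writes next to its own EXE needs a shim or a relocated data folder, not elevation.
function Test-FolderWritable {
    param([string]$Folder)
    $probe = Join-Path $Folder ('uac-probe-' + [guid]::NewGuid().ToString() + '.tmp')
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch { return $false }
}

$level = Get-RequestedExecutionLevel -Path $ExePath
switch ($level) {
    'asInvoker'            { $verdict = 'manifest does not request elevation' }
    'highestAvailable'     { $verdict = 'prompts admins only; standard users run unelevated' }
    'requireAdministrator' { $verdict = 'always prompts; RunAsInvoker only helps if rights are not really needed' }
    default                { $verdict = 'no manifest found; installer detection (setup/install in the name) may apply' }
}

[pscustomobject]@{
    Executable     = $ExePath
    ManifestLevel  = $level
    Verdict        = $verdict
    FolderWritable = Test-FolderWritable -Folder (Split-Path $ExePath -Parent)
}
```

If the manifest says asInvoker and the folder is not writable, Procmon filtered on ACCESS DENIED results for the process is the next step.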
 

Author Comment

by:Dead_Eyes
ID: 39787959
Thanks for your help so far. I have installed the Application Compatibility Toolkit on my machine, set up a database, ran the application fix selecting RunAsInvoker and ran the command sdbinst \\servername\folder\savedfile.sdb. But still, when I go to a machine, log in as a test user and try to launch the application, I get stopped by a UAC prompt. Any idea where I am going wrong?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39787970
The Application Compatibility Toolkit does no magic. It can be used successfully with RunAsInvoker if the app does indeed NOT need these elevated privileges although it requests them.
In your case, it seems as though the app really needs them. Then we can only ask the manufacturer what privileges are needed (where does that app try to write to, what registry keys does it try to modify) or find out the same ourselves by means of monitoring (tool: Procmon).
0
 

Author Comment

by:Dead_Eyes
ID: 39788087
Damn... Out of curiosity, how do other machines on the domain know the application has been modified by the Application Compatibility Toolkit? Do you need to run the toolkit on the server where the application is installed (in my case it was running from a server share and the toolkit was on a management PC)?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39790998
The shim file that you produce with the toolkit is not applied to the application but has to be applied to each client's local compatibility database. So to deploy it, a script with the sdbinst command needs to run everywhere. I deployed one using an MSI wrapper that simply wrapped that script.
0
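As an added example (not McKnife's wrapper or any code from the thread), this PowerShell computer startup script installs the toolkit's .sdb on each client with sdbinst and skips machines that already have it. The share path, local copy location and database name are assumptions; the database name is whatever was typed into Compatibility Administrator when the database was created.

```powershell
# Added example, not from this thread: GPO computer startup script that installs an
# ACT shim database on each client. Startup scripts run as SYSTEM, so UAC is not
# involved; the computer account needs read access to the share. Paths and the
# database name are assumptions.
$SdbSource    = '\\servername\folder\savedfile.sdb'
$DatabaseName = 'Example Fixes'   # name given to the database in Compatibility Administrator
$LocalCopy    = Join-Path $env:ProgramData 'Shims\savedfile.sdb'

# sdbinst registers each installed database under InstalledSDB\{GUID}; the
# DatabaseDescription value carries the name from the toolkit, so match on that.
function Test-SdbInstalled {
    param([string]$Name)
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
    if (-not (Test-Path -Path $root)) { return $false }
    foreach ($key in Get-ChildItem -Path $root) {
        $desc = (Get-ItemProperty -Path $key.PSPath).DatabaseDescription
        if ($desc -eq $Name) { return $true }
    }
    return $false
}

if (Test-SdbInstalled -Name $DatabaseName) { exit 0 }   # idempotent: already installed

New-Item -ItemType Directory -Path (Split-Path $LocalCopy -Parent) -Force | Out-Null
Copy-Item -Path $SdbSource -Destination $LocalCopy -Force

# -q installs quietly; sdbinst copies the file into %WINDIR%\AppPatch\Custom itself,
# so the local copy only has to exist for the duration of the command.
$proc = Start-Process -FilePath "$env:SystemRoot\System32\sdbinst.exe" `
                      -ArgumentList '-q', "`"$LocalCopy`"" -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0 -or -not (Test-SdbInstalled -Name $DatabaseName)) {
    Write-Error "sdbinst failed for $LocalCopy (exit code $($proc.ExitCode))"
    exit 1
}
```

To roll out a newer version of the same database, uninstall the old one first with `sdbinst -q -n "<database name>"`, otherwise the registered copy stays in place.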
 

Author Comment

by:Dead_Eyes
ID: 39804810
Hi, sorry for the late replies (working on multiple sites atm). So does the Application Compatibility Toolkit need to be installed on each machine? I tested the app on the computer I installed the toolkit on as a limited user and it runs with no UAC prompt; however, when I tried on another machine (where I had simply run the sdbinst \\servername\folder\savedfile.sdb command) it prompted me. So I think the fix works, I just can't get it out to other machines.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39805816
> does the application compatibility toolkit need to be installed on each machine?
No. Works without. If it doesn't work on one machine, make sure you executed the command successfully as administrator and elevated (right-click cmd.exe and select "Run as administrator", then fire the command). Should work anywhere; please test it on more machines than one.
0
 

Author Comment

by:Dead_Eyes
ID: 39806195
I have some time on site on Monday, I will test then. Thanks for your help and patience.
0
 

Author Comment

by:Dead_Eyes
ID: 39811469
OK, very confusing results so far. I cannot get this program to run from the Windows 8 start screen; however, if I just place a shortcut in a common shared drive and ask users to run it from there, it works. No clue how that bypasses UAC, but it does and it works. I will run a couple more tests and reward points at the end of the day.
0
 
LVL 53

Accepted Solution

by:McKnife
McKnife earned 250 total points
ID: 39811729
Very interesting findings, never heard that before!
Could you name programs that behave like that? (company, product+version, name of the executable)
0
 

Author Comment

by:Dead_Eyes
ID: 39812151
It's a bit of educational freeware called blockCAD (latest version); we have it installed on a mapped drive called P:\ on our apps server. The shortcut on Metro and in common is listed as \\server\share$\folder\blockCAD.exe though. Screenshot attached.
ACT.jpg
0
