ajdratch
asked on
UAC Prompt when UAC is turned off
I have a Windows 2008 R2 Terminal Server. We have a new program that prompts users for administrator credentials every time they open it. "do you want to allow the following program from an unknown publisher"
I turned UAC off and rebooted and this prompt still comes up. Obviously I don't want to give them an administrator password.
The software was written by a large company so I am not sure why they are unknown.
I need to find a way to stop users from being prompted
I turned UAC off and rebooted and this prompt still comes up. Obviously I don't want to give them an administrator password.
The software was written by a large company so I am not sure why they are unknown.
I need to find a way to stop users from being prompted
ASKER
There has to be a way to stop that prompt. I can't call up the company and ask for a certificate. Microsoft has to have provided a better solution than for me to give administrator passwords to all users or make them all administrators on the terminal server
I'm sorry? But why cant you call up the company and ask for the cert?
They'll have one specifically for that app.
Against better judgement (Because it affects all files with these extensions listed) - create a new GPO applied to users OU:
User Configuration / Administrative Templates / Windows Components / Attachment Manager
2. On the right pane, double click Inclusion list for low file types.
3. Click Enable.
4. Include the file types such as .exe;.bat;.reg;.vbs in the Options box.
5. Click OK.
They'll have one specifically for that app.
Against better judgement (Because it affects all files with these extensions listed) - create a new GPO applied to users OU:
User Configuration / Administrative Templates / Windows Components / Attachment Manager
2. On the right pane, double click Inclusion list for low file types.
3. Click Enable.
4. Include the file types such as .exe;.bat;.reg;.vbs in the Options box.
5. Click OK.
Alternatively I found these options as well...
To fix the problem first change the group policy on the server then add the mapped drives into the security zone.
Change Group Policy
Run gpedit.msc on the terminal server
Locate the setting Computer Configuration, Administrative Templates, Internet Explorer, Security Zones: Use only machine settings, and set the option to “Enabled”
Note – this will make the IE zone settings the same for all users on the computer
Add UNC paths to Security Zone
Log in as an administrator on the terminal server
Click Start → Run → and type inetcpl.cpl
On the Security tab highlight Local intranet and click Sites
Make sure the Automatically detect intranet network is unchecked
Make sure Include all network paths (UNCs) is checked
Click Advanced
In the Add this website to the zone box, one at a time type every letter from f: through z: and click add. If the drive is mapped it will add in a UNC in the pattern file://VOLUME_NAME
When you are done close out and save your changes.
To fix the problem first change the group policy on the server then add the mapped drives into the security zone.
Change Group Policy
Run gpedit.msc on the terminal server
Locate the setting Computer Configuration, Administrative Templates, Internet Explorer, Security Zones: Use only machine settings, and set the option to “Enabled”
Note – this will make the IE zone settings the same for all users on the computer
Add UNC paths to Security Zone
Log in as an administrator on the terminal server
Click Start → Run → and type inetcpl.cpl
On the Security tab highlight Local intranet and click Sites
Make sure the Automatically detect intranet network is unchecked
Make sure Include all network paths (UNCs) is checked
Click Advanced
In the Add this website to the zone box, one at a time type every letter from f: through z: and click add. If the drive is mapped it will add in a UNC in the pattern file://VOLUME_NAME
When you are done close out and save your changes.
ASKER
I tried inclusion list for low file types but I still get a prompt. This would be a bad solution even if it worked because I allowing all exe files to execute.
I had seen the internet explorer solution but this is a local program. It is in c:\program files\...
The company is lexis nexus and I would have no way of getting through to anyone that could help unless I spent days on the phone
I had seen the internet explorer solution but this is a local program. It is in c:\program files\...
The company is lexis nexus and I would have no way of getting through to anyone that could help unless I spent days on the phone
ASKER
also meant to add that the shortcut has the shield on the bottom right that makes it look like UAC is on.
Oh Wait, I am being Daft here...
Right click the executable, go to "Digital Signatures", select the certificate and click "Details", then select "View Certificate".
When you have the Cert open click "install Certificate" and import it to the Local Machine > Trusted Publishers store.
Right click the executable, go to "Digital Signatures", select the certificate and click "Details", then select "View Certificate".
When you have the Cert open click "install Certificate" and import it to the Local Machine > Trusted Publishers store.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
That fixed it. The EXE did not have an option for digital signature. I hate that I have to turn UAC off on a terminal server but since the other option MS gave me is to give everyone the administrator password, I have no choice
Turning UAC off won't stop the system from warning about untrusted software.