How Administering ActiveX add-on for Trusted Web Site with UAC On
Hello, my client deploy Windows 7 in a worldwide Environment, and he want secure the new workstation. To do that we have activated and configuring these Features: Windows Firewall UAC Deny User to be PC’ local administrator And now we want managing the installation of active X from public Web site would be trusted by the company. To do that, I’m use the how to “Administering the ActiveX Installer Service in Windows 7 ” from technet, http://technet.microsoft.com/en-us/library/dd631688%28WS.10%29.aspx In 1 GPO I have configured, the policy “Configuring the ActiveX installation policy for the Trusted sites zone ” with the following controls : - ActiveX controls signed by a trusted publisher : Silently Install Signed ActiveX controls : Silently Install Unsigned ActiveX controls: Prompt the User. And permit (for test) Unknown CA, Invalid CN or Expired or Wrong Certificate Usage Then, I have enabled the Security Zones: Use only machine setting with the Site to Zone Assignment List where I set my public web site that I trust to be recorded inside the trusted sites zone in IE. From One Laptop I’m open session with standard user credential, check IE Setting and configure the security level for the Trusted Zone to Low. Then, I’m trying to connect to my web site to check the ActiveX auto Install process, and I get UAC pop-up , “IE Add-on Installer ” with clsid {BDB57FF2-79B9-4205-9447-F5FE85F37312} who want admin credentials. I’m trying the Approved Installation Sites for ActiveX Controls policy too, but I get the same behavior . For example, I’m trying with adobe.com web site, where the certificate is valid and signed. I don’t find how to allow the silently auto install of the active X for standard User , so someone can help him to get the good procedure or a workaround. Thank You Spice
March 8th, 2010 1:52pm

Hi, If you would like to install ActiveX Control for Standard user, you should login on the machine with administrator privilege and make sure the following settings are correct. 1. The "Approved Installation Sites for ActiveX Controls" policy and "Configuring the ActiveX installation policy for the Trusted sites zone" policy are enabled. 2. Add the trusted websites to "Trusted sites" in Internet Options. 3. Add the trusted websites and assign the value "2" to "Approved Installation Sites for ActiveX Controls" policy. Then, please login on the machine with Standard user to check the result. Thanks, Novak
Free Windows Admin Tool Kit Click here and download it now
March 10th, 2010 11:19am

Hi Novak, I get the same behavior : "Windows Hardware Driver Verification" Pop-up appears with with clsid {BDB57FF2-79B9-4205-9447-F5FE85F37312} and request Adminitrator privilege credentials.I checked the policy with the rsop.msc command and validate all items of your "how to"Any other idea ?I'm trying with the Adobe Flash player Add-on.May be, because it's a program, i need administrator credentials to install it on the OS from a standard user session ?Thank You for your helpSpice
March 10th, 2010 4:12pm

Hi, When does the "Windows Hardware Driver Verification" Pop-up occur? Does it occur when accessing a website or certain application? At this stage, I suggest you try to install Adobe Flash Player when login on the system with Standard user for a test. If the issue persists, please help to collect the screenshot and upload it for research. Thanks, Novak
Free Windows Admin Tool Kit Click here and download it now
March 11th, 2010 5:10am

Hi Novak, sorry for the delay but i was out of office during the last 2 week. The pop-up occur, the first time on access to the web site, and active X need is need. You can see a screenshot here : http://cid-dba4ff65d9dfb0ed.skydrive.live.com/self.aspx/.Public/ActiveX/IMAG0326.jpg May be, activeX headers not contains argument to instruct that the add-on must be installed on users mode ? Thanks. Spice
March 23rd, 2010 12:18pm

Hello, Do you have some news for him ? Thank You
Free Windows Admin Tool Kit Click here and download it now
March 29th, 2010 11:33am

I see exactly the same behavior - all settings done on the OU level for the Windows 7 computers. Logging in as limited user brings up the mentioned dialog field prompting for Administrator permissions (also for various ActiveX controls from software distributed already via AD Group policy - i.e. Java 6.17), if UAC is enabled. But my own problem here goes deeper - we are required to disable all UAC prompts. Does this mean, ActiveX Installer Service does not work as well? At least this seems to be the behavior seen here, although I nerver could find this documented. So I currently see either dozens of useless prompts or the corporate application not working for limited users without Admin interception. Best greetings from Germany Olaf
May 27th, 2010 1:20pm

I get the same thing too. I have added my sites to Approved Installation Sites for ActiveX Controls, when logged in as a standard user and go to the site where the activeX controls should install without notification I get the UAC prompt. Is there any way around it? Anyone found a solution? RSOP confirms that the policy is applying correctly. Edit: some more info http://imageshack.us/photo/my-images/703/errorvq.png/ This is a screenshot confirming the RSOP and in the event viewer that the site is being rejected with a 4097 error saying the site is not listed in the policy...which it is, hence the UAC prompt. This one has be stumped. Have checked the policy for any typos or spaces, it all looks correct. Not sure why it is not recognizing it. ok.. My answer: Got it working, should have read a little bit more. The value I had originally listed for the site as incorrect 2,2,2,2 The third value can only be 1 or 0, the fourth value I believe the same. I changed it to 2,2,1,0 and it all works ok. Russo
Free Windows Admin Tool Kit Click here and download it now
June 30th, 2011 5:36am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics