Software UAC Install issue.
Here is my issue. I work for a large corporation. We set all users as standard users. At no point are they given admin rights, all admin functions are done by someone from IT when nessesary. This policy will not change. There is a specific piece of software that is used by many users here. Now, it takes admin rights to install it, that's fine. But, every 6 months, an update disk is realeased. This is a dvd that is passed out by hand to the users from thier manager. This disk doesn't actually install any programs, it just updates already existing data files. On windows XP, this wasn't a problem. It was just a patch, no admin rights needed. On Windows 7, well, UAC sees something named "setup.exe" and freaks out, demanding admin rights. This is a problem. I've tried using shims, didn't work, program still demanded admin rights right at the start. Scheduled tasks are not an option, it is a messy solution that is unacceptable in a corporate enviroment. We cannot redesign that application, as it is developed by a third party. We cannot ask them to redesign it, as that would both be absurd, and also very very very expensive. So, I want to know what Microsoft's official solution is, to allowing disc-based patch installs in a corporate enviroment in windows 7.
August 29th, 2011 7:39pm

Hello, On Windows 7, well, UAC sees something named "setup.exe" and freaks out, demanding admin rights. This is a problem. as it is an exe file, privileges elevation is required so that is perfectly normal: An admin account is required to install the patch. You can try repackaging the application using Install Shield or Symantec Wise and then deploy it as a software using AD group policies or a deployment solution like Symantec Altiris. <hr style="border-top-style: solid; border-right-style: none; border-bottom-style: none; border-left-style: none%
Free Windows Admin Tool Kit Click here and download it now
August 29th, 2011 8:38pm

The problem is that this software is provided to us as is. Repackaging it is not an option. The convienence is that the vender sends the patch disks directly to the user (to clarify, this software is meant for managing a parts inventory, and every 6 months a disk, custom tailored to our company's new product lines, and therefore new parts to inventory, is released). Under XP. This was no issue at all. The disk could run its install with standard user rights, and no issues would be encountered. Even if we could deploy it over the network, I'm not entirely sure that the license would allow us to.
August 29th, 2011 10:06pm

Then make the user a local admin and disable UAC if it is needed to install the patch. Once done, enable it again. I don't see another option. This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. Microsoft Student Partner 2010 / 2011 Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows 7, Configuring Microsoft Certified IT Professional: Enterprise Administrator Microsoft Certified IT Professional: Server Administrator
Free Windows Admin Tool Kit Click here and download it now
August 29th, 2011 10:12pm

And thats precisely the option we want to avoid. We may end up just opting to leave the systems running that program on XP. Or, we'll just install them door to door. Shall be very tedious. But suppose thats what happens when microsoft decides to leave out an obvious features (ability to have conditional admin privleges, or an exception list for UAC).
August 29th, 2011 11:22pm

Hi, Also, if the SCCM have already been deployed in your environment, you may deploy this patch via SCCM. Thanks for understanding.Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
August 31st, 2011 12:20pm

Hi, Also, if the SCCM have already been deployed in your environment, you may deploy this patch via SCCM. Thanks for understanding. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ” I'm aware of this software as a possible solution. The only issue I have is I cannot find even an extremely rough estimate for the pricing of such software in an extremely large enviroment (ex, if licensing is based on number of domain controllers, we have 11). The licensing guides for SCCM offer only a URL for exact pricing information, and this URL simply redirects back to the licensing guides. I can't even consider proposing such a solution without more information about it, which appears to be unavailable.
August 31st, 2011 6:40pm

Hi, Based on my experience, this is the easiest way to deploy this patch. If you do not have SCCM, please try the workaround in the link below. http://www.techrepublic.com/blog/window-on-windows/run-uac-restricted-programs-without-the-uac-prompt/730 Important Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
September 1st, 2011 8:46am

Hi, Based on my experience, this is the easiest way to deploy this patch. If you do not have SCCM, please try the workaround in the link below. http://www.techrepublic.com/blog/window-on-windows/run-uac-restricted-programs-without-the-uac-prompt/730 Important Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ” I have attempted this fix, it simply does not work. I cannot use SCCM because the patch is released on a disk, and has to be installed from said disk. Task scheduler does indeed allow an installer to be launched under a different username, but it launches it under a different session as well. The interactive installer does not show up on the active session, and is therefore of little use to the end user. An .msi file set up to automate it might fail if the vender chooses to change the installer prompts even slightly on the next patch, and also causes the user to have no idea when the installer finishes (its a very large patch, simply saying "oh just give it 15 minutes" doesn't cut it). I even attempted to set up task scheduler to run an instance of "psexec.exe" from Mark's bag of tricks (thus allowing me to hand-pick which session the interactive installer shows up in), but then task scheduler starts flipping out and suddenly, standard users get an "access denied" message when trying to run the task. What annoys me, is not the fact that UAC wants to lock down on software installs. Thats a good thing, I like that. What annoys me, is this install DID NOT require admin rights on XP. It is NOT a software install. The patch does two things. It updates a couple of data package files (yes, I tried changing the install location to somewhere with looser ACLs, it didn't work), and updates a reg entry or two to saying something like "CurrentVersion=090111". It is a mission-critical, low security patch.
September 6th, 2011 8:16pm

Ok. I've calmed down a bit. So, I looked into more material, and found a lovely bit that interests me very very very much. A little msdn bit titled "Installing a Package with Elevated Privleges for a Non-Admin" I am HIGHLY interested in this. I especially like the part in the "Using Windows Installer with UAC". It mentions that via group policy, applications can get labeled as "managed" in the HKLM hive. If they are marked as managed, and it has been assigned or published, a standard user can run it without prompting. It boggles my mind that no one has mentioned this. Rather does boggle it quite so. Now, I'm not entirely sure how it works per se, but it looks to me, with a bit of cleverness, the application can be marked as managed, and the users can install freely. If anyone has any info on this, it would be very very much appreciated.
Free Windows Admin Tool Kit Click here and download it now
September 6th, 2011 9:26pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics