UAC and automatic elevation does not work.
Hi all, after browsing the forums for a problem like this I haven't found any answer yet.

My company is developing software that manages a distributed infrastructure and, as part of its core features, performs remote management of machines with the purpose of:

- remotely installing a daemon that allows us to perform the management operations.
- modifying the Windows firewall in order to allow the daemon to be reachable.

While trying to support Windows 7 as a platform we encountered several problems in performing such procedures (especially the first one) because of the UAC. In particular, our needs are the following:

- creating a folder: Program Files\Company\Product
- remotely copying our libraries to that location from a network (administrative) connection
- installing a service that starts the daemon on startup

As a requirement we ask to have a user with administrative rights on the machine on which we want to perform these tasks. Also, we are aware that network printer and file sharing are turned off by default.

The only solution that is working so far to handle this scenario is to activate file sharing and set the UAC settings to the notification level: Never notify. I think this is not a very good solution since it completely voids the purpose of the UAC.

After a little bit of searching I bumped into the "User Account Control Step by Step Guide" (http://technet.microsoft.com/en-us/library/cc709691.aspx), which explains how to set the UAC by means of the Local Security Policy editor, thus allowing finer control over the operations controlled by the UAC. In detail, I would like to be able to remotely perform these operations in a smooth way. Therefore I created a specific account belonging to the Administrators group and set up the UAC policies as follows:

1. Admin Approval Mode for the Built-in Administrator account: Enabled.
2. Allow UIAccess applications to prompt for elevation without using the secure desktop: Disabled.
3. Behavior elevation prompt for administrators in Admin Approval Mode: Elevate without prompting.
4. Behavior elevation for standard users: Prompt for credentials.
5. Detect application installations and prompt for elevation: Enabled.
6. Only elevate executables that are signed and validated: Disabled.
7. Only elevate UIAccess applications that are installed in secure locations.
8. Run all administrators in Admin Approval Mode: Enabled.
9. Switch to the secure desktop when prompting for elevation: Disabled.
10. Virtualize file and registry write failures to per-user locations: Enabled.

I reckon that the policies of interest to allow such behavior are 3 and 8, plus 1 if we use the local built-in administrator account. After setting 8 to enabled, we rebooted the remote machine. Even though, as a result of these settings, the level of the slider in the UAC settings has gone down to "Never notify", I still have problems, and more specifically I get a System.IOException "Access denied" for the path I want to modify or create.

Is there any other way to perform these tasks smoothly without turning off the UAC?

Thanks,
Christian
January 14th, 2011 1:58am

Admin Approval Mode for the Built-in Administrator account: Enabled. -> this can be set to its default value (Disabled). It only applies to the built-in Administrator account (which is disabled by default anyway...), not to members of the local "Administrators" group.

The settings you describe leave UAC enabled: normal users will still be prompted for credentials to elevate when required. Members of the "Administrators" group won't receive any prompts to elevate, and should elevate when required, if the application is configured correctly.

What value does the "requestedExecutionLevel" attribute of your application's manifest have? Try setting that to "requireAdministrator" or "HighestAvailable".

You can force elevation by doing this: http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx#BKMK_S2

Here's some more lecture: http://www.codeproject.com/KB/vista-security/MakingAppsUACAware.aspx

And you'll certainly find more information on the subject on the MSDN forums.
January 14th, 2011 3:20am
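A way to answer the manifest question raised in the reply above, as an added example that is not part of the original thread or the poster's code: it parses an application manifest and reports the level declared on `requestedExecutionLevel`. The sample manifest, the assembly name `Example.DaemonInstaller` and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Documented values of the level attribute, keyed case-insensitively.
LEVELS = {v.lower(): v for v in ("asInvoker", "highestAvailable", "requireAdministrator")}

# Constructed sample manifest; the assembly name is a placeholder.
SAMPLE_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="Example.DaemonInstaller" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def check_manifest(manifest_xml):
    """Return (level, requests_elevation, note) for a manifest string."""
    root = ET.fromstring(manifest_xml)
    # Match on the local name so asm.v2 and asm.v3 trustInfo both work.
    nodes = [e for e in root.iter() if _local(e.tag) == "requestedExecutionLevel"]
    if not nodes:
        # No declaration: the manifest never asks for elevation.
        return None, False, "no requestedExecutionLevel element"
    raw = nodes[0].get("level", "")
    level = LEVELS.get(raw.lower())
    if level is None:
        return raw, False, "unrecognised level value"
    note = "uiAccess=" + nodes[0].get("uiAccess", "false")
    # asInvoker keeps the caller's token; the other two ask for more.
    return level, level != "asInvoker", note


if __name__ == "__main__":
    print(check_manifest(SAMPLE_MANIFEST))
```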

This topic is archived. No further replies will be accepted.
