UAC elevated prompt not appearing - on one computer only
Help, I have one computer a new Windows 7 sp1 enterprise install that is not displaying UAC elevated prompt. All the other computers on my network prompts standard and admin users for elevated credentials when running a program marked as elevated
only or when selecting the runas administrator option. This is how I install programs within my network. For some reason on this computer both when logged in as a domain admin or when logged in as a standard user, the elevated prompt does not come
up. If I select a program and choose run as administrator, the program tries to run and then fails due to lack of permission. This is true regardless of who I am logged in as. What could be causing this. And how do I fix it.
I am ready to start over and re-install, but I want to be sure I don't come full circle and end up with this issue again.
Please advise (it is very frustrating)
Note: I have checked and it does not look like any unique GP are applied to the users or computer.Fred Zilz
April 17th, 2012 8:22pm
Make sure computer is not in the default "Computers" container. If it is move it to appropriate OU.
Free Windows Admin Tool Kit Click here and download it now
April 18th, 2012 12:55am
The computer is not in the default Computers OU, but I am curious as to why you mention this. What about the default OU might impact what I am seeing for this computer. Fred Zilz
April 18th, 2012 1:29am
This line is what made me anwser with that direction.
Note: I have checked and it does not look like any unique GP are applied to the users or computer.
The default "Computers" is a conatiner not an OU.
If you are using GPOs to manage your computers, they can not be in the "Computers" container. While the computer is in this location no GPO will be able to apply to it. GPOs can not be linked to "Computers" container.
So if you are using GPOs to set UAC behaviour then while the computer is in "Computers" conatiner you will not be able to set it via GPO. However you should be able to set it manually.
Free Windows Admin Tool Kit Click here and download it now
April 18th, 2012 1:48am
Hi,
Have you confirmed UAC function is enabled on the computer? If so, please check the related registry.
You can refer to: UAC Group Policy Settings and Registry Key Settings
http://technet.microsoft.com/en-us/library/dd835564(v=ws.10).aspx
Meanwhile, to avoid any third party software confliction, please perform
clean boot to check the result.
Niki
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback
here Niki Han
TechNet Community Support
April 18th, 2012 4:06am
Brano - I understand your logic now, Thank you. And yes the computer is in an OU and not in the default computers container.
Niki - I will confirm status of UAC and Registry settings and report back. It is so strange. I install Win7 on similar harware on a regular basis. I can not figur out what is different. The only thing new on my network is SCCM 2012
(used SCCM 2007 up until last week). I guess it is possible, that I have some policy from System Center being applied, but I have not seen this behavior on any of the other computers that have the SCCM 2012 client and endpoing protection installed.Fred Zilz
Free Windows Admin Tool Kit Click here and download it now
April 18th, 2012 12:23pm
Check this link out, you can even grab the settings from working machine export and then import on none working machine.
http://technet.microsoft.com/en-us/library/dd835564(v=ws.10).aspx
Registry key settings
The registry keys are found in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. For information about each of the registry keys, see the associated Group Policy description.
Registry Key
Group Policy setting
Registry settings
FilterAdministratorToken
User Account Control: Admin Approval Mode for the built-in Administrator account
0 (Default) = Disabled
1 = Enabled
EnableUIADesktopToggle
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
0 (Default) = Disabled
1 = Enabled
ConsentPromptBehaviorAdmin
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
0 = Elevate without prompting
1 = Prompt for credentials on the secure desktop
2 = Prompt for consent on the secure desktop
3 = Prompt for credentials
4 = Prompt for consent
5 (Default) = Prompt for consent for non-Windows binaries
ConsentPromptBehaviorUser
User Account Control: Behavior of the elevation prompt for standard users
0 = Automatically deny elevation requests
1 = Prompt for credentials on the secure desktop
3 (Default) = Prompt for credentials on the secure desktop
EnableInstallerDetection
User Account Control: Detect application installations and prompt for elevation
1 = Enabled (default for home)
0 = Disabled (default for enterprise)
ValidateAdminCodeSignatures
User Account Control: Only elevate executables that are signed and validated
0 (Default) = Disabled
1 = Enabled
EnableSecureUIAPaths
User Account Control: Only elevate UIAccess applications that are installed in secure locations
0 = Disabled
1 (Default) = Enabled
EnableLUA
User Account Control: Run all administrators in Admin Approval Mode
0 = Disabled
1 (Default) = Enabled
PromptOnSecureDesktop
User Account Control: Switch to the secure desktop when prompting for elevation
0 = Disabled
1 (Default) = Enabled
EnableVirtualization
User Account Control: Virtualize file and registry write failures to per-user locations
0 = Disabled
1 (Default) = Enabled
April 18th, 2012 12:46pm
It turns out that the UAC was set to do not prompt - OFF. I am not sure how it was set to that. In fact a checked my next client install and it has it set at the default settings which is turned on. Very strange.
Thank you for pointing me in the right direction on this. I was looking through GPreusults and looking for how securedesktop or the prompt for credentials could be blocked and not look at the obvious - is UAC on.
Fred Zilz
Free Windows Admin Tool Kit Click here and download it now
April 18th, 2012 2:03pm