UAC - Standalone local user vs domain user

    Question

  • Hi,

    I have an application that during first launch runs a regedit /s command to import some registry keys into the user's (HKCU) registry.

    I have discovered if I run the application logged in as a local user (No admin privileges) with a machine that is not joined to the domain, I can launch the application. I can also launch regedit manually with no UAC prompt.

    However if I join the machine to the domain and log in as a domain user (No admin privileges) then the application fails to launch due to a UAC prompt at the regedit /s stage and also trying to open regedit also results in a UAC prompt. Using the standalone local user on a domain joined PC also causes the UAC prompt to appear for both the application and directly launching regedit.

    Is this by design - as in the joining of a PC to the domain changes how UAC works? As a test I have moved both the user and computer in AD to a test GPO which has no GPOs applied except the Default Domain policies, which have no UAC settings in them.

    Monday, February 03, 2014 3:05 PM

All replies

  • Local group policy takes precedence over domain.

    Group Policy processing and precedence

    http://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx

    Previously your UAC prompt was not there, maybe because you have disabled UAC? Or did you run it logged in under local admin/built-in admin?

    If UAC is not disabled/altered, the UAC prompt should appear for all users except the built-in administrator.

    http://windows.microsoft.com/en-us/windows/what-is-user-account-control#1TC=windows-7


    Hetti Arachchige V Aravinda | Network & System Administrator (B.Sc, Microsoft Small Business Specialist, MCP, MCTS, MCSA, MCSE,MCITP, CCNA, CEH, MBCS)

    Tuesday, February 04, 2014 5:54 AM
  • Hi,

    I have an application that during first launch runs a regedit /s command to import some registry keys into the user's (HKCU) registry.

    I have discovered if I run the application logged in as a local user (No admin privileges) with a machine that is not joined to the domain, I can launch the application. I can also launch regedit manually with no UAC prompt.

    Some applications can be installed without admin just because they are installed to the user profile, e.g. the Chrome browser.

    But I am not sure you can edit the registry without admin privilege. If it is doing so, it's a privilege escalation tool.


    Hetti Arachchige V Aravinda | Network & System Administrator (B.Sc, Microsoft Small Business Specialist, MCP, MCTS, MCSA, MCSE,MCITP, CCNA, CEH, MBCS)

    Tuesday, February 04, 2014 5:58 AM
  • Hi,

    What about your test's result?

    It can be caused by a GPO in the domain. I recommend you collect two Group Policy results via the GPResult command.

    gpresult /z >policy.txt

    One is for computer unjoined to the domain.

    Another is for computer joined to the domain.


    Andy Altmann
    TechNet Community Support

    Tuesday, February 04, 2014 10:13 AM
    Moderator
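
The before/after comparison suggested in the reply above can be scripted. The PowerShell below is an added example, not part of the thread: it saves the gpresult report together with the machine's UAC policy registry values, once per machine state, so the two captures can be diffed. The output file names and the function names Get-UacSnapshot and Compare-Snapshot are assumptions made for illustration.

```powershell
# Added example (not from the thread). Run once on the standalone machine and
# once after the domain join, in the same working directory.
$uacKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uacValues = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser',
             'PromptOnSecureDesktop', 'EnableInstallerDetection',
             'FilterAdministratorToken', 'EnableVirtualization'

# Hypothetical helper: one "name=value" line per UAC policy value,
# so a value that is absent in one state shows up in the diff.
function Get-UacSnapshot {
    $props = Get-ItemProperty -Path $uacKey
    foreach ($name in $uacValues) {
        $value = $props.$name
        if ($null -eq $value) { $value = '<not set>' }
        '{0}={1}' -f $name, $value
    }
}

# Hypothetical helper: lines present in only one of two capture files.
# '<=' means only in $Before, '=>' means only in $After.
function Compare-Snapshot {
    param([string]$Before, [string]$After)
    Compare-Object (Get-Content $Before) (Get-Content $After) |
        Select-Object SideIndicator, InputObject
}

# Tag the capture files by the machine's current state.
$joined = (Get-WmiObject Win32_ComputerSystem).PartOfDomain
$tag    = if ($joined) { 'domain' } else { 'standalone' }

Get-UacSnapshot | Set-Content ".\uac-$tag.txt"      # assumed file name
gpresult /z > ".\policy-$tag.txt"                   # assumed file name

# Once both states have been captured, diff each pair.
if ((Test-Path .\uac-standalone.txt) -and (Test-Path .\uac-domain.txt)) {
    Compare-Snapshot .\uac-standalone.txt .\uac-domain.txt
    Compare-Snapshot .\policy-standalone.txt .\policy-domain.txt
}
```

The gpresult diff will also list lines that differ only because of timestamps and the user or computer name; those can be ignored when looking for policy differences.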
  • Hi,

    Maybe I should explain a little more...

    UAC is not disabled.

    There are a few differences between the GPResult files but they are only the settings that have been set at the Default Domain Policy level which are nothing to do with UAC.

    Can somebody else simply confirm what I have already seen? Take a machine with a fresh install of Windows 7, log in as a standard user and launch regedit - no UAC prompt.

    Join the machine to a domain, log in as a domain user with standard privileges and launch regedit - UAC prompt?

    Tuesday, February 04, 2014 11:58 AM