none
gpo to enable uac but avoid admin prompt for std. users

    Question

  • Hi 

    I need your help .. 

    all our users are std non admin users.

    we've been 'running' with UAS disabled but now.. with outlook 2013 and some mandatory apps we need in outlook we need UAC enabled (or no apps work).

    but..  by enabling uac many users started getting credential prompt for admin user/pass. 

    I've tried testing the different gpo settings for levels 1-4 to try and find the correct settings but to no avail...

    If I manage to change the gpo so the outlook apps work.. we start gettings credential prompts and vice versa.. if the prompts 'go away' our apps crash.

    Apparently uac MUST be enabled to make outlook (all office?) apps work...

    I've worked both angles..

    1. finding a gpo that enables uac but doesn't prompt std. users for elevation

    2. fixing the outlook apps somehow so they work with uac off..

    nothing gives me the result I am looking for..

    so please og please.. someone push me in the right direction...


    Kindest regards, Martin

    Thursday, March 05, 2015 12:57 PM

Answers

  • > maybe I misunderstand but "silent Deny" sounds like it will deny std.
    > users trying to run an application from the network ?
     
    It will silently deny the UAC prompt without notification to the user.
    IF the user is NOT an administrator and the application manifest has
    requiredprivileges=administrator, this means the application will NOT
    work. If the manifest is requiredprivileges=asinvoker or
    =highestavailable, it will work.
     
    So I'm unsure what your exact requirement is - enable UAC and
    automatically elevate? That's impossible...
     
    > and... which gpo settings do I need to do the "silent deny" you
    > mention...IF it means the opposite of what I think?
     
    Computer config - Policies - Windows Settings - Security Settings -
    Local Policies - Security options: The 10th setting in the list (in
    Server 2008R2).
     

    Martin

    Mal ein GUTES Buch über GPOs lesen?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Thursday, March 05, 2015 2:26 PM

All replies

  • > 1. finding a gpo that enables uac but doesn't prompt std. users for
    > elevation
     
    Configure for "silent deny".
     

    Martin

    Mal ein GUTES Buch über GPOs lesen?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Thursday, March 05, 2015 1:23 PM
  • hi

    maybe I misunderstand but "silent Deny" sounds like it will deny std. users trying to run an application from the network ? 

    and... which gpo settings do I need to do the "silent deny" you mention...IF it means the opposite of what I think?


    Kindest regards, Martin

    Thursday, March 05, 2015 2:19 PM
  • > maybe I misunderstand but "silent Deny" sounds like it will deny std.
    > users trying to run an application from the network ?
     
    It will silently deny the UAC prompt without notification to the user.
    IF the user is NOT an administrator and the application manifest has
    requiredprivileges=administrator, this means the application will NOT
    work. If the manifest is requiredprivileges=asinvoker or
    =highestavailable, it will work.
     
    So I'm unsure what your exact requirement is - enable UAC and
    automatically elevate? That's impossible...
     
    > and... which gpo settings do I need to do the "silent deny" you
    > mention...IF it means the opposite of what I think?
     
    Computer config - Policies - Windows Settings - Security Settings -
    Local Policies - Security options: The 10th setting in the list (in
    Server 2008R2).
     

    Martin

    Mal ein GUTES Buch über GPOs lesen?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Thursday, March 05, 2015 2:26 PM