none
UAC allows users to install software without admin rights? RRS feed

  • Question

  • Hi Everyone,

    It has come to our attention that our users can in fact install software without an admin account or an admin present. This is done simply by then doing the following:

    The user downloads the app / package.

    User runs install.

    User is presented with UAC.

    User puts their own username and password in presses enter and the software carrys on.

    Surely, UAC should not allow the user to proceed to install software? UAC is all enabled via Group Policy and everything is defined as it should be.

    Not sure why UAC is failing like this? Any suggestions would be greatly appreciated.

    **Just found**
    When a user right clicks on a program and selects "Run as Administrator". Uses their own details it runs happily. Almost as if domain users have admin rights?

    Monday, February 15, 2016 2:52 PM

Answers

  • Hi everyone,

    We appear to have solved our issue. We were focussing our tests on two browsers. Opera and Google Chrome which a lot of our users favour over IE or Firefox. When installing Chrome straight from the official website. It does not install to the traditional Program Files Directories as you'd expect. Instead it downloads and installs to the AppData directory which does not require elevated rights. The users can install anything they want within this area using their own credentials when presented with UAC.

    Downloading the offline install will install Chrome to the traditional install locations. As for Opera that browser does not invoke UAC when being installed. No sure why but clearly installs somewhere that does not require any rights at all. There is also an offline install which may be worth using when installing on machines.


    Saturday, February 20, 2016 1:36 PM

All replies

  • It sounds like your users may somehow be getting local admin rights. Make sure users are not listed as local admins or the account domain users is not in the local administrators group. If they are, I don't think UAC will not stop them from installing, it just prompts them.

    Here is a UAC best practice guide for Windows 7. It should be similar for other OS versions as well. I hope it helps.

    https://technet.microsoft.com/en-us/library/ee679793(v=ws.10).aspx


    Please remember to select Mark as Answer if someone provides the answer or mark as helpful if the response helps to lead you in the right direction.



    Monday, February 15, 2016 3:13 PM
  • Hi LhkingVT,

    I've just checked one of the users machines. The only group in the administrators group is DomainAdmins. Domain users only appear in the users group as should be expected.

    This has got myself and our network manager really confused. 

    Monday, February 15, 2016 3:38 PM
  • Hi ASM2792,

    Did the issue occur with all the machines, specific machines, all the users or all the users?

    Please open a command line and run "gpresult /r /v" to check the security settings of the account.
     
    As an alternative choice, we could use the "AccessCHK" tool to check all rights assigned to the user.
    For example: "Accesschk -a "admin" *"
    AccessChk v6.01
    https://technet.microsoft.com/en-us/sysinternals/accesschk.aspx

    Best regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.


    Wednesday, February 17, 2016 6:12 AM
    Moderator
  • Hi everyone,

    We appear to have solved our issue. We were focussing our tests on two browsers. Opera and Google Chrome which a lot of our users favour over IE or Firefox. When installing Chrome straight from the official website. It does not install to the traditional Program Files Directories as you'd expect. Instead it downloads and installs to the AppData directory which does not require elevated rights. The users can install anything they want within this area using their own credentials when presented with UAC.

    Downloading the offline install will install Chrome to the traditional install locations. As for Opera that browser does not invoke UAC when being installed. No sure why but clearly installs somewhere that does not require any rights at all. There is also an offline install which may be worth using when installing on machines.


    Saturday, February 20, 2016 1:36 PM
  • Yes, this is normal behavior by several applications. Spotify is another one. When you first described the "problem" you didn't specify which apps were getting installed.

    This is why I have implemented Software Restriction Policies with whitelisting. If they can install Chrome, they can install a virus.


    VR// Brian Mc

    Monday, February 22, 2016 4:43 PM