Hello. I am in the process of adding windows 7 machines to a 2008 domain. I ran into a problem with my drives not mapping via a vbs logon script once I enabled UAC. I found a Microsoft article with a workaround here:
The workaround they suggest works, but right above the workaround is the ominous message:
"Important This workaround may make your system unsafe. Microsoft does not support this workaround. Use this workaround at your own risk."
Even after editing the registry and making this change, I am still being prompted by UAC anytime I try to install a program, change certain network settings, etc (in the GPO setting: computer configuration > windows settings > security settings > security options > User Account Control: Only elevate UIAaccess applications that are installed in secure locations - I changed the setting to disabled, so I get prompted often, which is how I want it).
What exactly does this registry edit do? How does it make Windows 7 less secure? What potential vulnerability does it create?
If this GPO is enabled
=> Applications executed from
- ..\Program Files\ (and subfolders)
- ..\Program Files (x86)\ (and subfolders, in 64-bit versions of Windows only)
can use UIAaccess function.
If this GPO is disabled.
=> applications executed anywhere can use the UIAaccess function
What is UIAaccess function?
This article covers some great information about the UIAaccess.
But try a GPO Preferences to map your drives this is a more easier and secure way.
IM me - TWiTTer: @DFTER
- Proposed as answer by Mr. Bungle Sunday, March 07, 2010 5:21 AM
Thanks, that is what I wanted to know. Unfortunately, GPO Preferences is only available in server editions of Windows and/or when you are working on a domain, right? I'm on Win7 Ultimate x64 and when I type gpme.msc I just get an error. According to this link I need to download a 400Mb installer to get this feature...
There is very little information/documentation regarding this setting (http://support.microsoft.com/kb/937624). But in this discussion (http://channel9.msdn.com/Shows/Going+Deep/UAC-What-How-Why#c633305694960000000) a Microsoft employee says this:
Technically, it opens a small loophole since non-elevated malware can now "pre-seed" a drive letter + mapping into the elevated context -- that should be low-risk unless you end up with something that's specifically tailored to your environment.