Run as Administrator - blocked by Group Policy

  • Question

  • Hi,

    In a domain environment we have configured our workstations so that limited user accounts are not bothered with UAC prompts. UAC is required, since otherwise the ActiveX Installer service does not seem to work for allowed corporate websites.

    Settings in that policy are as follows:

    User Account Control: Admin Approval Mode for the Built-in Administrator account: Disabled
    User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop: Enabled
    User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode: Elevate without prompting
    User Account Control: Behavior of the elevation prompt for standard users: Automatically deny elevation requests
    User Account Control: Detect application installations and prompt for elevation: Enabled
    User Account Control: Only elevate executables that are signed and validated: Disabled
    User Account Control: Only elevate UIAccess applications that are installed in secure locations: Disabled
    User Account Control: Run all administrators in Admin Approval Mode: Enabled
    User Account Control: Switch to the secure desktop when prompting for elevation: Disabled
    User Account Control: Virtualize file and registry write failures to per-user locations: Enabled

    The UAC bar is pulled down to the bottom. Not very nice or secure, but still better than granting each user Administrator permissions on his machine. Since I have no power to select which applications have to be installed for corporate use, this is the best compromise I can reach with management.

    But there are a few very annoying issues with this configuration:

    Programs like regedit or Event Viewer do not open: "This program is blocked by Group Policy". Why should these call for administrator permissions on execution? (With PowerShell, or by invoking runas from an initial cmd prompt, I can read all the items, but this is far from convenient for quick troubleshooting.)

    Right click any application and select "Run as Administrator" - "This program is blocked by Group Policy."

    So is there a way to block automated elevation prompts for standard users, but keep elevation prompts intact for manual interaction?

    Thanks and best greetings from Germany
    Olaf



    Tuesday, January 24, 2012 12:35 PM
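The ten policy names quoted in the question map onto DWORD values under one registry key. The script below is an added example, not code from the thread: it reads those values, translates them back into the policy wording, and flags the settings that produce the behaviour Olaf describes (standard-user elevation denied, administrators elevating silently, no secure desktop). The value-name and number mappings are the documented ones; the `Note` texts are my own risk wording.

```powershell
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Value name under $uacKey -> policy text as shown in the Group Policy editor.
$policies = [ordered]@{
    FilterAdministratorToken    = 'Admin Approval Mode for the Built-in Administrator account'
    EnableUIADesktopToggle      = 'Allow UIAccess applications to prompt without the secure desktop'
    ConsentPromptBehaviorAdmin  = 'Behavior of the elevation prompt for administrators'
    ConsentPromptBehaviorUser   = 'Behavior of the elevation prompt for standard users'
    EnableInstallerDetection    = 'Detect application installations and prompt for elevation'
    ValidateAdminCodeSignatures = 'Only elevate executables that are signed and validated'
    EnableSecureUIAPaths        = 'Only elevate UIAccess applications installed in secure locations'
    EnableLUA                   = 'Run all administrators in Admin Approval Mode'
    PromptOnSecureDesktop       = 'Switch to the secure desktop when prompting for elevation'
    EnableVirtualization        = 'Virtualize file and registry write failures to per-user locations'
}
# Meanings of the two multi-valued settings (0 is what this thread's policy uses for both).
$adminPrompt = @{ 0 = 'Elevate without prompting'; 1 = 'Prompt for credentials on the secure desktop'
                  2 = 'Prompt for consent on the secure desktop'; 3 = 'Prompt for credentials'
                  4 = 'Prompt for consent'; 5 = 'Prompt for consent for non-Windows binaries' }
$userPrompt  = @{ 0 = 'Automatically deny elevation requests'
                  1 = 'Prompt for credentials on the secure desktop'; 3 = 'Prompt for credentials' }

function Get-UacPosture {
    $props = Get-ItemProperty -Path $uacKey
    foreach ($name in $policies.Keys) {
        $raw   = $props.PSObject.Properties[$name]
        $value = if ($raw) { [int]$raw.Value } else { $null }   # $null: not set, OS default applies
        if ($null -eq $value)                           { $meaning = 'not set' }
        elseif ($name -eq 'ConsentPromptBehaviorAdmin') { $meaning = $adminPrompt[$value] }
        elseif ($name -eq 'ConsentPromptBehaviorUser')  { $meaning = $userPrompt[$value] }
        elseif ($value -eq 1)                           { $meaning = 'Enabled' }
        else                                            { $meaning = 'Disabled' }
        # Risk notes for the settings that matter in this thread (switch yields $null otherwise).
        $note = switch ($name) {
            'ConsentPromptBehaviorUser'  { if ($value -eq 0) { 'Run as Administrator is refused for every standard user' } }
            'ConsentPromptBehaviorAdmin' { if ($value -eq 0) { 'anything running as a local admin elevates without a prompt' } }
            'PromptOnSecureDesktop'      { if ($value -eq 0) { 'prompts appear on the normal desktop, visible to other windows' } }
        }
        [pscustomobject]@{ Setting = $policies[$name]; Value = $value; Meaning = $meaning; Note = "$note" }
    }
}

Get-UacPosture | Format-Table -AutoSize -Wrap
```

Run it on a workstation that received the policy to confirm that ConsentPromptBehaviorUser is 0; that single value, not the program being "blocked", is what produces the "This program is blocked by Group Policy" message.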

Answers

  • Hi,

    As far as I know, if you select "Automatically deny elevation requests" for standard users, they cannot run any program which requires elevation, even with the "Run as administrator" option.

    Meanwhile, Event Viewer and Regedit are located on the system drive, which is protected by UAC by default. Standard users cannot even move or copy files to the system drive.

    I am sorry, there is no method to achieve your requirement to customize the behavior of the elevation prompt for standard users. Thanks for your understanding.

    Niki

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Niki Han

    TechNet Community Support

    Wednesday, January 25, 2012 10:07 AM
    Moderator
  • At least I figured out that for known programs a registry key can be set, either by Group Policy Preferences or with a .reg file looking as follows:

    Windows Registry Editor Version 5.00
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
    "C:\\Windows\\System32\\regedt32.exe"="RunAsInvoker"
    "C:\\Windows\\System32\\eventvwr.exe"="RunAsInvoker"
    "C:\\Windows\\System32\\mmc.exe"="RunAsInvoker"
    "C:\\Windows\\System32\\CompMgmtLauncher.exe"="RunAsInvoker"
    "C:\\Windows\\regedit.exe"="RunAsInvoker"
    

    This would allow end users to run Registry Editor, Computer Management (right-click Computer / Manage) and various management consoles.

    Too bad that there is no selection possible to fine-tune a difference between suppressing automated UAC prompts and allowing a UAC prompt when explicitly selecting Run As Administrator.

    Best greetings from Germany
    Olaf

    Friday, January 27, 2012 7:13 AM
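The .reg file above sets the RunAsInvoker compatibility layer per program. The script below is an added example, not Olaf's file or Microsoft code: it writes the same entries with PowerShell, but merges RunAsInvoker into any layer flags already present for that program (the value is a space-separated flag list, which newer Windows builds prefix with "~") instead of overwriting them, and then lists what is configured. It assumes the current user's HKCU hive and the Windows directory in `$env:SystemRoot`.

```powershell
$layersKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'

function Set-RunAsInvoker {
    param([Parameter(Mandatory = $true)][string]$Program, [string]$Key = $layersKey)
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # Existing flags for this program, e.g. "~ HIGHDPIAWARE"; the "~" marker is dropped,
    # which leaves the legacy form of the value that Windows still accepts.
    $current = (Get-ItemProperty -Path $Key -Name $Program -ErrorAction SilentlyContinue).$Program
    $flags = @()
    if ($current) { $flags = @($current -split '\s+' | Where-Object { $_ -and $_ -ne '~' }) }
    # RunAsInvoker conflicts with the elevation-requesting layers, so those are removed.
    $flags = @($flags | Where-Object { 'RUNASADMIN', 'RUNASHIGHEST', 'RUNASINVOKER' -notcontains $_ })
    $flags += 'RunAsInvoker'
    $newValue = $flags -join ' '
    Set-ItemProperty -Path $Key -Name $Program -Value $newValue -Type String
    return $newValue
}

function Get-CompatLayers {
    param([string]$Key = $layersKey)
    if (-not (Test-Path -Path $Key)) { return }
    $item = Get-ItemProperty -Path $Key
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PSPath, PSParentPath, ... provider metadata
        [pscustomobject]@{ Program = $p.Name; Layers = $p.Value }
    }
}

# The programs from the .reg file above, resolved against the real Windows directory.
$programs = 'System32\regedt32.exe', 'System32\eventvwr.exe', 'System32\mmc.exe',
            'System32\CompMgmtLauncher.exe', 'regedit.exe' |
            ForEach-Object { Join-Path $env:SystemRoot $_ }
foreach ($exe in $programs) { Set-RunAsInvoker -Program $exe | Out-Null }
Get-CompatLayers | Format-Table -AutoSize
```

RunAsInvoker only suppresses the elevation request: the console starts with the user's unelevated token and shows what a standard user may read, nothing more. The same key under HKLM, deployed with Group Policy Preferences, applies the layer to every user of the machine.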

All replies

  • Hi,

    At this time, if you don't have further questions, we will mark the post as "Answered", as the previous information is helpful for many similar scenarios.

    BTW, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.

    Niki

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Niki Han

    TechNet Community Support

    Monday, January 30, 2012 1:55 AM
    Moderator