Windows 7/ UAC / Active Setup
My company is getting ready to make the transition from Windows XP (primarily x86) to Windows 7 x64. I've done some experiments with packaging and deploying via SCCM, and one thing I've discovered is that UAC prompts for credentials when I attempt an Active Setup solution--for example, getting registry values into HKCU.
I'm trying to get a sense of the best way to handle this, and based on what I've read in the forums here, it sounds like the best approach, at least for a corporate environment where we have desktops locked down and admin rights given to a select group, is to either completely turn off UAC, or limit its functionality with Group Policy. Does that sound right, or would there be a better approach?
I'm trying to get a sense of the best way to handle this, and based on what I've read in the forums here, it sounds like the best approach, at least for a corporate environment where we have desktops locked down and admin rights given to a select group, is to either completely turn off UAC, or limit its functionality with Group Policy. Does that sound right, or would there be a better approach?
0 Comments
[ + ] Show comments
Answers (8)
Please log in to answer
Posted by:
Aivars_s
12 years ago
If you use InstallShield you can set "Require Administrative Privileges" to "NO" (it's in Summary Information Stream section) for MSI's so it will allow limited user repairs and active setups. Users will still not be able to uninstall, change files or proceed with any sort of bold moves.
Posted by:
Twyan
12 years ago
Naturally, every environment is different. However given your scenario is very similar to what we have almost completed here, we opted for limiting UAC functionality with Group Policy rather than completely turning it off.
Posted by:
jmaclaurin
12 years ago
With users limited to User level, a properly secured network, firewall, antivirus solution, trained and knowledgeable support staff, etc... you don't need UAC. It does nothing for OS security but blameshift from Microsoft's failure to properly fix the OS. If UAC were an actual fix, then why give the option to disable it?
Having said that, you should try to limit your Active Setups to write only to areas in the user's profiles and locations that they can write to without issue. It sounds like that is what you are attempting, but user's should have the ability to write to HKCU natively. If you are having issue, I would suggest you test your install on a base Win7 install straight from the CD,workgrouped, un-networked, no antivirus, no patches, no apps, etc and work from there.
Having said that, you should try to limit your Active Setups to write only to areas in the user's profiles and locations that they can write to without issue. It sounds like that is what you are attempting, but user's should have the ability to write to HKCU natively. If you are having issue, I would suggest you test your install on a base Win7 install straight from the CD,workgrouped, un-networked, no antivirus, no patches, no apps, etc and work from there.
Posted by:
Matias M Andersen
12 years ago
Indeed that sounds odd. Are you sure Active Setup has been implemented correctly?
As for controlling UAC, I would suggest you take a peek at "Microsoft Application Compatibility Toolkit". With this tool in hand you can decide what installers/applications should be allowed to bypass UAC in your environment. And btw, UAC is only a nagging pain in the butt if you have no idea of how to control it.
As for controlling UAC, I would suggest you take a peek at "Microsoft Application Compatibility Toolkit". With this tool in hand you can decide what installers/applications should be allowed to bypass UAC in your environment. And btw, UAC is only a nagging pain in the butt if you have no idea of how to control it.
Posted by:
dhanraj
12 years ago
Hi ,
Microsoft ACT is best tool to suppress UAC .You can create the shim databases I mean .sdb file and you can include in your msi or mst file.
Thanks
Microsoft ACT is best tool to suppress UAC .You can create the shim databases I mean .sdb file and you can include in your msi or mst file.
Thanks
Posted by:
Arminius
12 years ago
My current client uses privilege management - they have UAC and all users are users. The tool is PowerBroker - I'm not a huge fan, but it does seem to work. If you really run into issues with UAC, that is one option although I don't think it will solve your problem here with ActiveSetup. The Application Compatiblity Toolkit is nice; I'd more use it for making 32-bit apps perform in a 64-bit environment than for user rights - you can make apps run as administrator, but if you have uac issues that will still be an issue.
Posted by:
dannyarya
12 years ago
Hi,
We have same environment in our company. UAC prompt coming because policy not allow to run any executable.
Here we are using vbscript to add the user registries thru Active Setup. It works fine.
The above case is okay if you have maximum 30-40 or 50 registries entries but not if you have more than 100 and so on.
For that I'm trying to write a VBScript which converts the .reg file to the .vbs file which we can use in our package in ActiveSetup.
We have same environment in our company. UAC prompt coming because policy not allow to run any executable.
Here we are using vbscript to add the user registries thru Active Setup. It works fine.
The above case is okay if you have maximum 30-40 or 50 registries entries but not if you have more than 100 and so on.
For that I'm trying to write a VBScript which converts the .reg file to the .vbs file which we can use in our package in ActiveSetup.
Posted by:
jmaclaurin
12 years ago
If you are using Wise to create an EXE to run in your active setup, I found that you need to have the Build Settings set to the run level to "asInvoker". Otherwise, it is attempting to ask for elevated rights when they aren't needed to make changes to a User's profile.
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.
