Managing UAC and "Run As Administrator" in Windows 7 using ZCM

  • 7010269
  • 07-Mar-2012
  • 30-Apr-2012

Environment

Novell ZENworks 10 Configuration Management
Novell ZENworks 11 Configuration Management

Situation

UAC causes applications run as an administrator to fail with insufficient rights or accessed denied messages.

Resolution

Configure the Application or Process to request elevated rights.
See "Additional Information" below for some methods of controlling UAC.
 
The following Microsoft Document also provides extensive details on UAC:
 

Additional Information

What is UAC?
UAC (User Access Control) is a feature of Windows whereby a user's highest security tokens can only be used if the user requests those high level security tokens be used and then confirms their request to use those tokens.
When UAC is enabled and a user does not BOTH request the use of those tokens AND confirms their request for the use of those tokens, the action will not be run with full administrative rights.
This explains the confusing subject, where users receive “access deniedâ€, “insufficient rightsâ€, or similar messages, while they are logged into Windows with an account that is either member of the local administrators group or even the administrator account itself.
 
Requesting High Level Security Tokens for UAC:
One method for requesting access to the highest security tokens is to “right-click†on an application or shortcut and select“Run as Administratorâ€.
This menu item is a slight misnomer since it is not a request to run the action as the local administrator account, but rather to run the action as someone who is a member of the local administrators group.
Assuming the user is logged into Windows with an account that is a member of the local administrators group, a pop-up dialogue will appear asking permission to allow the program to make changes to this computer.
If the logged on user is not a member of the local administrator's group, it will also ask for credentials for a local administrator account it can use to make those changes.
(Note: Some UAC aware applications that know they need elevated rights, may automatically send the elevation request without the user needing to specifically perform the request, though they will still need to confirm that request assuming default UAC settings.)
 
UAC in Action:
Witnessing UAC in action can help users better understand the operation. On a Windows 7 PC with Default UAC settings, while logged in as a member of the local administrator's group, create a shortcut to “c:\windows\system32\cmd.exe†on the desktop.
Launch the shortcut and navigate to the c:\windows\system32 directory. Then type the command “md testâ€. This should return the result “access deniedâ€, even though the logged on user is a local administrator.
Next, “Right-Click†on the shortcut and select “Run as administratorâ€. When prompted, grant permission to the application to make changes and again try to create the “test†directory in “c:\windows\system32â€.
This time the command should work without giving an accessed denied message. This successful command would have been completed by the same logged on user, but this time the process is started with the full set of the logged on user’s security tokens.
 
Using a Script to Request Elevated Rights:  (All Scripts are for Example purposes only and not supported by Novell.)
Applications can be configured to request elevated rights at launch via a VBS Script.
The command “Wscript.exe GoNotepad.vbs†will execute the VBS script, which launches notepad.exe so that it requests elevated rights as well as opens “myfile.txt†and a UAC prompt should be generated.
 
GoNotepad.VBS
--------------------------
Set objSh = CreateObject("Shell.Application")
objSh.ShellExecute "notepad.exe", "myfile.txt" , "", "runas", 1
 
Automating Acceptance of Elevation Requests for Local Administrators :
The UAC Group Policy setting “User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode†can be configured so that all elevations requests are automatically granted without prompting if a user is logged onto the device as a local administrator by setting it to“Elevate without Promptingâ€. This setting can be configured either via the Group Policy Editor to change the default local settings, a Group Policy, or by directly editing the registry. Set the registry key below and right-click on the cmd.exe shortcut again and select the “Run as Administrator†option. There should not be any elevation prompt, but the rights should exist to create subdirectories underneath c:\windows. 
 
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000000 

 
Repeat the process of running the cmd.exe shortcut, but this time do not select the “Run as Administratorâ€. The rights to create directories underneath c:\windows should now be absent, despite the registry key above since an elevation request has not been made.
Configuring Applications to Always Request Elevated Rights:
Programs can be configured to always request elevation on the user level via registry settings under HKCU. These registry settings are effective on the fly, so they can be set immediately prior to launching a particular application and even removed as soon as the application is launched, if so desired. Simply create a “String Value†under“HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers†for the full path to an executable with a value of “RUNASADMINâ€. Below is an example for CMD.

Windows Registry Editor Version 5.00
[HKEY_Current_User\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"c:\\windows\\system32\\cmd.exe"="RUNASADMIN"

Create the registry entry above and then test running “cmd.exe†without selecting the“Run As Administrator†option. (Note: The Double Slashes are needed when creating a REG file, but only a Single Slash is used if entering the information directly via regedit) The expected result should be that an elevation request should be sent to the logged on user in the same manner as if the user had right-clicked the cmd.exe shortcut and selected the “Run as administrator†option. The user should also be able to create directories inside of thec:\windows\system32 directory via the command prompt. If an elevation request is not always desired for the program, make sure to create a bundle action to delete the entry after the application is launched.

(Note: This setting is not valid under HKEY Local Machine)
There are also two unsupported on the ZENworks Cool Solution Site that can be used to update the manifest within the EXE so that it will automate its own request rights.
https://www.novell.com/coolsolutions/tools/18193.html
https://www.novell.com/coolsolutions/tools/18708.html