Win7, UAC, File and Print Sharing settings
I'm a new KBOX user and have been rolling out the Agent to my 120+ users over the past month. Got my head around the firewall/ports thing and configured that via a GPO. But now that I am also supporting new Windows 7 PCs/notebooks, I am curious about a couple of things:
(1) the security implications of setting UAC via a GPO with "Run all administrators in Admin Approval Mode" set to ENABLED ... what does this really mean in terms of changing UAC behaviour?
EDIT: just realised that the default in the GPO settings is Enabled, so I guess all my Windows 7 machines already have this set unless I have specified otherwise?
(2) I've not been able to discover how to enable File and Printer Sharing via a GPO ... so am I stuck with a manual process on a per-machine basis for this?
Just wondering whether others here are happy with that UAC change and also whether others here have a better way of dealing with item #2.
For the time being I have had to manually turn off UAC, manually turn on File and Print Sharing and Network Discovery, reboot, install the Agent, turn UAC back on again, reboot. Painful.
(1) the security implications of setting UAC via a GPO with "Run all administrators in Admin Approval Mode" set to ENABLED ... what does this really mean in terms of changing UAC behaviour?
EDIT: just realised that the default in the GPO settings is Enabled, so I guess all my Windows 7 machines already have this set unless I have specified otherwise?
(2) I've not been able to discover how to enable File and Printer Sharing via a GPO ... so am I stuck with a manual process on a per-machine basis for this?
Just wondering whether others here are happy with that UAC change and also whether others here have a better way of dealing with item #2.
For the time being I have had to manually turn off UAC, manually turn on File and Print Sharing and Network Discovery, reboot, install the Agent, turn UAC back on again, reboot. Painful.
0 Comments
[ + ] Show comments
Answers (5)
Please log in to answer
Posted by:
GillySpy
12 years ago
If you have GPO why not deploy the agent that way as well? http://www.kace.com/support/kb/index.php?action=artikel&cat=2&id=848&artlang=en
Posted by:
stephen.frost
12 years ago
I suppose I could. But I've always been a bit wary of apps deployed via GPO and avoid it when I can. That wouldn't address the UAC and other issues though would it?
Posted by:
GillySpy
12 years ago
I was assuming that the only reason you were playing with UAC, etc was to get provisioning to work. If so then yes this would address that problem as it would use AD's security mechanisms in lieu of agent provisioning and not require those other changes
Posted by:
stephen.frost
12 years ago
OK, thanks, I didn't realise that; I will finish rolling out the current batch manually, but when we upgrade to the next Agent version I will give the .MSI deployment via GPO a go.
Posted by:
GillySpy
12 years ago
Just to be clear that once you have an agent you should never need to reprovision it again --it will update itself. Provision or other installation methods like via GPO are only necessary for machines that do not have an agent.
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.