If you are using Wise to create an EXE to run in your active setup, I found that you need to have the Build Settings set to the run level to "asInvoker". Otherwise, it is attempting to ask for elevated rights when they aren't needed to make changes to a User's profile.

Hi,

We have same environment in our company. UAC prompt coming because policy not allow to run any executable.

Here we are using vbscript to add the user registries thru Active Setup. It works fine.

The above case is okay if you have maximum 30-40 or 50 registries entries but not if you have more than 100 and so on.

For that I'm trying to write a VBScript which converts the .reg file to the .vbs file which we can use in our package in ActiveSetup.

My current client uses privilege management - they have UAC and all users are users. The tool is PowerBroker - I'm not a huge fan, but it does seem to work.  If you really run into issues with UAC, that is one option although I don't think it will solve your problem here with ActiveSetup.  The Application Compatiblity Toolkit is nice; I'd more use it for making 32-bit apps perform in a 64-bit environment than for user rights - you can make apps run as administrator, but if you have uac issues that will still be an issue.

Hi ,

Microsoft ACT is best tool to suppress UAC .You can create the shim databases I mean .sdb file and you can include in your msi or mst file.

Thanks

Indeed that sounds odd. Are you sure Active Setup has been implemented correctly?

As for controlling UAC, I would suggest you take a peek at "Microsoft Application Compatibility Toolkit". With this tool in hand you can decide what installers/applications should be allowed to bypass UAC in your environment. And btw, UAC is only a nagging pain in the butt if you have no idea of how to control it.

With users limited to User level, a properly secured network, firewall, antivirus solution, trained and knowledgeable support staff, etc... you don't need UAC. It does nothing for OS security but blameshift from Microsoft's failure to properly fix the OS. If UAC were an actual fix, then why give the option to disable it?

Having said that, you should try to limit your Active Setups to write only to areas in the user's profiles and locations that they can write to without issue. It sounds like that is what you are attempting, but user's should have the ability to write to HKCU natively. If you are having issue, I would suggest you test your install on a base Win7 install straight from the CD,workgrouped, un-networked, no antivirus, no patches, no apps, etc and work from there.

If you use InstallShield you can set "Require Administrative Privileges" to "NO" (it's in Summary Information Stream section) for MSI's so it will allow limited user repairs and active setups. Users will still not be able to uninstall, change files or proceed with any sort of bold moves.

Naturally, every environment is different.  However given your scenario is very similar to what we have almost completed here, we opted for limiting UAC functionality with Group Policy rather than completely turning it off.