My company is getting ready to make the transition from Windows XP (primarily x86) to Windows 7 x64. I've done some experiments with packaging and deploying via SCCM, and one thing I've discovered is that UAC prompts for credentials when I attempt an Active Setup solution--for example, getting registry values into HKCU.

I'm trying to get a sense of the best way to handle this, and based on what I've read in the forums here, it sounds like the best approach, at least for a corporate environment where we have desktops locked down and admin rights given to a select group, is to either completely turn off UAC, or limit its functionality with Group Policy. Does that sound right, or would there be a better approach?

0 Comments   [ + ] Show Comments

Comments

Please log in to comment

Answers

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.
0

If you are using Wise to create an EXE to run in your active setup, I found that you need to have the Build Settings set to the run level to "asInvoker". Otherwise, it is attempting to ask for elevated rights when they aren't needed to make changes to a User's profile.

Answered 03/15/2012 by: jmaclaurin
Third Degree Blue Belt

Please log in to comment
0

Hi,

We have same environment in our company. UAC prompt coming because policy not allow to run any executable.

Here we are using vbscript to add the user registries thru Active Setup. It works fine.

The above case is okay if you have maximum 30-40 or 50 registries entries but not if you have more than 100 and so on.

For that I'm trying to write a VBScript which converts the .reg file to the .vbs file which we can use in our package in ActiveSetup.

Answered 03/06/2012 by: dannyarya
Orange Senior Belt

Please log in to comment
0

My current client uses privilege management - they have UAC and all users are users. The tool is PowerBroker - I'm not a huge fan, but it does seem to work.  If you really run into issues with UAC, that is one option although I don't think it will solve your problem here with ActiveSetup.  The Application Compatiblity Toolkit is nice; I'd more use it for making 32-bit apps perform in a 64-bit environment than for user rights - you can make apps run as administrator, but if you have uac issues that will still be an issue.

Answered 03/02/2012 by: Arminius
Second Degree Green Belt

Please log in to comment
0

Hi ,

Microsoft ACT is best tool to suppress UAC .You can create the shim databases I mean .sdb file and you can include in your msi or mst file.

Thanks

Answered 03/01/2012 by: dhanraj
Senior Yellow Belt

Please log in to comment
0

Indeed that sounds odd. Are you sure Active Setup has been implemented correctly?

As for controlling UAC, I would suggest you take a peek at "Microsoft Application Compatibility Toolkit". With this tool in hand you can decide what installers/applications should be allowed to bypass UAC in your environment. And btw, UAC is only a nagging pain in the butt if you have no idea of how to control it.

Answered 02/28/2012 by: Matias M Andersen
Senior Yellow Belt

Please log in to comment
0

With users limited to User level, a properly secured network, firewall, antivirus solution, trained and knowledgeable support staff, etc... you don't need UAC. It does nothing for OS security but blameshift from Microsoft's failure to properly fix the OS. If UAC were an actual fix, then why give the option to disable it?

Having said that, you should try to limit your Active Setups to write only to areas in the user's profiles and locations that they can write to without issue. It sounds like that is what you are attempting, but user's should have the ability to write to HKCU natively. If you are having issue, I would suggest you test your install on a base Win7 install straight from the CD,workgrouped, un-networked, no antivirus, no patches, no apps, etc and work from there.

Answered 02/27/2012 by: jmaclaurin
Third Degree Blue Belt

Please log in to comment
0

If you use InstallShield you can set "Require Administrative Privileges" to "NO" (it's in Summary Information Stream section) for MSI's so it will allow limited user repairs and active setups. Users will still not be able to uninstall, change files or proceed with any sort of bold moves.

Answered 02/27/2012 by: Aivars_s
Senior Yellow Belt

Please log in to comment
0

Naturally, every environment is different.  However given your scenario is very similar to what we have almost completed here, we opted for limiting UAC functionality with Group Policy rather than completely turning it off.

Answered 02/26/2012 by: Twyan
Yellow Belt

Please log in to comment
Answer this question or Comment on this question for clarity