Sign in to follow this  
Followers 0
jazzyjeff

Suppress UAC in an enterprise environment

6 posts in this topic

I have spent some time figuring out how to suppress the prompts for UAC when installing applications in Windows 7. I am at a school district and have a domain of several thousand users, so the idea of an App Store where staff and students could pick software that we allow, and install this software without the need the for a technician to enter the admin password. These users are standard users on the machine, and have no local admin rights.

The App Store app that has been create uses the RunAs command, with an Admin account and encrypted password embedded. Even though Runas("admin","domain.com","password",0,"X:\InstallApp.exe") seems like it would install the application as the administrator, UAC still wants you to authorize the procedure with a prompt.

You all probably know this already.

I found this website and read through some of the settings.

http://technet.microsoft.com/en-us/library/dd835564(v=WS.10).aspx

The one that intrigued me was this:

http://technet.microsoft.com/en-us/library/dd835564(v=WS.10).aspx#BKMK_DetectApp

EnableInstallerDetection - Regkey

When I disabled this key and set the ConsentPromptBehaviorAdmin to 0, I am able to install the applications from my application.

Hopefully this will help others that have had issues with this. I have only tested it on one machine so far too, so hopefully I am not jumping the gun. It did work on that 1 machine.

This is not an autoit fix, just some documentation from microsoft, so hopefully the forum guys aren't mad at me for putting this out there as it's nothing Microsoft aren't publishing themselves.

Share this post


Link to post
Share on other sites



It would be nice if you at least provided an example script since this is not exactly a "Script Advice" forum.

And anyway, If I am correct, handling UAC is not much different than it would be on different version of windows 7.


Things that I've done..

Icon Resource Editor: icon resource editor 

AutoIt Piano: a piano

AutoIt Unlocker: unlocks files when you want to delete them

Colorful tooltips: a wrapper for the tool tips UDF

Rouge GoogleBot: a full screen animation

ASciTE text editor: a text editor written in autoit

Warning: Posts by this user are subject to change or may disappear without notice.

Share this post


Link to post
Share on other sites

Sorry for offending you ApudAngelorum for the "Script Advice". Just trying to help out others. I thought there was enough information to assist those who may require something similar to me. I thought this was an example.

Sorry I am not quite sure I understand your last sentence...

Share this post


Link to post
Share on other sites

#4 ·  Posted (edited)

Sorry for offending you ApudAngelorum for the "Script Advice". Just trying to help out others. I thought there was enough information to assist those who may require something similar to me. I thought this was an example.

Sorry I am not quite sure I understand your last sentence...

haha, I guess that did sound a little off beat, I didn't mean to be a prick when saying that.

the links are a good resource for anyone investigating to create a UAC handling script right, but I just simply meant that it would have been great if you included something that you fabricated using the information. Usually people here post a script that makes use of the information attained through research on a certain subject, that's all. I'm not pressuring you to make an working example either so don't get me wrong. It's just that I'm sort of passing on what I've been told when doing something similar.

And what I meant by "If I am correct, handling UAC is not much different than it would be on different version of windows 7. " was targeted at the bit in your thread title "Suppress UAC in an enterprise environment", which to me implied that this was intended for use in the said environment only, but if I'm correct (could be wrong), the changes are applicable to any version of windows 7. But if I'm wrong, then please correct me.

Edited by ApudAngelorum

Things that I've done..

Icon Resource Editor: icon resource editor 

AutoIt Piano: a piano

AutoIt Unlocker: unlocks files when you want to delete them

Colorful tooltips: a wrapper for the tool tips UDF

Rouge GoogleBot: a full screen animation

ASciTE text editor: a text editor written in autoit

Warning: Posts by this user are subject to change or may disappear without notice.

Share this post


Link to post
Share on other sites

This may seem like a silly question, but doesn't changing those regkeys require admin access, and therefore, the application making those changes (in your case, the app store), would still require a 1 time authorization in UAC prompt, in order to gain rights to make those changes?

Share this post


Link to post
Share on other sites

#6 ·  Posted (edited)

Yes, to modify those registry keys you do need admin rights. In my case, I have created an image for all of our machines where these keys have been setup already. When the user logs in they inherit these changes.

We have been using this for some time now and I have made massive improvements to our app store in this time, which I should/will post.

With these changes in place though, I have UAC locked down fully for standard users, but I can now execute scripts as an admin account with full UAC rights and the user is never prompt for a password. This is great for applying fixes to the users machine that would usually require admin rights, but it is mostly being used by our users to update software applications or to install software that we perhaps missed on the image. For example a bunch of teachers like using a program called Splashtop, but this isn't adopted widely enough for us to warrant putting it on the image. I have added the install files to a share that the app store points to, and any user that would like to install this application can without being prompted for a password. If they try and run the exe from the link off the website, they are going to be prompted for an admin username and password.

So in short, yes you have to make the change on the machine with an admin account before it can really become useful.

Edited by jazzyjeff

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0