Need Repros, UAC breaks Domain GPO or Logon scripts.

Posted: 08-28-2006, 09:30 PM
I've been tracking an issue regarding UAC breaking logon scripts and I
need repros/scripts/examples. From what I've seen, if you have your script
in the User/Logon GPO it pops UAC on some operations such as installing
antivirus or executing remote monitoring clients; cancelling on the UAC
prevents the domain policy from being fulfilled.

In some cases I have seen that moving these scripts to the Computer/Startup
GPO fixes the problem. Anybody had issues with similar cases? Have a bug
that was closed By Design, Not Repro relating to this type of issue, chime
in. Windows 2003 SBS connection issues welcome too.

Thanks,

John
Microsoft Windows Beta Team
a-johnr@microsoft.com


Responses to "Need Repros, UAC breaks Domain GPO or Logon scripts."

Kerry Brown
Re: Need Repros, UAC breaks Domain GPO or Logon scripts.
Posted: 08-29-2006, 12:32 AM
John [MS] wrote:
> I've been tracking an issue regarding UAC breaking logon scripts
> and I need repros/scripts/examples. From what I've seen, if you have
> your script in the User/Logon GPO it pops UAC on some operations such
> as installing antivirus or executing remote monitoring clients;
> cancelling on the UAC prevents the domain policy from being fulfilled.
>
> In some cases I have seen that moving these scripts to the
> Computer/Startup GPO fixes the problem. Anybody had issues with
> similar cases? Have a bug that was closed By Design, Not Repro
> relating to this type of issue, chime in. Windows 2003 SBS connection
> issues welcome too.
> Thanks,
>
> John
> Microsoft Windows Beta Team
> a-johnr@microsoft.com
Connecting to my SBS 2003 server as a domain user who is not a member of the
local administrator group (standard Vista user) pops up a UAC prompt. If you
then specify a local administrator account that is not a domain account
(default first account from Vista install) you are then prompted again for
network credentials. If you specify a domain user that is in the local
administrators group then there is no second prompt for domain credentials.
It would be nice if SBS domain users did not need to be members of the local
administrators group. This happens with builds 5384 and 5472.

With 5384 I also had problems with group policies intermittently not being
applied with the same SBS domain. With 5472 this seems to be fixed. The SBS
group policies have not been modified from the default SBS install.

The media used for the SBS install was Microsoft Windows Small Business
Server 2003 Standard Edition with Service Pack 1. On the COA on the outside
of the box it is called WIN SBS STD 2003 W/SP1 ENGLISH CD/D.

--
Kerry
MS-MVP Windows - Shell/User
http://www.vistahelp.ca/forum/Forum.htm


Kerry Brown
Re: Need Repros, UAC breaks Domain GPO or Logon scripts.
Posted: 08-29-2006, 01:15 AM
Kerry Brown wrote:
> John [MS] wrote:
>> I've been tracking an issue regarding UAC breaking logon scripts
>> and I need repros/scripts/examples. From what I've seen, if you have
>> your script in the User/Logon GPO it pops UAC on some operations such
>> as installing antivirus or executing remote monitoring clients;
>> cancelling on the UAC prevents the domain policy from being fulfilled.
>>
>> In some cases I have seen that moving these scripts to the
>> Computer/Startup GPO fixes the problem. Anybody had issues with
>> similar cases? Have a bug that was closed By Design, Not Repro
>> relating to this type of issue, chime in. Windows 2003 SBS connection
>> issues welcome too.
>> Thanks,
>>
>> John
>> Microsoft Windows Beta Team
>> a-johnr@microsoft.com
>
> Connecting to my SBS 2003 server as a domain user who is not a member
> of the local administrator group (standard Vista user) pops up a UAC
> prompt. If you then specify a local administrator account that is not
> a domain account (default first account from Vista install) you are
> then prompted again for network credentials. If you specify a domain
> user that is in the local administrators group then there is no
> second prompt for domain credentials. It would be nice if SBS domain
> users did not need to be members of the local administrators group.
> This happens with builds 5384 and 5472.
> With 5384 I also had problems with group policies intermittently not
> being applied with the same SBS domain. With 5472 this seems to be
> fixed. The SBS group policies have not been modified from the default
> SBS install.
> The media used for the SBS install was Microsoft Windows Small
> Business Server 2003 Standard Edition with Service Pack 1. On the COA
> on the outside of the box it is called WIN SBS STD 2003 W/SP1 ENGLISH
> CD/D.
I forgot to mention. I have not been able to get the SBS
https://sbs-server-name/connectcomputer/ wizard to work in Vista. I have to
manually join the computer to the domain.

--
Kerry
MS-MVP Windows - Shell/User
http://www.vistahelp.ca/forum/Forum.htm


Steve Foster [SBS MVP]
Re: Need Repros, UAC breaks Domain GPO or Logon scripts.
Posted: 08-29-2006, 11:29 AM
Kerry Brown wrote:
>John [MS] wrote:
>> I've been tracking an issue regarding UAC breaking logon scripts
>> and I need repros/scripts/examples. From what I've seen, if you have
>> your script in the User/Logon GPO it pops UAC on some operations such
>> as installing antivirus or executing remote monitoring clients;
>> cancelling on the UAC prevents the domain policy from being fulfilled.
>>
>>In some cases I have seen that moving these scripts to the
>>Computer/Startup GPO fixes the problem. Anybody had issues with
>>similar cases? Have a bug that was closed By Design, Not Repro
>>relating to this type of issue, chime in. Windows 2003 SBS connection
>>issues welcome too.
>>Thanks,
>>
>>John
>>Microsoft Windows Beta Team
>>a-johnr@microsoft.com
>
>Connecting to my SBS 2003 server as a domain user who is not a member of
>the local administrator group (standard Vista user) pops up a UAC prompt.
>If you then specify a local administrator account that is not a domain
>account (default first account from Vista install) you are then prompted
>again for network credentials. If you specify a domain user that is in the
>local administrators group then there is no second prompt for domain
>credentials. It would be nice if SBS domain users did not need to be
>members of the local administrators group. This happens with builds 5384
>and 5472.
That would be because the standard SBS login script invokes the SBS client
setup utility, which requires local administrative privileges.

On XP clients, this utility simply fails for non-administrative users.
It's only because of UAC/LUA/etc on Vista that there's an opportunity to
enter administrative credentials and have the utility do its thing (which
is to install Outlook if necessary, configure IE, create entries in
Network Places, etc.)

--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.
Kerry Brown
Re: Need Repros, UAC breaks Domain GPO or Logon scripts.
Posted: 08-29-2006, 03:18 PM
Steve Foster [SBS MVP] wrote:
> Kerry Brown wrote:
>
>> John [MS] wrote:
>>> I've been tracking an issue regarding UAC breaking logon scripts
>>> and I need repros/scripts/examples. From what I've seen, if you have
>>> your script in the User/Logon GPO it pops UAC on some operations
>>> such as installing antivirus or executing remote monitoring
>>> clients; cancelling on the UAC prevents the domain policy from
>>> being fulfilled. In some cases I have seen that moving these scripts to
>>> the
>>> Computer/Startup GPO fixes the problem. Anybody had issues with
>>> similar cases? Have a bug that was closed By Design, Not Repro
>>> relating to this type of issue, chime in. Windows 2003 SBS
>>> connection issues welcome too.
>>> Thanks,
>>>
>>> John
>>> Microsoft Windows Beta Team
>>> a-johnr@microsoft.com
>>
>> Connecting to my SBS 2003 server as a domain user who is not a
>> member of the local administrator group (standard Vista user) pops
>> up a UAC prompt. If you then specify a local administrator account
>> that is not a domain account (default first account from Vista
>> install) you are then prompted again for network credentials. If you
>> specify a domain user that is in the local administrators group then
>> there is no second prompt for domain credentials. It would be nice
>> if SBS domain users did not need to be members of the local
>> administrators group. This happens with builds 5384 and 5472.
>
> That would be because the standard SBS login script invokes the SBS
> client setup utility, which requires local administrative privileges.
>
> On XP clients, this utility simply fails for non-administrative users.
> It's only because of UAC/LUA/etc on Vista that there's an opportunity
> to enter administrative credentials and have the utility do its
> thing (which is to install Outlook if necessary, configure IE, create
> entries in Network Places, etc.)
I know that's the reason why. I still feel it's a bug. I don't like the way
it works with XP and it's worse with Vista. It is a big security flaw
forcing everyone to be a local administrator and goes against the grain of
the new security model in Vista. It will be a major problem when deploying
Vista workstations in a SBS environment if you don't want everyone to be
local administrators. There will be no end of the users complaining about
the UAC prompt, asking what they should do, what's the password, etc. At
least with XP you could work around it. The SBS group rather than the Vista
group will have to fix it. If I complain about it every chance I get
hopefully sooner or later it will get through to the right people.

--
Kerry
MS-MVP Windows - Shell/User
http://www.vistahelp.ca/forum/Forum.htm


John [MS]
Re: Need Repros, UAC breaks Domain GPO or Logon scripts.
Posted: 08-29-2006, 07:47 PM
That's exactly my thoughts on the matter and the issue I'm trying to prevent.
Can you email me your logon script from that 2k3 server?

Thanks

John
Microsoft Windows Beta Team
a-johnr@microsoft.com


"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
news:uARv5X3yGHA.3464@TK2MSFTNGP03.phx.gbl...
> Steve Foster [SBS MVP] wrote:
>> Kerry Brown wrote:
>>
>>> John [MS] wrote:
>>>> I've been tracking an issue regarding UAC breaking logon scripts
>>>> and I need repros/scripts/examples. From what I've seen, if you have
>>>> your script in the User/Logon GPO it pops UAC on some operations
>>>> such as installing antivirus or executing remote monitoring
>>>> clients; cancelling on the UAC prevents the domain policy from
>>>> being fulfilled. In some cases I have seen that moving these scripts to
>>>> the
>>>> Computer/Startup GPO fixes the problem. Anybody had issues with
>>>> similar cases? Have a bug that was closed By Design, Not Repro
>>>> relating to this type of issue, chime in. Windows 2003 SBS
>>>> connection issues welcome too.
>>>> Thanks,
>>>>
>>>> John
>>>> Microsoft Windows Beta Team
>>>> a-johnr@microsoft.com
>>>
>>> Connecting to my SBS 2003 server as a domain user who is not a
>>> member of the local administrator group (standard Vista user) pops
>>> up a UAC prompt. If you then specify a local administrator account
>>> that is not a domain account (default first account from Vista
>>> install) you are then prompted again for network credentials. If you
>>> specify a domain user that is in the local administrators group then
>>> there is no second prompt for domain credentials. It would be nice
>>> if SBS domain users did not need to be members of the local
>>> administrators group. This happens with builds 5384 and 5472.
>>
>> That would be because the standard SBS login script invokes the SBS
>> client setup utility, which requires local administrative privileges.
>>
>> On XP clients, this utility simply fails for non-administrative users.
>> It's only because of UAC/LUA/etc on Vista that there's an opportunity
>> to enter administrative credentials and have the utility do its
>> thing (which is to install Outlook if necessary, configure IE, create
>> entries in Network Places, etc.)
>
> I know that's the reason why. I still feel it's a bug. I don't like the
> way it works with XP and it's worse with Vista. It is a big security flaw
> forcing everyone to be a local administrator and goes against the grain of
> the new security model in Vista. It will be a major problem when deploying
> Vista workstations in a SBS environment if you don't want everyone to be
> local administrators. There will be no end of the users complaining about
> the UAC prompt, asking what they should do, what's the password, etc. At
> least with XP you could work around it. The SBS group rather than the
> Vista group will have to fix it. If I complain about it every chance I get
> hopefully sooner or later it will get through to the right people.
>
> --
> Kerry
> MS-MVP Windows - Shell/User
> http://www.vistahelp.ca/forum/Forum.htm
>
Steve Foster [SBS MVP]
Re: Need Repros, UAC breaks Domain GPO or Logon scripts.
Posted: 08-29-2006, 09:03 PM
Kerry Brown wrote:

>>On XP clients, this utility simply fails for non-administrative users.
>>It's only because of UAC/LUA/etc on Vista that there's an opportunity
>>to enter administrative credentials and have the utility do its
>>thing (which is to install Outlook if necessary, configure IE, create
>>entries in Network Places, etc.)
>
>I know that's the reason why. I still feel it's a bug. I don't like the
>way it works with XP and it's worse with Vista. It is a big security flaw
>forcing everyone to be a local administrator and goes against the grain of
>the new security model in Vista. It will be a major problem when deploying
>Vista workstations in a SBS environment if you don't want everyone to be
>local administrators. There will be no end of the users complaining about
>the UAC prompt, asking what they should do, what's the password, etc. At
>least with XP you could work around it. The SBS group rather than the
>Vista group will have to fix it. If I complain about it every chance I get
>hopefully sooner or later it will get through to the right people.
I disagree with the idea that ordinary users should be granted
administrative privileges on the workstation they use - so I don't do so.

It's trivial to eliminate the problem:

* rename the standard SBS logon script, and put an empty script in its
place (keeps the wizards happy), or
* comment out the invocation of the client setup utility, or
* change it like this (use your favourite user account with local
administrative privileges):

rem Only the designated install account invokes the privileged client setup
if not "%username%"=="Installer" goto exit
\\<server>\clients\setup\setup.exe /s <server>
:exit


That's three ways to fix it off the top of my head.

--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.
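Added example, not Steve's script and not the SBS client setup script the thread discusses: a hypothetical domain logon script in batch that combines Steve's username gate with John's observation that moving the privileged step to a Computer/Startup GPO avoids the prompt. It also records what happened, so an administrator can see which machines skipped the client setup instead of finding out from users who cancelled a UAC dialog. The server name, the log share under `\\<server>\clients\logs`, the `Installer` account name and the use of `whoami /groups` to look for the High Mandatory Level SID `S-1-16-12288` are all assumptions of this example.

```batch
@echo off
rem Added example, not the SBS logon script from the thread.
rem Purpose: a domain logon script that never hands a standard user a UAC
rem prompt, runs the privileged client setup only from the designated
rem account, and appends a one-line record so an admin can see which
rem machines skipped the setup and why.
setlocal

rem Placeholders: your SBS server and the name of the install account.
set "SBS_SERVER=<server>"
set "INSTALL_ACCOUNT=Installer"
rem Assumption: a share the logon account can append to. Use a local path
rem (for example %TEMP%) if no such share exists.
set "LOGFILE=\\%SBS_SERVER%\clients\logs\%COMPUTERNAME%.log"
set "STAMP=%DATE% %TIME% %COMPUTERNAME%\%USERNAME%"

rem 1. Standard users never reach setup.exe, so UAC is never triggered for
rem    them (Steve's gate, made case-insensitive because Windows logon
rem    names are not case-sensitive).
if /i not "%USERNAME%"=="%INSTALL_ACCOUNT%" (
    >>"%LOGFILE%" echo %STAMP% standard user, client setup skipped
    goto :eof
)

rem 2. Under UAC a User/Logon GPO script runs with the filtered (medium
rem    integrity) token even for an administrator, so setup.exe will still
rem    ask for consent. whoami lists the integrity label; S-1-16-12288 is
rem    the High Mandatory Level SID present only in an elevated token.
whoami /groups | find "S-1-16-12288" >nul
if errorlevel 1 (
    >>"%LOGFILE%" echo %STAMP% not elevated, expect a UAC prompt or move this step to a Computer/Startup script
)

rem 3. Run the client setup and record its exit code.
\\%SBS_SERVER%\clients\setup\setup.exe /s %SBS_SERVER%
>>"%LOGFILE%" echo %STAMP% setup.exe returned %ERRORLEVEL%

endlocal
```

When the designated account logs on interactively it can approve the prompt and the setup runs; for a fully unattended deployment, move step 3 into a Computer/Startup GPO script, which runs as LocalSystem before anyone logs on and therefore never shows a UAC dialog. The log also gives the detection side: a machine whose log only ever says "standard user, client setup skipped" has never had the client setup completed, which is the silent failure Kerry describes on XP.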
Kerry Brown
Re: Need Repros, UAC breaks Domain GPO or Logon scripts.
Posted: 08-29-2006, 09:10 PM
John [MS] wrote:
> That's exactly my thoughts on the matter and the issue I'm trying to
> prevent. Can you email me your logon script from that 2k3 server?
>
> Thanks
>
> John
> Microsoft Windows Beta Team
> a-johnr@microsoft.com
>
It's the standard SBS 2003 logon script. It only has one line which is the
following:

\\SBS-SERVER\Clients\Setup\setup.exe /s SBS-SERVER

--
Kerry
MS-MVP Windows - Shell/User
http://www.vistahelp.ca/forum/Forum.htm


Kerry Brown
Re: Need Repros, UAC breaks Domain GPO or Logon scripts.
Posted: 08-29-2006, 09:13 PM
>
> I forgot to mention. I have not been able to get the SBS
> https://sbs-server-name/connectcomputer/ wizard to work in Vista. I
> have to manually join the computer to the domain.
I just installed build 5536 and the connectcomputer wizard works, sort of, if
you run IE using Run as administrator. The computer was joined to the domain
properly. I could pick which name from the list of available names. I could
not pick any local profiles to migrate to a domain profile. The drop down
list was blank. I had added one user besides the default one added during
the Vista install.

--
Kerry
MS-MVP Windows - Shell/User
http://www.vistahelp.ca/forum/Forum.htm


Kerry Brown
Re: Need Repros, UAC breaks Domain GPO or Logon scripts.
Posted: 08-29-2006, 11:03 PM
Steve Foster [SBS MVP] wrote:
> Kerry Brown wrote:
>
>
>>> On XP clients, this utility simply fails for non-administrative
>>> users. It's only because of UAC/LUA/etc on Vista that there's an
>>> opportunity to enter administrative credentials and have the
>>> utility do its thing (which is to install Outlook if necessary,
>>> configure IE, create entries in Network Places, etc.)
>>
>> I know that's the reason why. I still feel it's a bug. I don't like
>> the way it works with XP and it's worse with Vista. It is a big
>> security flaw forcing everyone to be a local administrator and goes
>> against the grain of the new security model in Vista. It will be a
>> major problem when deploying Vista workstations in a SBS environment
>> if you don't want everyone to be local administrators. There will be
>> no end of the users complaining about the UAC prompt, asking what
>> they should do, what's the password, etc. At least with XP you could
>> work around it. The SBS group rather than the Vista group will have
>> to fix it. If I complain about it every chance I get hopefully
>> sooner or later it will get through to the right people.
>
> I disagree with the idea that ordinary users should be granted
> administrative privileges on the workstation they use - so I don't do
> so.
I don't think we disagree here. I wholeheartedly agree that standard users
shouldn't have administrator privileges or access to a password that grants
this.
>
> It's trivial to eliminate the problem:
>
> * rename the standard SBS logon script, and put an empty script in
> its place (keeps the wizards happy), or
> * comment out the invocation of the client setup utility, or
> * change it like this (use your favourite user account with local
> administrative privileges):
>
> if not "%username%"=="Installer" goto exit
> \\<server>\clients\setup\setup.exe /s <server>
> :exit
>
>
> That's three ways to fix it off the top of my head.
I also agree it's pretty easy to get around the problem. My point is it
shouldn't be a problem in the first place. In a properly designed
client/server network once the client is joined to the network there
shouldn't be any need for users to ever have local administrator privileges.
Programs should be able to install for the user with user privileges.
Updates should be able to be pushed out by the server without any
interaction from the users. I know this is a ways off with Windows based
networks and SBS in particular but if we all complain loud enough the wait
for it to happen will be shorter :-)

This exists in 'nix and Netware environments. It needs to happen in Windows
as well or we will be forever chasing malware problems. Vista is a step in
the right direction but it needs to be made easy enough to use the built in
Vista security or users will find ways to turn it off. The SBS market is one
place where there are many installs administered by people who have grown up
in Windows environments and really don't understand how security should
work. These will be the people that will simply disable the security so the
warnings and problems go away.

--
Kerry
MS-MVP Windows - Shell/User
http://www.vistahelp.ca/forum/Forum.htm

