Business Version UAC and Program Access Issue

Guest

As brief as possible:
We are using Vista Small Business and have an admin and standard user
account. We need to always allow admin access, so this has to be set in
properties - compatibility - run as admin, correct? Then it will always run
this way in both the admin and standard account. Also in the standard account
we want to restrict what programs the standard user could access. How can we
deny access to IE and a few other programs? Are group policies the way to go,
and if so, how do you use them in Vista Business? Thanks
 
Ronnie Vernon MVP

Jason

Yes, set the option in the Compatibility tab. You will still get the UAC pop
up for confirmation.

Group Policy is the best way to do what you asked.

Go to the following website and download the Group Policy Settings
Reference. This is an Excel spreadsheet that contains all of the group
policy settings with a description of each setting.

Download details: Group Policy Settings Reference:
http://tinyurl.com/fmxvo
 
Rock

Jason said:
We are using Vista Small Business and have an admin and standard user
account. We need to always allow admin access, so this has to be set in
properties - compatibility - run as admin, correct? Then it will always run
this way in both the admin and standard account. Also in the standard account
we want to restrict what programs the standard user could access. How can we
deny access to IE and a few other programs? Is group policies the way to go
and if so how do you use them in Vista Business. Thanks

You only need to use Run as Administrator on the Compatibility tab if there
is a problem with the program running on Vista and compatibility mode is
needed. Otherwise right click the short cut to the program | Properties |
Shortcut tab | Advanced | Run as Administrator.

Note: this will cause the program to ask for admin credentials every time
it's run. A standard user will be prompted to provide the credentials of an
admin account, account name and password, to run it. Choosing Run as
Administrator does not remove the UAC prompts, it forces the prompts to
appear. An admin user will be prompted to elevate.

If the program doesn't need admin privileges to run, then don't set Run as
Administrator. In that case there will be no UAC prompts.

Hopefully I'm understanding your question and this helps.
 
Guest

OK, the issue is that the software does require this. So how can a regular
user access the program w/o an admin? I thought there is a way to save the
"token" so that the program will always use run as admin even with a normal
user.
 
Jimmy Brush

Hello,

Windows does not officially support forcing a program to run in an
admin context regardless of the privilege level of a user.

In Windows, programs can only use privileges that the user holds.

If you need a user to have admin power to run a certain program, then
they must be an administrator or be assigned as much privilege as is
necessary in order to successfully run the program.

That being said, there is a "hack" that can allow what you want: using
the /savecred option of the runas command-line tool with the built-in
"Administrator" account (you have to enable this account first).

But, be warned: THIS IS NOT SECURE. Once you use the /savecred option,
all of your users (and any malware that they run) can *easily* become
a full administrator, so if you do this, you are essentially making
your users administrators, without it appearing to be so.

- JB
 
Guest

OK, so how does this sound as a plan of attack. Disable UACs so that admins
and standard users can both run the program w/o having to select "run as an
admin"? Then we can use group policies to disable access to IE and a few
other programs for the two standard users.
 
Jimmy Brush

I thought your program required admin rights? Turning UAC off will not
make standard users have administrator powers. I guess I am not fully
understanding your problem.

- JB

OK, so how does this sound as a plan of attack. Disable UACs so that admins
and standard users can both run the program w/o having to select "run as an
admin"? Then we can use group policies to disable access to IE and a few
other programs for the two standard users.
 
Guest

Sorry, I think the issue is that I have not fully become familiar with how
Vista runs. The issue is that the program needs admin rights to run. So I
thought if UAC is turned off in Vista then the program automatically has
admin control because there is no UAC blocking access to the program anymore.
 
Guest

Also I just saw Vista Home today, I should have bought that for my business.
It would have solved my access issue MUCH EASIER with parental controls. You
can select what programs a standard user can use right in those controls!
Real simple, no need to dig through group policies like in my Business
version. Is there an easier way I can block regular users' access to certain
programs like in the home edition? Or do I have to figure out how to do it in
group policies?
 
Jimmy Brush

This is a correct understanding only if the user is an administrator.

This is incorrect if you are talking about standard users.

In Windows, users are assigned specific rights, and the programs that
a user runs are only allowed to use the rights that the user is
assigned.

The main thing that UAC does is to ensure that, if a user is logged in
as an administrator, and a program wants to use ALL of the privileges
assigned to the user (admin power), that the user is in fact aware of
that program and is the one running it, so as to prevent
administrative programs from running that the user did not start.

If the user is a standard user, then they do not have administrator
rights, so they will not be able to run a program that has to use
administrator privileges - regardless of whether UAC is on or off.

A program *must* be started by an administrator in order to have
administrator privileges.

This can be done from inside a standard user account by running a
program "as administrator" and entering a password for an
administrator - this is meant to allow an administrator to physically
walk to a user's computer and perform an admin action without needing
to log the user off and log in to their account.

And, there is the "hack" I mentioned, which works by saving the
username and password of an administrator on the computer, and using
that to log in to that admin account whenever your program is run, so
that it can run inside of an admin account without having the user
enter a password.

But, as I said, this is insecure - because it allows any standard user
to use this saved username and password of an admin to run whatever
program they want with admin privileges - in essence, this makes your
users administrators, because they have that ability, even though it
may not be immediately obvious to them.

- JB
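
An audit for the saved-credential workaround described in the post above, as an added example that is not part of the original thread. It assumes PowerShell 2.0 or later and an elevated prompt; the folder list and the match pattern are choices made for this example.

```powershell
# Added example: find shortcuts and batch files that call "runas /savecred".
# Assumes PowerShell 2.0+ and an elevated prompt so other profiles are readable.

# Per-user Desktop and Start Menu folders, plus the all-users Start Menu.
$roots = @("$env:ProgramData\Microsoft\Windows\Start Menu")
$roots += Get-ChildItem "$env:SystemDrive\Users" -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        Join-Path $_.FullName 'Desktop'
        Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu'
    }
$roots = @($roots | Where-Object { $_ -and (Test-Path $_) })

# runas (with or without .exe) followed somewhere later by /savecred.
$pattern = '\brunas(\.exe)?\b.*?/savecred\b'
$shell   = New-Object -ComObject WScript.Shell

$files = Get-ChildItem -Path $roots -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(lnk|bat|cmd)$' }

$findings = foreach ($f in $files) {
    if ($f.Extension -ieq '.lnk') {
        # Resolve the shortcut; runas may be the target or be passed to cmd.exe /c.
        $sc   = $shell.CreateShortcut($f.FullName)
        $text = "$($sc.TargetPath) $($sc.Arguments)"
    } else {
        # Batch files are flattened to one line, so a match is a lead to review.
        $text = (Get-Content $f.FullName -ErrorAction SilentlyContinue) -join ' '
    }
    if ($text -match $pattern) {
        New-Object PSObject -Property @{ File = $f.FullName; Command = $text }
    }
}

$findings | Format-List File, Command

# Saved credentials sit in the credential store of the account that ran
# runas /savecred, so repeat this part while logged on as each standard user.
cmdkey /list
```

Any stored administrator entry that `cmdkey /list` shows can be removed with `cmdkey /delete:<target>`, using the target name exactly as listed.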
 
GByrant

Also I just saw Vista Home today, I should have bought that for my business.
It would have solved my access issue MUCH EASIER with parental controls. You
can select what programs a standard user can use right in those controls!
Real simple, no need to dig through group policies like in my Business
version. Is there an easier way I can block regular users' access to certain
programs like in the home edition? Or do I have to figure out how to do it in
group policies?
Vista's parental controls are useless if you have a user with admin
rights since they can simply change the settings. The best option is a
third party parental control like PC Chaperone, the one we use for our
150+ workstations. Their website is http://www.pc-chaperone.com
 
Guest

I just need to block user access to programs for users with standard
accounts, so home would have worked for us. So I guess we are going to have
to buy a third party package. You recommend pc-chaperone, however their
website does not say if they are Vista capable and all the review sites state
that they are only capable up to XP. If not, any others you recommend?
 
GByrant

Actually it is now Vista compatible, which I know for a fact since I'm
running it on Vista. I had contacted them about this when I bought my
new machine and they told me that the latest version is Vista
compatible, but that their website has just not been updated to
reflect it.
 