Steve Foster [SBS MVP] wrote:
> Kerry Brown wrote:
>>> On XP clients, this utility simply fails for non-administrative
>>> users. It's only because of UAC/LUA/etc on Vista that there's an
>>> opportunity to enter administrative credentials and have the
>>> utility do its thing (which is to install Outlook if necessary,
>>> configure IE, create entries in Network Places, etc.)
>>
>> I know that's the reason why. I still feel it's a bug. I don't like
>> the way it works with XP and it's worse with Vista. It is a big
>> security flaw forcing everyone to be a local administrator and goes
>> against the grain of the new security model in Vista. It will be a
>> major problem when deploying Vista workstations in a SBS environment
>> if you don't want everyone to be local administrators. There will be
>> no end of the users complaining about the UAC prompt, asking what
>> they should do, what's the password, etc. At least with XP you could
>> work around it. The SBS group rather than the Vista group will have
>> to fix it. If I complain about it every chance I get hopefully
>> sooner or later it will get through to the right people.
>
> I disagree with the idea that ordinary users should be granted
> administrative privileges on the workstation they use - so I don't do
> so.

I don't think we disagree here. I wholeheartedly agree that standard users
shouldn't have administrator privileges or access to a password that grants
this.

> It's trivial to eliminate the problem:
>
> * rename the standard SBS logon script, and put an empty script in
>   its place (keeps the wizards happy), or
> * comment out the invocation of the client setup utility, or
> * change it like this (use your favourite user account with local
>   administrative privileges):
>
>     if not "%username%"=="Installer" goto exit
>     \\server\clients\setup\setup.exe /s server
>     :exit
>
> That's three ways to fix it off the top of my head.

I also agree it's pretty easy to get around the problem. My point is it
shouldn't be a problem in the first place. In a properly designed
client/server network once the client is joined to the network there
shouldn't be any need for users to ever have local administrator privileges.
Programs should be able to install for the user with user privileges.
Updates should be able to be pushed out by the server without any
interaction from the users. I know this is a ways off with Windows-based
networks and SBS in particular but if we all complain loud enough the wait
for it to happen will be shorter :-)
This exists in 'nix and Netware environments. It needs to happen in Windows
as well or we will be forever chasing malware problems. Vista is a step in
the right direction but it needs to be made easy enough to use the built-in
Vista security or users will find ways to turn it off. The SBS market is one
place where there are many installs administered by people who have grown up
in Windows environments and really don't understand how security should
work. These will be the people that will simply disable the security so the
warnings and problems go away.
--
Kerry
MS-MVP Windows - Shell/User
http://www.vistahelp.ca/forum/Forum.htm