After a successful compiled application, I transferred the executable to a network drive with the post-build event in VS. Every time I start my project, it is opened under my user credential but it needs administrators privilege to run like expected. So VS ask me if I want to close VS and restart it under admin privilege. After that, VS looses my connected network drives because it runs under administrator, not my own credential. If I go in command prompt with admin privilege and type "Net Use" command, there is no network drives attached. After mapping the missing drives, VS is able to compile like expected.
Now, my question is, when I go to command prompt with admin privilege, what is my credential? If I type "whoami", I get my own user name but it is not totally true because there is no mapped network drives like under command prompt without admin privilege. Even if my user is under local administrators group...
We can add a value in the registry to synchronize mapped network drives between linked tokens. This is documented under Some Programs Cannot Access Network Locations When UAC Is Enabled in TechNet:
To work around this problem, configure the EnableLinkedConnections registry value.
The registry key is
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
The EnableLinkedConnections value is a DWORD set to 1 to share mapped drives between linked tokens or to 0 for the default behaviour.
Related
I have a batch file which starts a PowerShell script, set on startup, via Windows Task Scheduler.
As the PowerShell script needs to stop a specific network card after running, it needs administrative privileges. So I checked the box "run with highest privileges".
The PowerShell script uses Test-Path "filesystem::\\network-share\Test" to check if the path is accessible. I also tried using the assigned drive letter directly. All is only run after logon, so the user which has access to the shared directory is already fully logged in.
Both fail to run at startup, even if the IP of the share is reachable. It works fine if I run the same with right-click "run as administrator".
I think it's because "run with highest privilege" is kind of independent of the logged-in user so has no access to the share drive?
I do not want to store the credentials for accessing the share drive within the script.
I have 2 machines, one is Windows 10 and the other is Windows 7, recently whenever I download a file on Windows 10 machine directly on my External Hard Disk and detach it from that machine and try to attach it to windows 7 machine, I have no access to any of the downloaded files it gives me access denied. I can access folders and see the files are present but cannot open them.
To solve this issue I have to manually assign permission to each files by first taking ownership of that file for "Everyone" account and then assigning "Everyone" full control.
I have tried to take the ownership of the folder but receives the error of access denied for each files when selecting the option of "Permission Inheritance for files and Sub Folder"
I have even tried to write a PowerShell to assign permission but the situation does not change it returns with an access denied error. FYI, PowerShell window is opened as Administrator by selecting Run as administrator.
Even if I run the intended application as Administrator it will still not work it will still give me Access Denied.
The only workaround I found was to perform the above actions of individual file ownership and permission assignment.
It would of great help is someone can provide a permanent solution to this issue.
BTW, The external hard drive which I use is WD drive and its with me for than 5 year now and never encounter this issue in the past.
And the files in questions are Photos, videos, documents and mp3.
This is neither a PowerShell nor a programming issue, so the question would be more suitable for SuperUser.
Creating a file on removeable media on one system and then trying to access that same file on a different system will normally fail unless you took precautions to make the data accessible from other systems. That is because even though users and groups may have the same name on both systems they still have different SIDs (which is what the system actually uses to decide whether access is or isn't allowed).
To grant a user on a different system access to the file you have to take ownership and grant the user(s) on that system access.
takeown /f x:\ /a /r /d y
icacls x:\ /reset /t /c
icacls x:\ /grant administrators:(oi)(ci)f username:(oi)(ci)rx
Note that adjusting ownership and permissions of a single file usually does not suffice. The user must be able to at least traverse the entire path to that file. Similarly taking ownership and adjusting permissions on a folder may not suffice unless the files in that folder inherit their permissions from the folder. If they don't you need to take ownership of the files and adjust their permissions as well.
The above 3 commands recursively take ownership of everything on drive X:, reset permissions to enable inheritance, and grant access to the Administrators group (full control) and the user "username" (read and execute).
With that said, you can prepare permissions so that files are accessible on different systems without the need to take ownership and adjusting permissions on the target system. There are a number of principals and groups that have the same well-known SID on all Windows systems, e.g.
Everyone (S-1-1-0)
Administrators (S-1-5-32-544)
Users (S-1-5-32-545)
Authenticated Users (S-1-5-11)
Granting access for instance to the group "Users" should make your data accessible across different systems.
Install a separate hard drive or prepare a separate partition for each operating system.
Install the operating systems. For example, if your PC has Windows 8.1, install Windows 10 onto the other hard drive or partition.
Reboot the PC. The boot menus should appear with both operating systems listed.
If both operating systems aren't listed:
Open a command line, either as an administrator from inside Windows, or by booting to a command line using the Windows installation disk and presssing Shift+F10, or by booting to Windows PE (WinPE: Create USB Bootable drive).
Add boot options for a Windows operating system.
Bcdboot D:\Windows
Reboot the PC. Now, the boot menu will show both menu options.
Let’s give permission to the file and check if that helps. Follow these steps to give permission to the drive.
Right-click on the file which you’re unable to access and select Properties.
Click on the ‘Security’ tab and under ‘Group or user names’ click on ‘Edit’.
Click on ‘Add’ and type ‘everyone’.
Click on ‘Check names’ and then click ‘OK’.
Select ‘everyone’ and under ‘Allow’ select ‘Full control’ and click
on ‘Apply’ and Click ‘Ok’.
Hope this helps.
I have a Delphi 6 program that for most users installs fine while running under a user account without admin privileges. However, on some systems it triggers a request for admin rights. Unfortunately mine isn't one of them so it's hard for me to diagnose this problem. I use InnoSetup 5.1.9 to build my install programs.
How can I figure out what I need to change about my installation program's configuration to neutralize the need for admin rights on some people's systems? It's causing trouble for my system because during installation, certain program data files are being copied into the admin account's application data folder. Then when my program is launched under a user account, those files can not be found since they are not in the user account application folder, where they are expected to be.
This happens due to default PrivilegesRequired directive value, which is, by default configured to require administrator elevation. If you don't need this, simply change in your InnoSetup script, value of this directive explicitly to something like this:
[Script]
PrivilegesRequired=lowest
From the reference:
When PrivilegesRequired is set to lowest, Setup will not request to be
run administrative privileges even if it was started by a member of
the Administrators group. Additionally, the uninstall info root key
will always be HKEY_CURRENT_USER, and the "common" forms of the Shell
Folder constants are mapped to the "user" forms, even if
administrative privileges are available.
I need to forbid to uninstall an application (not a service!) by a user w/o some special rights. How to do this? installation will be done by domain administrator
thanks for your time
[EDIT] also I need to prevent removing the application from windows startup
[EDIT1] to clarify: application is simple and is installed in its folder and added to windows startup (actually to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry). What I need exactly is to forbid to remove this folder and this registry key, for ordinal users, not for local admins.
[updated]
the file location is easy. That is simple revoking write permission on the folder and all its subfolders and files for Builtin\Users, and giving Builtin\Administrators full permmision. You can set this via the Explorer, properties-> permissions or commandline wise with cacls (or icalcs if you're on win7)
The regkey is on my win7 box already only readable (not writeable) by Users and read/write by local admins (regedit -> Context menu -> Persmissions).
If it still doesn't behave like you want figure out what groups a normal user is in (also domain groups) and then check how those groups are propagated to the local machine.
And as sugested by Ben in the comments, you might start a new question on Server Fault.
[end update]
[before edite response]
I doubt you can disallow the uninstall of 'one' application. By means of a Group Policy you can "Pohibit removal of updates"
(in GPedit.msc under Computer Config/Admin templates/windows components/windows installer)
The Group Policy is set by a domain admin and is enforced across the domain so it doesn't require 'persmissions'. But you need off course to also prevent local admins from editing the local group policy.
Another more daunting option would be to use a group policy in the Software Rectriction part of Security Settings. Here you can enter a path policy for the name of the msi or exe file that you do not want to be run.
Both require validating/testing to prevent that to much restriction prevent everybody from starting anything...
If an application requires administrative rights to be installed, then non-administrators will not have permission to remove it.
If the users have local administrative rights, then you can't prevent anything.
We have an application that programmatically maps network drives. On Vista with UAC on, we get some strange issues.
Our application maps the drive non-elevated, so if the user browses explorer and double clicks to run an exe, it prompts for UAC. So when they approve it, it prompts for a username/password for the share... Strange since the credentials are saved.
It turns out, an elevated process cannot access a mapped drive that was mapped from a non-elevated process.
To see this issue in action, do the following steps:
Run cmd.exe with no UAC
Run "net use w: \yourHostname\yourShare /user:yourUser yourPassword /persistent:yes"
Run cmd.exe as Administrator
Type "w:", and see the error message
At this point you can run plain "net use" and see the connection on the elevated cmd is Unavailable but the other non-elevated cmd sees it as OK.
Does anyone know a workaround to fix this issue? or maybe a way to map a network drive to "All Users"?
This is by design.
Even though the user account is the same, with the elevated version having a token with membership in the administrator group and addition privileges, the tokens are created independently and thus have different LUID's and appear to the kernel to be from different user logons. Since they are from different logons, mapped drives are not shared between them.
http://blogs.msdn.com/cjacks/archive/2007/02/19/mapped-network-drives-with-uac-on-windows-vista.aspx discusses this in additional detail.
Check out this link: Regedit Link
They describe a registry key that allows elevated users to access mapped drives and vice versa. This solves all my issues and was exactly what I was looking for.
EDIT:
The original link is dead, but here's the text as copied from the Jan 24, 2009 snapshot at www.archive.org:
If you are finding that you don't have access to mapped drives from your admin token try the following. When running as a protected admin you have two tokens and this key will maintain the connection for both tokes (that is my understanding anyway). It can also help to clear up issues with Login scripts.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableLinkedConnections =(dword)1
Also of use is the "'Group Policy Scripts can fail due to User Account Control" section of this doc.
http://technet2.microsoft.com/WindowsVista/en/library/5ae8da2a-878e-48db-a3c1-4be6ac7cf7631033.mspx?mfr=true
I will be posting more information on this soon.