Friday, February 16, 2007

User Account Control

If you're running Vista and you are logged on with an Administrator account (that is, an account that is a member of the Administrators group, but not the built-in Administrator account itself) and you double-click on the Personal Edition of User Profile Wizard, Vista will darken ominously and throw up the following User Account Control prompt:

Whaddaya mean IF you started this program? You mean you don't know? You're supposed to be a ten-billion-dollar Operating System, for crying out loud!

Now let me say right away that User Account Control (UAC) is a good thing. I'm as guilty as the next Tech of running with permanent Administrator permissions, so the additional level of security that UAC provides is only to be welcomed. However, I'm not convinced by the way Vista implements it.

If you are not logged on with an Administrator account, UAC makes more sense. When you run an application that requires Administrator credentials, you are prompted to enter those credentials.


If you are logged on with the Administrator account, then you are not prompted at all. The same goes if you are logged on with the Domain Administrator account - although again, not with just any Domain Admins account - which makes me think that UAC might just be looking for the Administrator RID in the user's SID. (In other words, a SID that ends in 500.)
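
As an added example (not code from the original post or from ForensiT), here is a small Python helper that pulls the RID out of a string SID and tests for the built-in Administrator RID of 500, the check the post speculates UAC may be making. It goes slightly beyond "ends in 500" by also verifying the S-1-5-21 machine/domain prefix, so that well-known SIDs under other authorities are not mistaken for an administrator. The sample SIDs are constructed; the machine/domain sub-authorities are made up.

```python
import re
from typing import List, Tuple

# Well-known relative identifiers (RIDs) documented by Microsoft.
RID_ADMINISTRATOR = 500   # built-in Administrator account (local machine or domain)
RID_GUEST = 501           # built-in Guest account

# A string SID: "S-1-<identifier authority>-<sub-authority>[-<sub-authority>...]"
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid: str) -> Tuple[int, List[int]]:
    """Split a string SID into (identifier authority, list of sub-authorities).

    The last sub-authority is the RID. Malformed input raises ValueError so a
    caller never treats garbage as "not an administrator" by accident.
    """
    if not _SID_RE.match(sid):
        raise ValueError(f"not a valid string SID: {sid!r}")
    parts = sid.split("-")
    return int(parts[2]), [int(p) for p in parts[3:]]


def rid_of(sid: str) -> int:
    """Return the relative identifier (last sub-authority) of a string SID."""
    return parse_sid(sid)[1][-1]


def is_builtin_administrator(sid: str) -> bool:
    """True only for the built-in Administrator account of a machine or domain.

    Such SIDs have the form S-1-5-21-<x>-<y>-<z>-500: NT authority (5), the
    S-1-5-21 prefix that identifies a machine or domain, three sub-authorities
    unique to that machine or domain, and RID 500. Checking only "ends in 500"
    would also match other authorities, so the prefix is verified too.
    """
    authority, subs = parse_sid(sid)
    return (authority == 5 and len(subs) == 5 and subs[0] == 21
            and subs[-1] == RID_ADMINISTRATOR)


# Constructed sample SIDs (the machine/domain sub-authorities are made up).
LOCAL_ADMIN_SID = "S-1-5-21-1004336348-1177238915-682003330-500"
OTHER_ADMIN_MEMBER_SID = "S-1-5-21-1004336348-1177238915-682003330-1105"
ADMINISTRATORS_GROUP_SID = "S-1-5-32-544"   # the local Administrators group itself

if __name__ == "__main__":
    for s in (LOCAL_ADMIN_SID, OTHER_ADMIN_MEMBER_SID, ADMINISTRATORS_GROUP_SID):
        print(f"{s}: RID {rid_of(s)}, built-in Administrator: {is_builtin_administrator(s)}")
```

Note that the string form alone cannot tell a local machine SID from a domain SID (both start S-1-5-21), which fits the post's observation that the local Administrator and the Domain Administrator accounts are treated the same way.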

If you are logged on with a different Administrator account, UAC makes a lot less sense. Take what happens when you right-click on a program or shortcut and select "Run as Administrator." You get the exact same "If you started this program, continue" message. This is crazy. If the purpose of UAC is to notify you when you need elevated permissions, why prompt you for what you've just explicitly requested?

Deleting files from a folder where you "only" have access via membership of the Administrators group is a real mess. Once you hit the delete key you get the normal confirmation "Are you sure you want to move these items to the recycle bin?" dialog box. Click Yes, and you are presented with a "Destination Folder Access Denied" dialog box asking you to confirm the operation. When you click "Continue" UAC kicks in, the screen darkens, and you see the UAC dialog saying "Windows needs your permission to continue." Click "Continue" again, and you get the "Are you sure you want to move these items to the recycle bin?" dialog box AGAIN. I defy anyone to tell me that this is a well thought out software design.

On OS X things are, as ever, slightly different. For example, changing the Mac's power saving options requires Admin permissions. Even if you are logged in with an Admin account, you still have to go through a second level of authentication to make the changes: first by clicking on the padlock:


Then by re-entering your credentials:

Is this a better solution? I'm not sure, but it does seem less disruptive than pausing the entire desktop.

Odd as it may seem, given that Vista took five years to develop, it is difficult not to conclude that UAC hasn't had enough development time. Anyone who tested the different Vista Betas will know that UAC went through many changes: Vista's release may well have just come too early for UAC to be the finished article.

However, we've got the UAC we've got, so we have to get on with it. As developers of administrative utilities it does provide us with a challenge. Vista allows developers to mark their applications (via the application manifest) with one of three execution levels:

  • asInvoker - The application runs with the same token as the parent process. (No UAC prompt.)
  • highestAvailable - The application runs with the highest privileges the current user can obtain. (No UAC prompt.)
  • requireAdministrator - The application runs only for administrators and requires that the application be launched with the full token of an administrator. (UAC prompt.)
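
For anyone who has not marked an application before, the following added example (not from the original post or from ForensiT) shows what the manifest fragment carrying the execution level looks like, generates one for any of the three levels, and reads the level back out of an existing manifest. The namespace URIs are the standard asm.v1/asm.v3 ones; the sample manifest is constructed.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# The three values the requestedExecutionLevel element accepts.
EXECUTION_LEVELS = ("asInvoker", "highestAvailable", "requireAdministrator")

ASM_V1 = "urn:schemas-microsoft-com:asm.v1"   # assembly manifest namespace
ASM_V3 = "urn:schemas-microsoft-com:asm.v3"   # namespace of the trustInfo element


def build_manifest(level: str, ui_access: bool = False) -> str:
    """Return an application manifest requesting the given execution level.

    Rejects anything other than the three documented values, which is the
    defect you most want caught at build time rather than at first launch.
    """
    if level not in EXECUTION_LEVELS:
        raise ValueError(f"unknown execution level {level!r}; expected one of {EXECUTION_LEVELS}")
    ui = "true" if ui_access else "false"
    return (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        f'<assembly xmlns="{ASM_V1}" manifestVersion="1.0">\n'
        f'  <trustInfo xmlns="{ASM_V3}">\n'
        '    <security>\n'
        '      <requestedPrivileges>\n'
        f'        <requestedExecutionLevel level="{level}" uiAccess="{ui}"/>\n'
        '      </requestedPrivileges>\n'
        '    </security>\n'
        '  </trustInfo>\n'
        '</assembly>\n'
    )


def _local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def requested_execution_level(manifest_xml: str) -> Optional[str]:
    """Extract the level attribute from a manifest, or None if no level is requested.

    The search is namespace-agnostic because trustInfo has been published under
    more than one asm.* namespace.
    """
    root = ET.fromstring(manifest_xml)
    for elem in root.iter():
        if _local_name(elem.tag) == "requestedExecutionLevel":
            level = elem.get("level")
            if level not in EXECUTION_LEVELS:
                raise ValueError(f"manifest requests unknown level {level!r}")
            return level
    return None


# Constructed sample: a manifest marked asInvoker, as the post says the Wizard must be.
SAMPLE_MANIFEST = build_manifest("asInvoker")

if __name__ == "__main__":
    print(SAMPLE_MANIFEST)
    print("requested level:", requested_execution_level(SAMPLE_MANIFEST))
```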

One of the features of the Corporate Edition of the Wizard is that you can provide the name of a local administrator account and an encrypted password on the command line, so that the Wizard can be started from the security context of a standard user account; for example, from a user's logon script. Marking User Profile Wizard with "requireAdministrator" won't work. If we did that, when the Wizard was called from the user's logon script they would be prompted to enter Administrator credentials. Not good. So we have to mark User Profile Wizard to run with the "asInvoker" execution level. This is fine, but it does mean that we have to handle the situation where the Wizard is run in GUI mode or where no Administrator credentials are passed on the command line. Generally, we just throw up a warning:


However, where User Profile Wizard is installed from the setup program, we can do something else. If you right-click an executable on Vista, choose Properties, and then click on the "Compatibility" tab, you have the option of setting the privilege level to run as Administrator. If you check the box, Vista writes a value named after the file path to the HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers registry key, with the data "RUNASADMIN". This is what the User Profile Wizard Corporate Edition Installer does. It means that when you start the Wizard from the Start menu, Vista runs it with elevated privileges.
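
Because the Layers key is exactly where an installer (or anything else) can quietly mark a program to auto-elevate, it is worth auditing. The following added example (not from the original post or from ForensiT) parses a "reg export" of the key and lists every entry carrying RUNASADMIN. It assumes the .reg file format and checks the per-machine HKLM Layers key as well as the HKCU one the post mentions; the sample export and its paths are constructed.

```python
import re
from typing import List, Tuple

# Both hives carry a Layers key: HKCU entries apply to one user, HKLM entries to everyone.
LAYERS_SUFFIX = r"\software\microsoft\windows nt\currentversion\appcompatflags\layers"

# Constructed sample of what "reg export" produces; the paths are made up.
# Some exports show the layer data prefixed with "~", so the parser tolerates it.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\Example\\Wizard.exe"="RUNASADMIN"
"C:\\Tools\\legacy.exe"="~ WINXPSP2 RUNASADMIN"
"C:\\Tools\\oldgame.exe"="256COLOR"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\Admin\\tool.exe"="RUNASADMIN"

[HKEY_CURRENT_USER\Software\Example\Settings]
"Path"="RUNASADMIN"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STRING_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r'\\(.)', r'\1', s)


def find_run_as_admin(reg_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (key, executable path, layer flags) for every Layers entry carrying RUNASADMIN."""
    hits = []
    in_layers = False
    current_key = ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            in_layers = current_key.lower().endswith(LAYERS_SUFFIX)
            continue
        if not in_layers:
            continue
        value_match = _STRING_VALUE_RE.match(line)
        if not value_match:
            continue   # default value, hex data or blank line: not a layer entry
        path = _unescape(value_match.group(1))
        flags = [f for f in _unescape(value_match.group(2)).split() if f != "~"]
        if "RUNASADMIN" in flags:
            hits.append((current_key, path, flags))
    return hits


if __name__ == "__main__":
    for key, path, flags in find_run_as_admin(SAMPLE_REG):
        print(f"{path}  [{key.split(chr(92))[0]}]  flags={' '.join(flags)}")
```

On a real machine the input would come from `reg export "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" layers.reg`; unexpected RUNASADMIN entries are worth explaining before the next user clicks "Continue" without reading.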

So everything's fine, right? Er... no. Let's rewind to where we wanted to run User Profile Wizard using the Administrator credentials on the command line. If we just use any Administrator account, what's going to happen? Well, we're going to see the UAC prompt at the top of this post all over again.

Under the covers, User Profile Wizard uses the CreateProcessWithLogonW Windows API function, which in turn relies on the "Secondary Logon" Service. CreateProcessWithLogonW requires that you specify a valid username and password, so - again - why the UAC prompt?

My guess is that it will be a while before any of our customers will be doing a major domain migration of Vista workstations. However, for the record, to avoid the UAC prompt when running User Profile Wizard from the command line on Windows Vista, you have a number of options. Firstly, you can specify the actual local Administrator account. Secondly, you can run the Wizard from a management application like SMS, Marimba, or ZENworks. Thirdly, if the machine is already joined to a domain, you can run User Profile Wizard from a script via a Group Policy. Finally, there is a fourth option: but I'll keep that for another post.

Wednesday, January 24, 2007

Wow! Is Vista really a $10bn Sedan?

So, what do you think of Vista? The reviews of Vista I've seen usually start with how good it looks - which is understandable. It does look good - especially if you can run the Aero desktop and you get the glass title bars and Flip 3D.

Ok, Flip 3D is a bit of a gimmick. But it does put the "Wow" in "The 'Wow' starts now", the slogan that shows up in just about all of Microsoft's marketing. For anyone who doesn't know, Flip 3D is the updated task switcher - what you get when you hit Alt+Tab. (To get the 3D version you press Win+Tab instead.) That's right... the task switcher.

Flip 3D gives a glimpse of what a 3D User Interface might look like. Don't be fooled by the marketing though: Vista is not it. What's more, there is no indication that Microsoft are pursuing any such radical redevelopment of the Windows User Interface. It wasn't always that way. Flip 3D is the impoverished descendant of an illustrious ancestor: the Microsoft Research TaskGallery project. The ghost of TaskGallery still haunts their website here. Anyone interested should read this article on The Register website dated 22nd January 2001 entitled Windows to go 3D… but not in Whistler. (Whistler was the codename for XP if, like me, you're hazy on Windows code names.)

The User Interface on Windows, on OS X, on Linux, on Solaris, is defined by the same desktop model that was developed by Xerox at PARC 30 years ago. Why is that? Familiarity, certainly, but you would think someone somewhere would take the desktop model on. Aren't there hundreds of millions of people around the world just as familiar with the 3D "User Interface" of the first-person shooter? User Interface development isn't simply about making computers easier and more intuitive to use. The User Interface defines not just how you do things, but what you can do.

Vista is far less radical than, say, Windows 95 was when it was launched. It might be hard to believe now, but Windows 95 was genuinely innovative; it brought 32bit computing and preemptive multitasking into the mainstream, allowing you to run multiple applications at the same time. Admittedly it took a while for processor speeds and memory sizes to reach a level where running multiple applications was easy, but the possibility was there in the Operating System. Windows 95 changed what you could do with a Personal Computer.

Perhaps we've reached the point where Operating Systems have become like cars: each new model does the same basic job that the previous model did, except just a bit more efficiently. Here in the UK, the car maker Audi is showing a TV ad which ends with the line, "To date, NASA have filed 6,509 patents. To get to the A6, Audi have filed 9,621 patents." And? They've built a car. It does the things cars do: start, stop, get stuck in traffic, that kind of stuff. If we have reached the point where Operating Systems have become like cars, it isn't because there's no other choice.

At the UK business launch of Vista, Microsoft's UK managing director Gordon Frazer said Vista cost $10bn to develop. Let me just spell that out for you: 10,000,000,000 dollars. Now if I gave you $10bn (and the source code for XP) and told you to go away and design an Operating System, is Vista what you would come back with? If you start Vista and go to the "Welcome Centre" and then click on "What's new in Windows Vista" what is it that Microsoft themselves want to tell us? The top three are Search from within folders. Organize files in new ways. Keep devices in sync. Is that what they mean by Wow?

There's probably a serious point to be made about competition here - or the lack of it. It's not that (near) monopoly suppliers don't invest in developing their products; it is more that they don't know what to invest in. AMD and Intel are a good example. If it wasn't for AMD we wouldn't have multi-core 64bit processors on the desktop, and Intel would be spending even more millions still trying to perfect Itanium, the processor no one wants. With Linux suppliers desperately trying to make the Linux desktop look as much like Windows as possible (otherwise, the argument goes, no one will switch; when the opposite is more likely to be true: if it looks the same, there's no reason to switch) there is little competition to drive innovation.

This is not to say that Vista is a bad operating system - far from it. Vista is a seriously good operating system. It's just that it is a deeply conservative, risk-averse, play-it-safe operating system. Vista doesn't change anything.

One of the things both users and developers have to get used to in Vista is User Account Control (UAC). Next time I'll go into the changes we're making in User Profile Wizard to handle it.

Thursday, November 02, 2006

Fixing Temporary Profiles and User Profile Wizard 2.5

One of the best things about User Profile Wizard is that it is extremely reliable. At ForensiT we spend quite a lot of time helping customers get their migration scripts right, but once everything is working it tends to stay working. There is, however, one support question that keeps coming back to haunt us. What is even more frustrating is that it isn't even our problem.

A typical support call will begin like this:
I used your User Profile Wizard tool to migrate my workstations to a new domain a few months ago, and at the time everything went great. Recently, however, several users have tried to log in to their workstations and they receive an error message stating that the profile is corrupt (or something) and Windows loads a temporary profile.
What the user is seeing is this:

Cannot load profile

It's that phrase "corrupt local profile" that is really scary. (Users tend to skip over the "Possible causes of this error..." part, and just read that.) If the user then clicks "OK" they get this message:


Temporary profile

The good news is that the profile is not corrupt. If we check the computer's Application Event Log we can see the following error:


Event 1508

In this case, salvation is in the DETAIL: "The process cannot access the file because it is being used by another process..." The file in question is ntuser.dat - the file that holds the registry part of the user's profile; which is to say, the data that you see under HKEY_CURRENT_USER if you run regedit when the user is logged on. So what's going on?

Here's the deal: Windows cannot load the same profile twice. Windows cannot load the profile here, because it is already loaded for someone else.

How could that be? One possibility is that the profile has already been loaded by a process, such as a Service, which uses the credentials of an account that shares the user profile of the user who is trying to log in. To get the screenshots above, I changed the configuration of the WMI Performance Adapter Service on a test machine so that it logged on with the local Administrator account:

WMI Service


I then ran User Profile Wizard so that my account would share the profile of the local Administrator account, and then I tried to log on...

We do sometimes see the "cannot load profile" error caused in this way - but not often. Usually the problem occurs because the user has logged on with, say, their local account, logged off and then logged on again with their domain account - which just happens to share the same profile as their local account. In theory this shouldn't be a problem: when the user logs off, Windows should unload their profile, so that if they log on with a different account that uses the same profile it won't be "being used by another process." Often - usually - that's the case. Unfortunately, it doesn't always work that way.
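
To turn the diagnosis above into something a help desk can run, here is an added example (not from the original post or from ForensiT) that picks Userenv event 1508 entries out of an Application log export, distinguishes the "being used by another process" DETAIL from other causes, and then cross-checks the profile against a list of services and the accounts they log on with, as in the WMI Performance Adapter scenario. The event lines and the service inventory are constructed (pipe- and comma-delimited respectively), and matching the profile folder name to an account name is a heuristic, since the folder is normally but not always named after its owner.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample Application log entries (pipe-delimited: time|source|id|level|message).
# Not a real export; the wording follows the post's description of event 1508.
SAMPLE_EVENTS = """\
2006-11-02 09:12:04|Userenv|1508|Error|Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights. DETAIL - The process cannot access the file because it is being used by another process. for C:\\Documents and Settings\\Administrator\\ntuser.dat
2006-11-02 09:12:05|ExampleApp|1000|Information|Application started.
2006-11-02 10:40:13|Userenv|1508|Error|Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights. DETAIL - Access is denied. for C:\\Documents and Settings\\jsmith\\ntuser.dat
"""

# Constructed service inventory (name,display name,log-on account): the fields
# "sc qc" reports as SERVICE_NAME, DISPLAY_NAME and SERVICE_START_NAME.
SAMPLE_SERVICES = """\
wmiApSrv,WMI Performance Adapter,.\\Administrator
Spooler,Print Spooler,LocalSystem
Dhcp,DHCP Client,NT AUTHORITY\\NetworkService
BackupAgent,Example Backup Agent,CORP\\backupsvc
"""

BUILT_IN_ACCOUNTS = {"localsystem", "localservice", "networkservice"}
IN_USE_RE = re.compile(r"being used by another process", re.IGNORECASE)
HIVE_RE = re.compile(r"for\s+(?P<path>[A-Za-z]:\\.*?ntuser\.dat)", re.IGNORECASE)


@dataclass
class ProfileLoadFailure:
    time: str
    event_id: int
    in_use: bool                 # DETAIL says the hive is held open by another process
    hive_path: Optional[str]     # path to ntuser.dat named in the message

    @property
    def profile_dir(self) -> Optional[str]:
        return self.hive_path.rsplit("\\", 1)[0] if self.hive_path else None

    @property
    def profile_user(self) -> Optional[str]:
        # Heuristic: the profile folder is normally named after the account that owns it.
        return self.profile_dir.rsplit("\\", 1)[-1] if self.profile_dir else None


def profile_load_failures(events_text: str) -> List[ProfileLoadFailure]:
    """Pick out Userenv event 1508 entries and classify why the hive failed to load."""
    failures = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        time, source, event_id, _level, message = line.split("|", 4)
        if source != "Userenv" or int(event_id) != 1508:
            continue
        match = HIVE_RE.search(message)
        failures.append(ProfileLoadFailure(
            time=time,
            event_id=int(event_id),
            in_use=bool(IN_USE_RE.search(message)),
            hive_path=match.group("path") if match else None,
        ))
    return failures


def account_name(start_name: str) -> str:
    """Drop the '.\\' or DOMAIN\\ prefix of a service log-on account and lower-case it."""
    return start_name.rsplit("\\", 1)[-1].lower()


def services_logging_on_as(services_text: str, user: str) -> List[str]:
    """Names of services configured to log on with the given (non built-in) account."""
    hits = []
    for line in services_text.splitlines():
        if not line.strip():
            continue
        name, _display, start_name = line.split(",", 2)
        account = account_name(start_name)
        if account in BUILT_IN_ACCOUNTS:
            continue
        if account == user.lower():
            hits.append(name)
    return hits


def diagnose(events_text: str, services_text: str) -> Dict[str, List[str]]:
    """For each hive reported as in use, list the services that log on with the matching account."""
    result: Dict[str, List[str]] = {}
    for failure in profile_load_failures(events_text):
        if failure.in_use and failure.profile_dir:
            result[failure.profile_dir] = services_logging_on_as(services_text, failure.profile_user)
    return result


if __name__ == "__main__":
    for profile_dir, services in diagnose(SAMPLE_EVENTS, SAMPLE_SERVICES).items():
        print(f"{profile_dir}: hive in use; services logging on with this account: {services or 'none found'}")
```

An empty service list for an in-use hive points at the other cause the post describes: a profile that was never unloaded at the previous log-off.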

This is such a common problem that there is even a Microsoft Knowledge Base article on the subject. You can find it here: http://support.microsoft.com/default.aspx?scid=kb;en-us;837115

The article states:
This issue may occur if Microsoft Windows or third-party programs such as printer drivers or virus scanners do not stop and release resources when you log off your computer.
The fix given is to install the Microsoft User Profile Hive Cleanup Service (UPHClean). Unfortunately, although this works in many cases, some customers report that it does not. What's more, you shouldn't really need to install a new piece of software if all you want to do is migrate a user's workstation - and the user's profile - to a new domain.

So what to do? What we've done in User Profile Wizard 2.5 is simply to have the Wizard not share the profile (by default). So, for example, say you have to migrate a machine from Novell NDS to Active Directory. You run User Profile Wizard to join the machine to the new domain and migrate the user's existing local account profile so that it can be used by their new domain account. By default, once User Profile Wizard 2.5 has completed the migration it will break the link between the original local user account and the original profile. When the user logs on with their new domain account, they get the profile they have always had. If, however, they log on with their original local account, Windows will create a new profile for the local account.

If you want to continue to share the profile, so that it is used by both accounts, you must check the "Share Profile" check box:

Temporary profile

Running from the command line, you need to use the /NOREMOVE switch. Be aware, however, that some piece of software on the machine might cause you to get the temporary profile error.

User Profile Wizard is essentially a migration tool. If a profile needs to be used regularly by more than one user account, you should be looking at User Profile Manager. Windows cannot load the same profile twice, but User Profile Manager can.

That's it for this post. Next time I'll discuss some of the features of Vista, and the changes we've had to make to User Profile Wizard.