Friday, February 16, 2007

User Account Control

If you're running Vista and you are logged on with an Administrator account (but not the Administrator account) and you double click on the Personal Edition of User Profile Wizard, Vista will darken ominously and throw up the following User Account Control prompt:

Whaddaya mean IF you started this program? You mean you don't know? You're supposed to be a ten billion dollar Operating System, for crying out loud!

Now let me say right away that User Account Control (UAC) is a good thing. I'm as guilty as the next Tech of running with permanent Administrator permissions, so the additional level of security that UAC provides is only to be welcomed. However, I'm not convinced by the way Vista implements it.

If you are not logged on with an Administrator account, UAC makes more sense. When you run an application that requires Administrator credentials, you are prompted to enter those credentials.

If you are logged on with the Administrator account, then you are not prompted at all. The same goes if you are logged on with the domain Administrator account, although again, not just any Domain Admin account, which makes me think that UAC is just looking for the Administrator RID in the user SID (in other words, a SID that ends in 500). That guess is right: by default Vista puts every member of Administrators into Admin Approval Mode except the built-in RID-500 Administrator account, and the security policy that controls the exception is even named after it ("User Account Control: Admin Approval Mode for the Built-in Administrator account", disabled by default). Renaming the account changes nothing; the RID is what is checked.

If you are logged on with a different Administrator account UAC makes a lot less sense. Take what happens when you right-click on a program or shortcut and select "Run as Administrator." What happens is that you get the exact same "If you started this program, continue" message. This is crazy. If the purpose of UAC is to notify you when you need elevated permissions, why prompt you for what you've just explicitly requested? (Under the covers the answer is that the prompt is the consent step itself: an Administrators member in Admin Approval Mode logs on with a filtered token, and "Run as Administrator" is a request to switch to the full token, which UAC will not do without asking. That doesn't make the experience any less redundant from where the user sits.)

Deleting files from a folder where you "only" have access via membership of the Administrators group is a real mess. Once you hit the delete key you get the normal confirmation "Are you sure you want to move these items to the recycle bin?" dialog box. Click Yes, and you are presented with a "Destination Folder Access Denied" dialog box asking you to confirm the operation. When you click "Continue" UAC kicks in, the screen darkens, and you see the UAC dialog saying "Windows needs your permission to continue." Click "Continue" again, and you get the "Are you sure you want to move these items to the recycle bin?" dialog box AGAIN. I defy anyone to tell me that this is a well thought out software design.

On OS X things are, as ever, slightly different. For example, changing the Mac's power saving options requires Admin permissions. Even if you are logged in with an Admin account, you still have to go through a second level of authentication to make the changes: first by clicking on the padlock:

Then by re-entering your credentials:

Is this a better solution? I'm not sure, but it does seem less disruptive than pausing the entire desktop.

Odd as it may seem, given that Vista took five years to develop, it is difficult not to conclude that UAC hasn't had enough development time. Anyone who tested the different Vista Betas will know that UAC went through many changes: Vista's release may well have just come too early for UAC to be the finished article.

However, we've got the UAC we've got, so we have to get on with it. As developers of administrative utilities it does provide us with a challenge. Vista allows developers to mark their applications (via the application manifest) with one of three execution levels:

  • asInvoker - The application runs with the same token as the parent process. (No UAC prompt; if the parent is not elevated, neither is the child.)
  • highestAvailable - The application runs with the highest privileges the current user can obtain. (No UAC prompt for a standard user, who just gets their standard token; an administrator in Admin Approval Mode is prompted for consent so that the full token can be used.)
  • requireAdministrator - The application requires the full administrator token and will not start without it. (UAC prompt: consent for an administrator, a request for administrator credentials for a standard user.)

One of the features of the Corporate Edition of the Wizard is that you can provide the name of a local administrator account and an encrypted password on the command line so that the Wizard can be started from the security context of a standard user account; for example, from a user's logon script. Marking User Profile Wizard with "requireAdministrator" won't work. If we did that, when the Wizard was called from the user's logon script the user would be prompted to enter Administrator credentials. Not good. So we have to mark User Profile Wizard to run with the "asInvoker" execution level. This is fine, but it does mean that we have to handle the situation where the Wizard is run in GUI mode, or where no Administrator credentials are passed on the command line, and the process therefore only holds whatever token its parent had. Generally, we just throw up a warning:

However, where User Profile Wizard is installed from the setup program, we can do something else. If you right-click an executable on Vista, choose Properties, and then click on the "Compatibility" tab, you have the option of setting the privilege level to run as Administrator. If you check the box, Vista writes a value under the HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers registry key whose name is the full path of the executable and whose data is "RUNASADMIN." This is what the User Profile Wizard Corporate Edition Installer does. It means that when you start the Wizard from the Start menu, Vista asks for elevation and runs it with the full token. Note that because the value lives under HKCU it only applies to the user whose hive was written; the equivalent key under HKLM applies to everyone on the machine.
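As an added illustration of the two pieces just described (this is example code written for this post, not ForensiT's code and not anything the Wizard ships), the PowerShell below checks whether the current process already holds the full administrator token, so that an asInvoker-marked tool can warn instead of failing half-way through, and sets the RUNASADMIN compatibility layer for an executable path the way the Compatibility tab does. The executable path and the choice between HKCU and HKLM are the example's own assumptions.

```powershell
# Added example, not part of User Profile Wizard. Assumes a UAC-enabled
# Windows machine; the caller may or may not be elevated.

function Test-Elevated {
    # In Admin Approval Mode a member of Administrators logs on with a
    # filtered token: the Administrators group is present but marked
    # deny-only, so IsInRole returns $false until the process has been
    # elevated through UAC. The built-in RID-500 account is not filtered.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-BuiltInAdministrator {
    # The built-in Administrator account, local or domain, always has RID 500,
    # and that RID, not the name, is what UAC exempts by default.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    return $sid.EndsWith('-500')
}

function Set-RunAsAdminLayer {
    param(
        [Parameter(Mandatory=$true)] [string] $ExePath,
        [switch] $AllUsers     # assumption: HKLM for every user, otherwise HKCU
    )
    # Mirrors the "Run this program as an administrator" checkbox: the value
    # name is the full path of the executable, the data is RUNASADMIN.
    $hive = if ($AllUsers) { 'HKLM:' } else { 'HKCU:' }
    $key  = "$hive\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $ExePath -Value 'RUNASADMIN' `
        -PropertyType String -Force | Out-Null
}

# Usage, as an asInvoker-marked tool might at startup:
if (Test-BuiltInAdministrator) {
    Write-Host 'Running as the built-in Administrator; UAC will not prompt.'
}
elseif (-not (Test-Elevated)) {
    Write-Warning 'Not elevated: re-run from an elevated prompt or use "Run as administrator".'
    # Relaunching through the "runas" verb is what the context-menu item does
    # and is what triggers the consent prompt:
    # Start-Process -FilePath $PSCommandPath -Verb RunAs
}
else {
    # Placeholder path; the installer would pass its real install location.
    Set-RunAsAdminLayer -ExePath 'C:\Path\To\Wizard.exe'
}
```

Writing the HKLM variant needs an elevated process, which is why the example only does it once Test-Elevated has passed. On Vista the data is the bare word RUNASADMIN as the post says; recent Windows versions prefix it with "~ ", so check an existing entry on the target OS before relying on the exact string.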

So every thing's fine, right? Er... no. Let's rewind to where we wanted to run User Profile Wizard using the Administrator credentials on the command line. If we just use any Administrator account, what's going to happen? Well, we're going to see the UAC prompt at the top of this post all over again.

Under the covers, User Profile Wizard uses the CreateProcessWithLogonW Windows API function, which in turn relies on the "Secondary Logon" Service. CreateProcessWithLogonW requires that you specify a valid username and password, so - again - why the UAC prompt? The reason is that valid credentials are not the same thing as the full token. The logon that CreateProcessWithLogonW performs is an interactive one, and on Vista an interactive logon for any member of Administrators other than the RID-500 account produces a filtered token, exactly as if that user had logged on at the console. Anything that then needs the full token has to go through elevation, and elevation is the prompt.

My guess is that it will be a while before any of our customers will be doing a major domain migration of Vista workstations. However, for the record, to avoid the UAC prompt when running User Profile Wizard from the command line on Windows Vista, you have a number of options. Firstly, you can specify the actual local Administrator account, the RID-500 one; bear in mind that it is disabled by default on a clean Vista install, so it may need enabling first. Secondly, you can run the Wizard from a management application like SMS, Marimba, or ZENworks, whose agent already runs as a service with a full token. Thirdly, if the machine is already joined to a domain, you can run User Profile Wizard from a script via a Group Policy. Finally, there is a fourth option: but I'll keep that for another post.
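To make the first option concrete, here is an added PowerShell example (written for this post, not the Wizard's own code): before starting a process under the credentials you intend to pass on the command line, it resolves the account to its SID, warns if it is not the RID-500 account (whose logon is the one UAC does not filter), checks that the account is actually enabled, and then launches the program. Start-Process -Credential hands the user name and password to .NET's Process.Start, which calls CreateProcessWithLogonW and so takes the same Secondary Logon path the post describes. The account name and program path are placeholders; the enabled check uses the ADSI WinNT provider and is for local accounts only.

```powershell
# Added example, not ForensiT's code. Assumes a UAC-enabled Vista-or-later
# machine; 'Administrator' and the program path are placeholders.

function Get-AccountSid {
    param([Parameter(Mandatory=$true)] [string] $Account)  # 'Administrator' or 'DOMAIN\Administrator'
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Test-BuiltInAdministratorAccount {
    param([Parameter(Mandatory=$true)] [string] $Account)
    # UAC keys on RID 500, not on the name, which may have been renamed.
    return (Get-AccountSid $Account).EndsWith('-500')
}

function Test-LocalAccountEnabled {
    param([Parameter(Mandatory=$true)] [string] $Account)
    # ADSI WinNT provider: available on Vista, where Get-LocalUser is not.
    $user = [ADSI]"WinNT://./$Account,user"
    return -not [bool]$user.AccountDisabled.Value
}

function Start-AsAccount {
    param(
        [Parameter(Mandatory=$true)] [string] $Account,
        [Parameter(Mandatory=$true)] [System.Security.SecureString] $Password,
        [Parameter(Mandatory=$true)] [string] $FilePath,
        [string[]] $ArgumentList
    )
    if (-not (Test-BuiltInAdministratorAccount $Account)) {
        Write-Warning "$Account is not the RID-500 account. Its logon gets a filtered token, so anything needing the full token will still hit the UAC prompt."
    }
    if (-not (Test-LocalAccountEnabled $Account)) {
        throw "$Account is disabled (the default for the built-in Administrator on a clean Vista install)."
    }
    $cred = New-Object System.Management.Automation.PSCredential($Account, $Password)
    # -Credential goes through CreateProcessWithLogonW / the Secondary Logon service.
    $startArgs = @{ FilePath = $FilePath; Credential = $cred; PassThru = $true }
    if ($ArgumentList) { $startArgs.ArgumentList = $ArgumentList }
    return Start-Process @startArgs
}

# Usage. In the real scenario the password comes from the Wizard's own
# encrypted command-line argument; here it is prompted for, never a literal.
# $pw = Read-Host -AsSecureString 'Administrator password'
# Start-AsAccount -Account 'Administrator' -Password $pw -FilePath 'C:\Path\To\Wizard.exe'
```

If the warning fires, supplying a different set of administrator credentials will not help; only the RID-500 account, or one of the other three options in the post, avoids the prompt.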
