Discussion:
Sept. patches changed UAC?
Hammer, Erich F
2014-10-16 18:40:58 UTC
Permalink
All,

I'm pretty new here, so if this is too far off topic, please let me know. It's not about *managing* patches, but it is about the probable effect(s) of a patch(es) that have been deployed (and hoping someone knows which one).

Ever since I have rebooted each of my Win7, administrative workstations -- the first one last week for the first time since the September updates -- I'm experiencing a problem related to running utilities as other AD accounts. These are not actions a "normal" user would see, and probably many sysadmins won't notice either (depending on their setups). This is really hampering my ability to administrate (AD, GPOs, SCCM, etc.).

Background: As a best practice, my "user" AD account not an admin on my computers and neither is my "sysadmin" account with additional (but not domain admin) rights to AD, servers, etc.. I've been perfectly functional for many years this way (XP required some tricks, but Vista/Win7 worked great). Apps/MMCs that made local, system changes I would run under a local admin account. Utilities that manage server/domain-type setting/services could be run under the appropriate account (usually sysadmin) with a simple Run as Administrator selection.

Symptoms: At first, my management utility shortcuts did not ask for credentials. They just opened under my user credentials with which I logged in. Strangely, the "run as admin" checkbox was cleared. Fixing that or if I right-click and choose run-as administrator, I am prompted for credentials and then stopped with a window popping up with the message "The requested operation requires elevation."

I can still open things with domain admin credentials, but that is only useful for some operations (and not too safe either). I can still use local admin creds (for local things). I would like to avoid giving local admin rights to my domain-based, sysadmin account.

I'm not having any luck searching on this (mostly finding "how to disable UAC" which is locked on via GPO). Does anyone here have any ideas what changed and which patch may be the cause? Has anyone else even noticed this problem?

Thanks,
Erich

--
erich-8+1tKT+***@public.gmane.org CAS Computing Services
518-442-2651 University @ Albany

"The way to see by faith is
to shut the eye of reason." -- Benjamin Franklin
Daniel Ratliff
2014-10-16 19:13:24 UTC
Permalink
Run RSOP.msc and check out the Local Security settings for UAC. Verify if GPO is still being applied and what settings it is setting.



[cid:image001.png-gbKlLFdEHCEvLJY+***@public.gmane.org]



Daniel Ratliff





-----Original Message-----
From: Hammer, Erich F [mailto:erich-8+1tKT+***@public.gmane.org]
Sent: Thursday, October 16, 2014 2:41 PM
To: Patch Management Mailing List
Subject: [patchmanagement] Sept. patches changed UAC?



All,



I'm pretty new here, so if this is too far off topic, please let me know. It's not about *managing* patches, but it is about the probable effect(s) of a patch(es) that have been deployed (and hoping someone knows which one).



Ever since I have rebooted each of my Win7, administrative workstations -- the first one last week for the first time since the September updates -- I'm experiencing a problem related to running utilities as other AD accounts. These are not actions a "normal" user would see, and probably many sysadmins won't notice either (depending on their setups). This is really hampering my ability to administrate (AD, GPOs, SCCM, etc.).



Background: As a best practice, my "user" AD account not an admin on my computers and neither is my "sysadmin" account with additional (but not domain admin) rights to AD, servers, etc.. I've been perfectly functional for many years this way (XP required some tricks, but Vista/Win7 worked great). Apps/MMCs that made local, system changes I would run under a local admin account. Utilities that manage server/domain-type setting/services could be run under the appropriate account (usually sysadmin) with a simple Run as Administrator selection.



Symptoms: At first, my management utility shortcuts did not ask for credentials. They just opened under my user credentials with which I logged in. Strangely, the "run as admin" checkbox was cleared. Fixing that or if I right-click and choose run-as administrator, I am prompted for credentials and then stopped with a window popping up with the message "The requested operation requires elevation."



I can still open things with domain admin credentials, but that is only useful for some operations (and not too safe either). I can still use local admin creds (for local things). I would like to avoid giving local admin rights to my domain-based, sysadmin account.



I'm not having any luck searching on this (mostly finding "how to disable UAC" which is locked on via GPO). Does anyone here have any ideas what changed and which patch may be the cause? Has anyone else even noticed this problem?



Thanks,

Erich



--

erich-8+1tKT+***@public.gmane.org<mailto:erich-8+1tKT+***@public.gmane.org> CAS Computing Services

518-442-2651 University @ Albany



"The way to see by faith is

to shut the eye of reason." -- Benjamin Franklin



---

PatchManagement.org is hosted by Shavlik



The content on the email list is intended for assisting administrators. If you would like to use any of this content in a blog or media publication, please contact the owners of the list for approval.



To unsubscribe send a blank email to leave-***@patchmanagement.org<mailto:leave-patchmanagement-Vbinuuz+i/1cyoYjzPa5A0B+***@public.gmane.org>

If you are unable to unsubscribe via this email address, please email owner-patchmanagement-Vbinuuz+i/1cyoYjzPa5A0B+***@public.gmane.org<mailto:owner-***@patchmanagement.org>



The information transmitted is intended only for the person or entity to which it is addressed
and may contain CONFIDENTIAL material. If you receive this material/information in error,
please contact the sender and delete or destroy the material/information.
---
PatchManagement.org is hosted by Shavlik

The content on the email list is intended for assisting administrators. If you would like to use any of this content in a blog or media publication, please contact the owners of the list for approval.

To unsubscribe send a blank email to leave-***@patchmanagement.org
If you are unable to unsubscribe via this email address, please email
owner-patchmanagement-Vbinuuz+i/1cyoYjzPa5A0B+***@public.gmane.org
Hammer, Erich F
2014-10-16 21:21:03 UTC
Permalink
Daniel,

Thanks for responding. Every thing looks good GPO-wise.

My two administrative systems are in two different domains, with only the baseline security GPO (unchanged in a year) in common. The primary system is tweaked some, but the other is pretty bare-bones (except for RSAT and admin utilities) and used far less often.

The primary system encountered the change when I rebooted last week with the Sept. patches pending. I was attributing the problems to needing to rebuild until I the same problem cropped up on the bare-bones, secondary system. I was using that one as a backup until I had a chance to re-build my primary, and as of yesterday, it worked as they have for years: Double-click on shortcut, enter credentials, done.

I noticed that the secondary system also needed to reboot from the September updates, so I did. Bang! The same problem as the first: Double-click on shortcut, program opens under logged-in credentials. Strange. Checked shortcut, and "Run as Administrator" was unchecked. Fixed that. Double-click on shortcut, enter credentials and get a "The requested operation requires elevation" window. If the shortcut was pinned to the taskbar, upon closing that window, another appears with "Can't open this item. It might have been moved, renamed, or deleted. Do you want to remove this item?" These are for shortcuts pointing to public files.

I have discovered that I can shift-right-click on desktop icons and use "Run as different user..." and that works. The only difference I know between that and "Run as Administrator" is the latter uses elevation. I don't care if I run elevated for non-local changes, but there isn't an easy toggle for a shortcut to always "Run as different user".

Because of all the differences between the systems and the only (obvious) similarity in the appearance of the symptom, I am concluding that the Sept. updates must have been the cause of the change in how elevation works.

Thanks,
Erich



> -----Original Message-----
> From: Daniel Ratliff [mailto:dratliff-Ex0PBsXY+q/QT0dZR+***@public.gmane.org]
> Sent: Thursday, October 16, 2014 3:13 PM
> To: Patch Management Mailing List
> Subject: RE:[patchmanagement] Sept. patches changed UAC?
>
> Run RSOP.msc and check out the Local Security settings for UAC. Verify if
> GPO is still being applied and what settings it is setting.
>
>
>
>
>
>
>
> Daniel Ratliff
>
>
>
>
>
> -----Original Message-----
> From: Hammer, Erich F [mailto:erich-8+1tKT+***@public.gmane.org]
> Sent: Thursday, October 16, 2014 2:41 PM
> To: Patch Management Mailing List
> Subject: [patchmanagement] Sept. patches changed UAC?
>
>
>
> All,
>
>
>
> I'm pretty new here, so if this is too far off topic, please let me know. It's not
> about *managing* patches, but it is about the probable effect(s) of a
> patch(es) that have been deployed (and hoping someone knows which one).
>
>
>
> Ever since I have rebooted each of my Win7, administrative workstations --
> the first one last week for the first time since the September updates -- I'm
> experiencing a problem related to running utilities as other AD accounts.
> These are not actions a "normal" user would see, and probably many
> sysadmins won't notice either (depending on their setups). This is really
> hampering my ability to administrate (AD, GPOs, SCCM, etc.).
>
>
>
> Background: As a best practice, my "user" AD account not an admin on my
> computers and neither is my "sysadmin" account with additional (but not
> domain admin) rights to AD, servers, etc.. I've been perfectly functional for
> many years this way (XP required some tricks, but Vista/Win7 worked great).
> Apps/MMCs that made local, system changes I would run under a local admin
> account. Utilities that manage server/domain-type setting/services could be
> run under the appropriate account (usually sysadmin) with a simple Run as
> Administrator selection.
>
>
>
> Symptoms: At first, my management utility shortcuts did not ask for
> credentials. They just opened under my user credentials with which I logged
> in. Strangely, the "run as admin" checkbox was cleared. Fixing that or if I
> right-click and choose run-as administrator, I am prompted for credentials
> and then stopped with a window popping up with the message "The
> requested operation requires elevation."
>
>
>
> I can still open things with domain admin credentials, but that is only useful
> for some operations (and not too safe either). I can still use local admin creds
> (for local things). I would like to avoid giving local admin rights to my domain-
> based, sysadmin account.
>
>
>
> I'm not having any luck searching on this (mostly finding "how to disable
> UAC" which is locked on via GPO). Does anyone here have any ideas what
> changed and which patch may be the cause? Has anyone else even noticed
> this problem?
>
>
>
> Thanks,
>
> Erich
>
>
>
> --
>
> erich-8+1tKT+***@public.gmane.org <mailto:erich-8+1tKT+***@public.gmane.org> CAS Computing Services
>
> 518-442-2651 University @ Albany
>
>
>
> "The way to see by faith is
>
> to shut the eye of reason." -- Benjamin Franklin
>
>
>
> ---
>
> PatchManagement.org is hosted by Shavlik
>
>
>
> The content on the email list is intended for assisting administrators. If you
> would like to use any of this content in a blog or media publication, please
> contact the owners of the list for approval.
>
>
>
> To unsubscribe send a blank email to leave-
> patchmanagement-Vbinuuz+i/1cyoYjzPa5A0B+***@public.gmane.org <mailto:leave-
> patchmanagement-Vbinuuz+i/1cyoYjzPa5A0B+***@public.gmane.org>
>
> If you are unable to unsubscribe via this email address, please email owner-
> patchmanagement-Vbinuuz+i/1cyoYjzPa5A0B+***@public.gmane.org <mailto:owner-
> patchmanagement-Vbinuuz+i/1cyoYjzPa5A0B+***@public.gmane.org>
>
>
>
>
> The information transmitted is intended only for the person or entity to
> which it is addressed and may contain CONFIDENTIAL material. If you receive
> this material/information in error, please contact the sender and delete or
> destroy the material/information.
Shawn K. Hall
2014-10-16 22:19:49 UTC
Permalink
> ...as of yesterday, it worked as they have for
> years: Double-click on shortcut, enter credentials, done.

If you're using a consistent user account for administration of
individual applications, you can change the shortcuts to them to pass
through runas, as so:

runas /profile /user:user-***@public.gmane.org "S:\tool.exe"

You'll be prompted for authentication as you were before.

-Shawn
Hammer, Erich F
2014-10-17 12:45:19 UTC
Permalink
On Thursday, October 16, 2014 at 18:19, Shawn Hall eloquently inscribed:

>> ...as of yesterday, it worked as they have for
>> years: Double-click on shortcut, enter credentials, done.
>
> runas /profile /user:user-***@public.gmane.org "S:\tool.exe"
>
> You'll be prompted for authentication as you were before.

True, I am prompted, but then I get:

740: The requested operation requires elevation.

So, is nobody else experiencing this? Is that because you are logged in as administrators, your everyday user accounts are sysadmins or because only my machines are broken?

Thanks.
Julian Harper
2014-10-17 13:41:17 UTC
Permalink
I can't see a patch breaking UAC, if it had we would have heard about it.

Most likely something else has changed which has prompted this.

Julian Harper
IT Manager
Laytons Wine Services Ltd
 

-----Original Message-----
From: Hammer, Erich F [mailto:erich-8+1tKT+***@public.gmane.org]
Sent: 17 October 2014 13:45
To: Patch Management Mailing List
Subject: RE: [patchmanagement] Sept. patches changed UAC?

On Thursday, October 16, 2014 at 18:19, Shawn Hall eloquently inscribed:

>> ...as of yesterday, it worked as they have for
>> years: Double-click on shortcut, enter credentials, done.
>
> runas /profile /user:user-***@public.gmane.org "S:\tool.exe"
>
> You'll be prompted for authentication as you were before.

True, I am prompted, but then I get:

740: The requested operation requires elevation.

So, is nobody else experiencing this? Is that because you are logged in as administrators, your everyday user accounts are sysadmins or because only my machines are broken?

Thanks.

---
PatchManagement.org is hosted by Shavlik

The content on the email list is intended for assisting administrators. If you would like to use any of this content in a blog or media publication, please contact the owners of the list for approval.

To unsubscribe send a blank email to leave-***@patchmanagement.org
If you are unable to unsubscribe via this email address, please email owner-patchmanagement-Vbinuuz+i/1cyoYjzPa5A0B+***@public.gmane.org
Michael Cramer
2014-10-17 13:43:56 UTC
Permalink
To be blunt?

Your machines are broken. I have separate privileged accounts and machines and have no issues.

Sent from my iPhone

> On Oct 17, 2014, at 09:38, Hammer, Erich F <erich-8+1tKT+***@public.gmane.org> wrote:
>
> On Thursday, October 16, 2014 at 18:19, Shawn Hall eloquently inscribed:
>
>>> ...as of yesterday, it worked as they have for
>>> years: Double-click on shortcut, enter credentials, done.
>>
>> runas /profile /user:user-***@public.gmane.org "S:\tool.exe"
>>
>> You'll be prompted for authentication as you were before.
>
> True, I am prompted, but then I get:
>
> 740: The requested operation requires elevation.
>
> So, is nobody else experiencing this? Is that because you are logged in as administrators, your everyday user accounts are sysadmins or because only my machines are broken?
>
> Thanks.
>
> ---
> PatchManagement.org is hosted by Shavlik
>
> The content on the email list is intended for assisting administrators. If you would like to use any of this content in a blog or media publication, please contact the owners of the list for approval.
>
> To unsubscribe send a blank email to leave-***@patchmanagement.org
> If you are unable to unsubscribe via this email address, please email
> owner-patchmanagement-Vbinuuz+i/1cyoYjzPa5A0B+***@public.gmane.org
>
Hammer, Erich F
2014-10-17 17:51:25 UTC
Permalink
On Friday, October 17, 2014 at 09:43, Michael Cramer eloquently inscribed:

> To be blunt?
>
> Your machines are broken. I have separate privileged accounts and machines
> and have no issues.

I'm a bit incredulous (and I'm in the process of testing with a fresh install), but that is an acceptable answer.

Just to be clear, your separate, privileged accounts do not have admin rights on your local machines?

Thanks,
Erich
Austin Macdade
2014-10-17 14:10:32 UTC
Permalink
You can use a powershell script to run the tool, and it doesn't require elevation:

Start-Process -FilePath "C:\Windows\notepad.exe" -Credential (Get-Credential)

From:
http://superuser.com/questions/379120/how-to-prompt-a-user-for-run-as-credentials-when-double-clicking-an-icon


-----Original Message-----
From: Hammer, Erich F [mailto:erich-8+1tKT+***@public.gmane.org]
Sent: Friday, October 17, 2014 8:45 AM
To: Patch Management Mailing List
Subject: RE: [patchmanagement] Sept. patches changed UAC?

On Thursday, October 16, 2014 at 18:19, Shawn Hall eloquently inscribed:

>> ...as of yesterday, it worked as they have for
>> years: Double-click on shortcut, enter credentials, done.
>
> runas /profile /user:user-***@public.gmane.org "S:\tool.exe"
>
> You'll be prompted for authentication as you were before.

True, I am prompted, but then I get:

740: The requested operation requires elevation.

So, is nobody else experiencing this? Is that because you are logged in as administrators, your everyday user accounts are sysadmins or because only my machines are broken?

Thanks.

---
PatchManagement.org is hosted by Shavlik

The content on the email list is intended for assisting administrators. If you would like to use any of this content in a blog or media publication, please contact the owners of the list for approval.

To unsubscribe send a blank email to leave-***@patchmanagement.org
If you are unable to unsubscribe via this email address, please email owner-patchmanagement-Vbinuuz+i/1cyoYjzPa5A0B+***@public.gmane.org
Hammer, Erich F
2014-10-17 18:12:36 UTC
Permalink
On Friday, October 17, 2014 at 10:10, Austin Macdade eloquently inscribed:

> You can use a powershell script to run the tool, and it doesn't require
> elevation:
>
> Start-Process -FilePath "C:\Windows\notepad.exe" -Credential (Get-
> Credential)
>

It doesn't require elevation for "normal" executables, but it does for admin tools (mmc.exe, etc.).

Also, this starts fine:

Start-Process gpmc.msc

but this:

Start-Process gpmc.msc -Credential (get-credential)

Returns the error: This command cannot be executed because the input "gpmc.msc" is an Invalid Application.

And this:

Start-Process "C:\Windows\System32\mmc.exe" -argumentlist "C:\Temp\USERSA~1.MSC" -Credential (get-credential)

Returns: This command cannot be executed due to the error: The requested operation requires elevation.

It was a worthy suggestion though.

Erich
Hubbard, Brian
2014-10-17 18:25:40 UTC
Permalink
Erich,

Your machine might be broken. I have a separate, privileged account. Four fully patched test machines, two physical, two virtual, Win7 x86 and x64. Runas throws no errors for me. Hope this helps!

-brian

-----Original Message-----
From: Hammer, Erich F [mailto:erich-8+1tKT+***@public.gmane.org]
Sent: Friday, 17 October 2014 13:13
To: Patch Management Mailing List
Subject: RE: [patchmanagement] Sept. patches changed UAC?

On Friday, October 17, 2014 at 10:10, Austin Macdade eloquently inscribed:

> You can use a powershell script to run the tool, and it doesn't
> require
> elevation:
>
> Start-Process -FilePath "C:\Windows\notepad.exe" -Credential (Get-
> Credential)
>

It doesn't require elevation for "normal" executables, but it does for admin tools (mmc.exe, etc.).

Also, this starts fine:

Start-Process gpmc.msc

but this:

Start-Process gpmc.msc -Credential (get-credential)

Returns the error: This command cannot be executed because the input "gpmc.msc" is an Invalid Application.

And this:

Start-Process "C:\Windows\System32\mmc.exe" -argumentlist "C:\Temp\USERSA~1.MSC" -Credential (get-credential)

Returns: This command cannot be executed due to the error: The requested operation requires elevation.

It was a worthy suggestion though.

Erich


---
PatchManagement.org is hosted by Shavlik

The content on the email list is intended for assisting administrators. If you would like to use any of this content in a blog or media publication, please contact the owners of the list for approval.

To unsubscribe send a blank email to leave-***@patchmanagement.org
If you are unable to unsubscribe via this email address, please email owner-patchmanagement-Vbinuuz+i/1cyoYjzPa5A0B+***@public.gmane.org


CONFIDENTIALITY NOTICE:
This message is intended for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient or the employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by email reply.
Austin Macdade
2014-10-17 18:26:53 UTC
Permalink
I'd try using
Start-Process mmc.exe path-to-msc\gpmc.msc -Credential (get-credential)
Or
Start-Process mmc.exe -ArgumentList "path-to-msc\gpmc.msc" -Credential (get-credential)
http://technet.microsoft.com/en-us/library/cc757725(v=ws.10).aspx

-----Original Message-----
From: Hammer, Erich F [mailto:erich-8+1tKT+***@public.gmane.org]
Sent: Friday, October 17, 2014 2:13 PM
To: Patch Management Mailing List
Subject: RE: [patchmanagement] Sept. patches changed UAC?

On Friday, October 17, 2014 at 10:10, Austin Macdade eloquently inscribed:

> You can use a powershell script to run the tool, and it doesn't
> require
> elevation:
>
> Start-Process -FilePath "C:\Windows\notepad.exe" -Credential (Get-
> Credential)
>

It doesn't require elevation for "normal" executables, but it does for admin tools (mmc.exe, etc.).

Also, this starts fine:

Start-Process gpmc.msc

but this:

Start-Process gpmc.msc -Credential (get-credential)

Returns the error: This command cannot be executed because the input "gpmc.msc" is an Invalid Application.

And this:

Start-Process "C:\Windows\System32\mmc.exe" -argumentlist "C:\Temp\USERSA~1.MSC" -Credential (get-credential)

Returns: This command cannot be executed due to the error: The requested operation requires elevation.

It was a worthy suggestion though.

Erich


---
PatchManagement.org is hosted by Shavlik

The content on the email list is intended for assisting administrators. If you would like to use any of this content in a blog or media publication, please contact the owners of the list for approval.

To unsubscribe send a blank email to leave-***@patchmanagement.org
If you are unable to unsubscribe via this email address, please email owner-patchmanagement-Vbinuuz+i/1cyoYjzPa5A0B+***@public.gmane.org
Emin
2014-10-18 09:24:08 UTC
Permalink
Hi,
It's sometimes difficult to get it right with start-process.
What is the version of PowerShell that you're using? You can display it
with $PSVersionTable

I had also recently a problem with the way I start my console, tools on
Windows 8.1 with PowerShell 4.0
With an already elevated (Runas Admin) powershell console, I start another
elevated command prompt as another user like this:

Start-Process -FilePath
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -Credential
(Get-Credential) -LoadUserProfile:$false -WindowStyle Normal -ArgumentList
' & { Start-Process -FilePath C:\Windows\system32\cmd.exe -Verb RunAs }'

Then I can type gpmc.msc in my newly opened console

On Fri, Oct 17, 2014 at 8:12 PM, Hammer, Erich F <erich-8+1tKT+***@public.gmane.org> wrote:

> On Friday, October 17, 2014 at 10:10, Austin Macdade eloquently inscribed:
>
> > You can use a powershell script to run the tool, and it doesn't require
> > elevation:
> >
> > Start-Process -FilePath "C:\Windows\notepad.exe" -Credential (Get-
> > Credential)
> >
>
> It doesn't require elevation for "normal" executables, but it does for
> admin tools (mmc.exe, etc.).
>
> Also, this starts fine:
>
> Start-Process gpmc.msc
>
> but this:
>
> Start-Process gpmc.msc -Credential (get-credential)
>
> Returns the error: This command cannot be executed because the input
> "gpmc.msc" is an Invalid Application.
>
> And this:
>
> Start-Process "C:\Windows\System32\mmc.exe" -argumentlist
> "C:\Temp\USERSA~1.MSC" -Credential (get-credential)
>
> Returns: This command cannot be executed due to the error: The requested
> operation requires elevation.
>
> It was a worthy suggestion though.
>
> Erich
>
>
> ---
> PatchManagement.org is hosted by Shavlik
>
> The content on the email list is intended for assisting administrators.
> If you would like to use any of this content in a blog or media
> publication, please contact the owners of the list for approval.
>
> To unsubscribe send a blank email to
> leave-patchmanagement-Vbinuuz+i/1cyoYjzPa5A0B+***@public.gmane.org
> If you are unable to unsubscribe via this email address, please email
> owner-patchmanagement-Vbinuuz+i/1cyoYjzPa5A0B+***@public.gmane.org
>
>

---
PatchManagement.org is hosted by Shavlik

The content on the email list is intended for assisting administrators. If you would like to use any of this content in a blog or media publication, please contact the owners of the list for approval.

To unsubscribe send a blank email to leave-patchmanagement-Vbinuuz+i/1cyoYjzPa5A0B+***@public.gmane.org
If you are unable to unsubscribe via this email address, please email
owner-patchmanagement-Vbinuuz+i/1cyoYjzPa5A0B+***@public.gmane.org
Susan Bradley
2014-10-19 05:27:57 UTC
Permalink
Let's get more specific.

What application(s) are you attempting to do this runas with?

Or is this shortcuts to.... exactly what?

If we're trying to repro your exact setup, what are you runasing here?

On 10/18/2014 2:24 AM, Emin wrote:
> Hi,
> It's sometimes difficult to get it right with start-process.
> What is the version of PowerShell that you're using? You can display
> it with $PSVersionTable
>
> I had also recently a problem with the way I start my console, tools
> on Windows 8.1 with PowerShell 4.0
> With an already elevated (Runas Admin) powershell console, I start
> another elevated command prompt as another user like this:
>
> Start-Process -FilePath
> C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -Credential
> (Get-Credential) -LoadUserProfile:$false -WindowStyle Normal
> -ArgumentList ' & { Start-Process -FilePath
> C:\Windows\system32\cmd.exe -Verb RunAs }'
>
> Then I can type gpmc.msc in my newly opened console
>
> On Fri, Oct 17, 2014 at 8:12 PM, Hammer, Erich F <erich-8+1tKT+***@public.gmane.org
> <mailto:erich-8+1tKT+***@public.gmane.org>> wrote:
>
> On Friday, October 17, 2014 at 10:10, Austin Macdade eloquently
> inscribed:
>
> > You can use a powershell script to run the tool, and it doesn't
> require
> > elevation:
> >
> > Start-Process -FilePath "C:\Windows\notepad.exe" -Credential (Get-
> > Credential)
> >
>
> It doesn't require elevation for "normal" executables, but it does
> for admin tools (mmc.exe, etc.).
>
> Also, this starts fine:
>
> Start-Process gpmc.msc
>
> but this:
>
> Start-Process gpmc.msc -Credential (get-credential)
>
> Returns the error: This command cannot be executed because the
> input "gpmc.msc" is an Invalid Application.
>
> And this:
>
> Start-Process "C:\Windows\System32\mmc.exe" -argumentlist
> "C:\Temp\USERSA~1.MSC" -Credential (get-credential)
>
> Returns: This command cannot be executed due to the error: The
> requested operation requires elevation.
>
> It was a worthy suggestion though.
>
> Erich
>
>
> ---
> PatchManagement.org is hosted by Shavlik
>
> The content on the email list is intended for assisting
> administrators. If you would like to use any of this content in a
> blog or media publication, please contact the owners of the list
> for approval.
>
> To unsubscribe send a blank email to
> leave-patchmanagement-Vbinuuz+i/1cyoYjzPa5A0B+***@public.gmane.org
> <mailto:leave-patchmanagement-Vbinuuz+i/1cyoYjzPa5A0B+***@public.gmane.org>
> If you are unable to unsubscribe via this email address, please email
> owner-patchmanagement-Vbinuuz+i/1cyoYjzPa5A0B+***@public.gmane.org
> <mailto:owner-patchmanagement-Vbinuuz+i/1cyoYjzPa5A0B+***@public.gmane.org>
>
>
Hammer, Erich F
2014-10-20 17:26:52 UTC
Permalink
On Sunday, October 19, 2014 at 01:27, Susan Bradley eloquently inscribed:

> Let's get more specific.
>
> What application(s) are you attempting to do this runas with?
>
> Or is this shortcuts to.... exactly what?
>

Only occasionally do I have a need to run PowerShell (v2 -- still) elevated:
%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe

As I said in my first post, SCCM:
"C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\Microsoft.ConfigurationManagement.exe"

Another tool (which is great, btw) is SetACL Studio:
"C:\Program Files (x86)\SetACL Studio\SetACL Studio.exe"

The rest are various custom .MSCs which are all in the public profile:

"C:\Users\Public\Documents\Domain2.msc"

because the privileged account doesn't have access to my logged-in-user account's profile. I place/pin shortcuts (so I can use the "Run as Administrator..." checkbox) to the .MSCs on the taskbar/desktop.

Frustratingly, I dropped our standard image (current as of June) onto a machine and installed RSAT, and I'm seeing the same problem. No updates after June and no GPOs are applied. Maybe I've been hallucinating that this has been working since Vista? Although that would contradict those that say it still works.

I'm stumped. Since it now doesn't look like a patch thing, I will take this elsewhere. Sorry to bother everyone.

Thanks.

---
PatchManagement.org is hosted by Shavlik

The content on the email list is intended for assisting administrators. If you would like to use any of this content in a blog or media publication, please contact the owners of the list for approval.

To unsubscribe send a blank email to leave-***@patchmanagement.org
If you are unable to unsubscribe via this email address, please email
owner-patc
Eric Henson
2014-10-20 18:19:07 UTC
Permalink
You need to log at security settings/local policies/security options, all the options that start with "User Account Control:"

In particular, [one of] these two settings need to be set to "prompt for credentials":
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
User Account Control: Behavior of the elevation prompt for standard users

RSOP should tell you what GPO changes the behavior.

--
ERIC HENSON
Systems Solutions Architect
PFSweb  |  www.pfsweb.com
p:  972.881.2900  x3104
m: 972.948.3424


-----Original Message-----
From: Hammer, Erich F [mailto:***@albany.edu]
Sent: Monday, October 20, 2014 12:27 PM
To: Patch Management Mailing List
Subject: RE: [patchmanagement] Sept. patches changed UAC?

On Sunday, October 19, 2014 at 01:27, Susan Bradley eloquently inscribed:

> Let's get more specific.
>
> What application(s) are you attempting to do this runas with?
>
> Or is this shortcuts to.... exactly what?
>

Only occasionally do I have a need to run PowerShell (v2 -- still) elevated:
%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe

As I said in my first post, SCCM:
"C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\Microsoft.ConfigurationManagement.exe"

Another tool (which is great, btw) is SetACL Studio:
"C:\Program Files (x86)\SetACL Studio\SetACL Studio.exe"

The rest are various custom .MSCs which are all in the public profile:

"C:\Users\Public\Documents\Domain2.msc"

because the privileged account doesn't have access to my logged-in-user account's profile. I place/pin shortcuts (so I can use the "Run as Administrator..." checkbox) to the .MSCs on the taskbar/desktop.

Frustratingly, I dropped our standard image (current as of June) onto a machine and installed RSAT, and I'm seeing the same problem. No updates after June and no GPOs are applied. Maybe I've been hallucinating that this has been working since Vista? Although that would contradict those that say it still works.

I'm stumped. Since it now doesn't look like a patch thing, I will take this elsewhere. Sorry to bother everyone.

Thanks.

---
PatchManagement.org is hosted by Shavlik

The content on the email list is intended for assisting administrators. If you would like to use any of this content in a blog or media publication, please contact the owners of the list for approval.

To unsubscribe send a blank email to leave-***@patchmanagement.org
If you are unable to unsubscribe via this email address, please email owner-***@patchmanagement.org
------------------------
This email was scanned by BitDefender.

---
PatchManagement.org is hosted by Shavlik

The content on the email list is intended for assisting administrators. If you would like to use any of this content in a blog or media publication, please contact the owners of the list for approval.

To unsubscribe send a blank email to leave-***@patchmanagement.org
If you are unable to unsubscribe via this email address, please email
owner-patchmanagemen
Hammer, Erich F
2014-10-20 20:20:40 UTC
Permalink
On Monday, October 20, 2014 at 14:19, Eric Henson eloquently inscribed:

> You need to log at security settings/local policies/security options, all the
> options that start with "User Account Control:"
>
> In particular, [one of] these two settings need to be set to "prompt for
> credentials": User Account Control: Behavior of the elevation prompt for
> administrators in Admin Approval Mode User Account Control: Behavior of
> the elevation prompt for standard users
>
> RSOP should tell you what GPO changes the behavior.
>

Yep. That's the first place I checked. All admins get prompted for consent and standard users get prompted for credentials. That is the default on our generic image and is enforced via baseline security GPO.

And it does prompt me, but it then fails (when run under a standard user account other than the one I'm logged in as) claiming it requires elevation. IOW, I can open GPMC.msc under my standard, user account, but not under the account (which is also NOT a local admin) with rights to actually edit any GPOs (while logged into the workstation as my user account). This is what has changed (or I'm hallucinating).

Thanks.

---
PatchManagement.org is hosted by Shavlik

The content on the email list is intended for assisting administrators. If you would like to use any of this content in a blog or media publication, please contact the owners of the list for approval.

To unsubscribe send a blank email to leave-***@patchmanagement.org
If you are unable to unsubscribe via this email address, please email
ow
Charles F Sullivan
2014-10-20 20:39:11 UTC
Permalink
I can't reproduce your problem. What happens if you just open a command
prompt and type this?

runas /savecred /user:mydomain\user1 "mmc gpmc.msc"

Same error?


-----Original Message-----
From: Hammer, Erich F [mailto:erich-8+1tKT+***@public.gmane.org]
Sent: Monday, October 20, 2014 4:21 PM
To: Patch Management Mailing List
Subject: RE: [patchmanagement] Sept. patches changed UAC?

On Monday, October 20, 2014 at 14:19, Eric Henson eloquently inscribed:

> You need to log at security settings/local policies/security options,
> all the options that start with "User Account Control:"
>
> In particular, [one of] these two settings need to be set to "prompt
> for
> credentials": User Account Control: Behavior of the elevation prompt
> for administrators in Admin Approval Mode User Account Control:
> Behavior of the elevation prompt for standard users
>
> RSOP should tell you what GPO changes the behavior.
>

Yep. That's the first place I checked. All admins get prompted for consent
and standard users get prompted for credentials. That is the default on our
generic image and is enforced via baseline security GPO.

And it does prompt me, but it then fails (when run under a standard user
account other than the one I'm logged in as) claiming it requires elevation.
IOW, I can open GPMC.msc under my standard, user account, but not under the
account (which is also NOT a local admin) with rights to actually edit any
GPOs (while logged into the workstation as my user account). This is what
has changed (or I'm hallucinating).

Thanks.

---
PatchManagement.org is hosted by Shavlik

The content on the email list is intended for assisting administrators. If
you would like to use any of this content in a blog or media publication,
please contact the owners of the list for approval.

To unsubscribe send a blank email to
leave-patchmanagement-Vbinuuz+i/1cyoYjzPa5A0B+***@public.gmane.org
If you are unable to unsubscribe via this email address, please email
owner-patchmanagement-Vbinuuz+i/1cyoYjzPa5A0B+***@public.gmane.org
Hammer, Erich F
2014-10-20 21:15:58 UTC
Permalink
On Monday, October 20, 2014 at 16:39, Charles Sullivan eloquently inscribed:

> I can't reproduce your problem. What happens if you just open a command
> prompt and type this?
>
> runas /savecred /user:mydomain\user1 "mmc gpmc.msc"
>
> Same error?

Attempting to start mmc gpmc.msc as user "domain2\myadmin" ...
Enter the password for domain2\myadmin:
Attempting to start mmc gpmc.msc as user "domain2\myadmin" ...
RUNAS ERROR: Unable to run - mmc gpmc.msc
87: The parameter is incorrect.



---
PatchManagement.org is hosted by Shavlik

The content on the email list is intended for assisting administrators. If you would like to use any of this content in a blog or media publication, please contact the owners of the list for approval.

To unsubscribe send a blank email to leave-***@patchmanagement.org
If you are unable to unsubscribe via this email address, please em
Austin Macdade
2014-10-20 22:20:27 UTC
Permalink
Are these MSC files new? Apparently only executables that are signed by Microsoft and protected are whitelisted for UAC will auto-elevate without a prompt.
http://community.spiceworks.com/topic/90896-windows-7-uac-prompting-on-generic-mmc-but-not-on-administrative-mmc

I started looking for this when I realized that mmc.exe requires elevation no matter how you launch it, but some consoles don’t prompt for elevation.

According to this, you can't edit the whitelist.
http://superuser.com/questions/739367/uac-whitelist-for-system-processes

But, you can create a shortcut that runs a task in the task scheduler that runs an application with elevated privileges without prompt, apparently.
https://www.raymond.cc/blog/task-scheduler-bypass-uac-prompt/

So, it's likely the case that you've been using MSC files signed by Microsoft and on the cool kids list this whole time, UAC was set to a lower level, or, like you said, you've been hallucinating. :)

-----Original Message-----
From: Hammer, Erich F [mailto:***@albany.edu]
Sent: Monday, October 20, 2014 5:16 PM
To: Patch Management Mailing List
Subject: RE: [patchmanagement] Sept. patches changed UAC?

On Monday, October 20, 2014 at 16:39, Charles Sullivan eloquently inscribed:

> I can't reproduce your problem. What happens if you just open a
> command prompt and type this?
>
> runas /savecred /user:mydomain\user1 "mmc gpmc.msc"
>
> Same error?

Attempting to start mmc gpmc.msc as user "domain2\myadmin" ...
Enter the password for domain2\myadmin:
Attempting to start mmc gpmc.msc as user "domain2\myadmin" ...
RUNAS ERROR: Unable to run - mmc gpmc.msc
87: The parameter is incorrect.



---
PatchManagement.org is hosted by Shavlik

The content on the email list is intended for assisting administrators. If you would like to use any of this content in a blog or media publication, please contact the owners of the list for approval.

To unsubscribe send a blank email to leave-***@patchmanagement.org
If you are unable to unsubscribe via this email address, please email owner-***@patchmanagement.org

---
PatchManagement.org is hosted by Shavlik

The content on the email list is intended for assisting administrators. If you would like to use any of this content in a blog or media publication, please contact the owners of the list for approval.

To unsubscribe send a blank email to leave-***@patchmanagement.org
If you are unable to unsubscribe via this email address, please email
owner-patchma
Eric Henson
2014-10-21 03:38:36 UTC
Permalink
This is what I do, and it works fine:
runas /noprofile /user:***@domain.com "mmc C:\Console1.msc"

perhaps the /savecred is a problem, or you need to specify the full path to the MSC file.

--
ERIC HENSON
Systems Solutions Architect
PFSweb  |  www.pfsweb.com
p:  972.881.2900  x3104
m: 972.948.3424


-----Original Message-----
From: Hammer, Erich F [mailto:***@albany.edu]
Sent: Monday, October 20, 2014 4:16 PM
To: Patch Management Mailing List
Subject: RE: [patchmanagement] Sept. patches changed UAC?

On Monday, October 20, 2014 at 16:39, Charles Sullivan eloquently inscribed:

> I can't reproduce your problem. What happens if you just open a
> command prompt and type this?
>
> runas /savecred /user:mydomain\user1 "mmc gpmc.msc"
>
> Same error?

Attempting to start mmc gpmc.msc as user "domain2\myadmin" ...
Enter the password for domain2\myadmin:
Attempting to start mmc gpmc.msc as user "domain2\myadmin" ...
RUNAS ERROR: Unable to run - mmc gpmc.msc
87: The parameter is incorrect.



---
PatchManagement.org is hosted by Shavlik

The content on the email list is intended for assisting administrators. If you would like to use any of this content in a blog or media publication, please contact the owners of the list for approval.

To unsubscribe send a blank email to leave-***@patchmanagement.org
If you are unable to unsubscribe via this email address, please email owner-***@patchmanagement.org
------------------------
This email was scanned by BitDefender.

---
PatchManagement.org is hosted by Shavlik

The content on the email list is intended for assisting administrators. If you would like to use any of this content in a blog or media publication, please contact the owners of the list for approval.

To unsubscribe send a blank email to leave-***@patchmanagement.org
If you are unable to unsubscribe via this email address, please email
owner-***@pa
Kurt Buff
2014-10-20 23:47:40 UTC
Permalink
On Mon, Oct 20, 2014 at 10:26 AM, Hammer, Erich F <erich-8+1tKT+***@public.gmane.org> wrote:
> On Sunday, October 19, 2014 at 01:27, Susan Bradley eloquently inscribed:
>
<snip>
> I'm stumped. Since it now doesn't look like a patch thing, I will take this elsewhere. Sorry to bother everyone.


I run my laptop as a standard user, which is not an administrator on
the machine. To run stuff elevated, I always start an elevated command
prompt with a local administrative-level account (no privileges off
the machine), then use a command-line invocation from there, such as:

runas /netonly /user:kurt-admin-***@public.gmane.org "%windir%\system32\dsa.msc"

I've got a notepad instance with all of my command-line invocations
permanently open on my desktop.

HTH,

Kurt
Charles F Sullivan
2014-10-17 14:50:58 UTC
Permalink
I do not log on to my workstation with Admin rights. I log on as
domain\user1 and that user is not an Administrator on the machine. I have
a Domain Admin account (domain\domadm2).

I have a batch file with this one line sitting on my desktop:

runas /savecred /user:domain\domadm2 cmd

When the batch file opens the Command Prompt, I run commands or type, for
example "mmc", "dsa.msc", "gpedit.msc" "regedit", etc. In other words,
running the command prompt this way is enough to open the door to running
anything as a domain administrator. All of this continues to work even
though my machine is up to date with patches.

I have a second batch file which does the same thing for the local
Administrator for the rare times that I need to bypass UAC. Here's where
I get on your bus: I just said that I rarely need to use the local
Administrator account, but recently I noticed that when I tried do certain
things which affect the local machine, "run as" the Domain Admin account
didn't cut it. I had to run as the local Administrator, in other words I
had to bypass UAC.

So I think you are correct that something has changed, but I am not really
having any issues because of the method I use to run as Domain Admin.

-----Original Message-----
From: Hammer, Erich F [mailto:erich-8+1tKT+***@public.gmane.org]
Sent: Friday, October 17, 2014 8:45 AM
To: Patch Management Mailing List
Subject: RE: [patchmanagement] Sept. patches changed UAC?

On Thursday, October 16, 2014 at 18:19, Shawn Hall eloquently inscribed:

>> ...as of yesterday, it worked as they have for
>> years: Double-click on shortcut, enter credentials, done.
>
> runas /profile /user:user-***@public.gmane.org "S:\tool.exe"
>
> You'll be prompted for authentication as you were before.

True, I am prompted, but then I get:

740: The requested operation requires elevation.

So, is nobody else experiencing this? Is that because you are logged in
as administrators, your everyday user accounts are sysadmins or because
only my machines are broken?

Thanks.

---
PatchManagement.org is hosted by Shavlik

The content on the email list is intended for assisting administrators.
If you would like to use any of this content in a blog or media
publication, please contact the owners of the list for approval.

To unsubscribe send a blank email to
leave-patchmanagement-Vbinuuz+i/1cyoYjzPa5A0B+***@public.gmane.org
If you are unable to unsubscribe via this email address, please email
owner-patchmanagement-Vbinuuz+i/1cyoYjzPa5A0B+***@public.gmane.org
Loading...