Re: [NTSysADM] RE: CMAK profiles without admin rights
While not super secure, you can use a compiled AutoIt script to elevate a process. You can also look into PowerShell's credential cache stuff I think.

James Pulver
CLASSE Computer Group
Cornell University

On 10/19/2016 11:24 AM, James Rankin wrote:
> Task Scheduler can run stuff with admin rights, and the triggers are pretty granular...
RE: [NTSysADM] RE: CMAK profiles without admin rights
Task Scheduler can run stuff with admin rights, and the triggers are pretty granular...

-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: 19 October 2016 16:08
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] RE: CMAK profiles without admin rights

OK, so let's try running this around the defensive ends. :)

Instead of letting the CMAK profile update the route table with its normal cmroute.dll method, I can manually update the routes with post-connect tasks, etc. The logic is straightforward enough to do it and remove it at disconnect. I even have scripted a user creation process during the profile installation to build an admin level user on the machine to use for the purpose. All well and good. I was planning on doing a runas to call the required scripts so they'll work, but gee, I can't pass the password, it prompts for it. Any words of wisdom on silently running an admin level task?

Since I'm assuming BYOD units will have admin level access anyway this is really only for our portable users to prevent having to give them admin rights to actually run the VPN.

--
There are 10 kinds of people in the world...
those who understand binary and those who don't.
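One way to set up what the message above suggests, as an added example that is not code from the thread: two scheduled tasks that run route.exe as SYSTEM with a fixed command line, triggered by the RAS connect and disconnect events, so no admin password is stored or passed and the user supplies no input. The task names, prefixes and gateway are constructed, and the use of RasClient events 20225 (connected) and 20226 (disconnected) in the Application log as triggers is an assumption to confirm on the target Windows build; those events fire for any RAS connection, not only this profile.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Run once, elevated, when the VPN
# profile is installed. Task names, prefixes and the gateway are constructed.

$RouteExe = Join-Path $env:SystemRoot 'System32\route.exe'

# Constructed sample: the prefixes cmroute.dll would otherwise have pushed.
$Routes = @(
    @{ Prefix = '10.20.0.0'; Mask = '255.255.0.0';   Gateway = '10.99.0.1' },
    @{ Prefix = '10.30.4.0'; Mask = '255.255.255.0'; Gateway = '10.99.0.1' }
)

function Register-RasEventTask {
    # Hypothetical helper: registers one task that runs route.exe as SYSTEM
    # whenever the given RasClient event is written to the Application log.
    param(
        [Parameter(Mandatory)] [string]   $TaskName,
        [Parameter(Mandatory)] [int]      $EventId,
        [Parameter(Mandatory)] [string[]] $RouteArguments
    )

    # One fixed action per route. The command line lives in the task
    # definition, so the triggering user cannot change what runs elevated.
    $actions = foreach ($arguments in $RouteArguments) {
        New-ScheduledTaskAction -Execute $RouteExe -Argument $arguments
    }

    # SYSTEM principal: no local admin account and no stored password.
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
        -LogonType ServiceAccount -RunLevel Highest

    # New-ScheduledTaskTrigger has no event trigger, so build one from the
    # Task Scheduler CIM class and give it an event-log subscription.
    $triggerClass = Get-CimClass -Namespace 'Root/Microsoft/Windows/TaskScheduler' `
        -ClassName 'MSFT_TaskEventTrigger'
    $trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
    $trigger.Enabled = $true
    # Assumption: RasClient logs $EventId to the Application log on this build.
    $trigger.Subscription = "<QueryList><Query Id='0' Path='Application'>" +
        "<Select Path='Application'>*[System[Provider[@Name='RasClient'] " +
        "and EventID=$EventId]]</Select></Query></QueryList>"

    Register-ScheduledTask -TaskName $TaskName -Action $actions `
        -Principal $principal -Trigger $trigger -Force
}

$add    = $Routes | ForEach-Object { 'add {0} mask {1} {2}'    -f $_.Prefix, $_.Mask, $_.Gateway }
$delete = $Routes | ForEach-Object { 'delete {0} mask {1} {2}' -f $_.Prefix, $_.Mask, $_.Gateway }

Register-RasEventTask -TaskName 'CorpVpn-AddRoutes'    -EventId 20225 -RouteArguments $add
Register-RasEventTask -TaskName 'CorpVpn-RemoveRoutes' -EventId 20226 -RouteArguments $delete

# Review what was registered: account, and the exact command each task runs.
Get-ScheduledTask | Where-Object TaskName -like 'CorpVpn-*' | ForEach-Object {
    [pscustomobject]@{
        Task    = $_.TaskName
        RunsAs  = $_.Principal.UserId
        Actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    }
}
```

Pointing the action at route.exe itself, rather than at a script, keeps the elevated command out of any file a standard user could edit.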
RE: [NTSysADM] RE: CMAK profiles without admin rights
OK, so let's try running this around the defensive ends. :)

Instead of letting the CMAK profile update the route table with its normal cmroute.dll method, I can manually update the routes with post-connect tasks, etc. The logic is straightforward enough to do it and remove it at disconnect. I even have scripted a user creation process during the profile installation to build an admin level user on the machine to use for the purpose. All well and good. I was planning on doing a runas to call the required scripts so they'll work, but gee, I can't pass the password, it prompts for it. Any words of wisdom on silently running an admin level task?

Since I'm assuming BYOD units will have admin level access anyway this is really only for our portable users to prevent having to give them admin rights to actually run the VPN.

--
There are 10 kinds of people in the world...
those who understand binary and those who don't.

-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
Sent: Tuesday, October 18, 2016 3:56 PM
To: ntsysadm <ntsysadm@lists.myitforum.com>
Subject: Re: [NTSysADM] RE: CMAK profiles without admin rights

I'm afraid not.

We use the 2012R2 DirectAccess, and it's a champ (with one caveat - I've had a fair amount of problems with Win10 1607, it loses connections with regularity, and I don't know if there's an update for either client or server that helps.)

For a backup (and those without company laptops to take home) we use an Aventail/Dell EX6000 for SSL VPN, and it Just Works.

Kurt
Re: [NTSysADM] RE: CMAK profiles without admin rights
I'm afraid not.

We use the 2012R2 DirectAccess, and it's a champ (with one caveat - I've had a fair amount of problems with Win10 1607, it loses connections with regularity, and I don't know if there's an update for either client or server that helps.)

For a backup (and those without company laptops to take home) we use an Aventail/Dell EX6000 for SSL VPN, and it Just Works.

Kurt

On Tue, Oct 18, 2016 at 10:55 AM, Melvin Backus <melvin.bac...@byers.com> wrote:
> My apologies if I stepped too closely to those extremities. :)
>
> I'd really love to get this in place as it would solve more than one nagging
> problem. Any words of wisdom to ease that journey?
>
> --
> There are 10 kinds of people in the world...
> those who understand binary and those who don't.
RE: [NTSysADM] RE: CMAK profiles without admin rights
My apologies if I stepped too closely to those extremities. :)

I'd really love to get this in place as it would solve more than one nagging problem. Any words of wisdom to ease that journey?

--
There are 10 kinds of people in the world...
those who understand binary and those who don't.

-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
Sent: Tuesday, October 18, 2016 1:20 PM
To: ntsysadm <ntsysadm@lists.myitforum.com>
Subject: Re: [NTSysADM] RE: CMAK profiles without admin rights

Ah. I first configured DirectAccess with 2008R2 and UAG 2010, and have since migrated to 2012 R2. That name change didn't catch up with me...

And I resemble that remark - We're no more than 10 miles from the campus of the Evil Empire, on the border between Redmond and Kirkland...

Kurt
Re: [NTSysADM] RE: CMAK profiles without admin rights
Ah. I first configured DirectAccess with 2008R2 and UAG 2010, and have since migrated to 2012 R2. That name change didn't catch up with me...

And I resemble that remark - We're no more than 10 miles from the campus of the Evil Empire, on the border between Redmond and Kirkland...

Kurt

On Tue, Oct 18, 2016 at 9:24 AM, Melvin Backus <melvin.bac...@byers.com> wrote:
> URA = Universal Remote Access = DirectAccess 2012
>
> You know how our friends in the great NW like to rename things. :)
>
> --
> There are 10 kinds of people in the world...
> those who understand binary and those who don't.
RE: [NTSysADM] RE: CMAK profiles without admin rights
URA = Universal Remote Access = DirectAccess 2012

You know how our friends in the great NW like to rename things. :)

--
There are 10 kinds of people in the world...
those who understand binary and those who don't.

-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
Sent: Thursday, October 13, 2016 7:00 PM
To: ntsysadm <ntsysadm@lists.myitforum.com>
Subject: Re: [NTSysADM] RE: CMAK profiles without admin rights

URA? I do not know this term.

However, it looks like it might be related to DirectAccess, and I was going to make a snarky comment about you needing to implement that. It's so beautifully transparent, and just works.

Kurt

On Thu, Oct 13, 2016 at 12:00 PM, Melvin Backus <melvin.bac...@byers.com> wrote:
> I just confirmed that this doesn't work, at least on my W10 box. UAC is off,
> when you try to run either a route add to manually add a route or when
> cmroute.dll runs to automatically update the routes you're prompted for
> elevation and since the user isn't in the administrator group they can't
> elevate.
>
> I've been working on getting URA in place anyway. Maybe this will
> finally be the push to make it happen. :)
>
> --
> There are 10 kinds of people in the world...
> those who understand binary and those who don't.
>
> -----Original Message-----
> From: listsad...@lists.myitforum.com
> [mailto:listsad...@lists.myitforum.com] On Behalf Of James M. Pulver
> Sent: Thursday, October 13, 2016 9:00 AM
> To: ntsysadm@lists.myitforum.com
> Subject: Re: [NTSysADM] RE: CMAK profiles without admin rights
>
> If the problem is the routes don't get published, you can put Users in
> Network Configuration Operators group, and turn off UAC, and then normal users
> can update their route maps.
>
> James Pulver
> CLASSE Computer Group
> Cornell University
>
> On 10/13/2016 07:46 AM, Melvin Backus wrote:
>> Budget for this is nil but I'll have a look and see. The
>> installation of the connectoid isn't the issue, it's all runtime when
>> the user tries to connect to the VPN.
>>
>> --
>> There are 10 kinds of people in the world...
>> those who understand binary and those who don't.
>>
>> *From:* listsad...@lists.myitforum.com
>> [mailto:listsad...@lists.myitforum.com] *On Behalf Of *James Rankin
>> *Sent:* Thursday, October 13, 2016 7:15 AM
>> *To:* ntsysadm@lists.myitforum.com
>> *Subject:* [NTSysADM] RE: CMAK profiles without admin rights
>>
>> You can use privilege management tools like AppSense Application
>> Manager, RES, Scense and the like to configure specific files that
>> can run with elevated rights.
>>
>> There's also tools like CPAU from JoeWare which can run scripts with
>> elevated privileges so that you can get the profile build to complete maybe?
>>
>> *From:* listsad...@lists.myitforum.com
>> [mailto:listsad...@lists.myitforum.com] *On Behalf Of *Melvin Backus
>> *Sent:* 13 October 2016 12:05
>> *To:* ntsysadm@lists.myitforum.com
>> *Subject:* [NTSysADM] CMAK profiles without admin rights
>>
>> Hello folks,
>>
>> We've been working on removing admin rights for users in our
>> environment. One snag we've run into is related to our RAS VPN
>> connections and CMAK profiles. In order to make everything work
>> we're using CMAK to build the profile which includes routing, etc.
>> We can't seem to find a way to get those to work without admin rights
>> because cmroute.dll won't run without elevation. Any recommendations
>> on how to get around this or possibly push the routes once during
>> initial install and not have to run them at connect time?
>>
>> Thanks
>>
>> Melvin Backus | Sr. Systems Engineer | Byers Engineering Company |
>> 404.497.1565
>>
>> Service Desk | 404-497-1599 | https://servicedesk.byers.com
>>
>> --
>> There are 10 kinds of people in the world...
>> those who understand binary and those who don't.
[NTSysADM] RE: CMAK profiles without admin rights
Ah right :) Don't know whether you'd be able to do a spot of Process Monitoring and see if there is a parent process (shot in dark!)?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: 13 October 2016 15:30
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

I've seen that, but as was pointed out in one of the articles I read, what executable do you assign that to? The offending process is a DLL.

--
There are 10 kinds of people in the world...
those who understand binary and those who don't.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin
Sent: Thursday, October 13, 2016 7:58 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

I assume you probably read this already but just in case you haven't (pulled from http://www.winvistatips.com/threads/cmak-elevated-privs-for-vista.725462/ )

The route table updating via Cmroute in the CMAK package requires admin privileges. Because of the introduction of UAC (User Account Control) in Windows Vista, you need to run the CM profile with the cmroute custom action from an admin user (user in administrative group and with UAC disabled) or from elevated cmd. If UAC is enabled then cmroute will ask for elevation. If you do not want to receive the prompt, you may consider the following options:

1. Refer to the following KB to disable UAC for the generated CMAK package.
2. Disable UAC on all Vista clients. (not the preferred practice)

How to disable the User Account Control Prompt for a certain application
http://msmvps.com/blogs/xperts64/archive/2007/12/31/disable-uac-prompt-for-a-single-application.aspx

The steps to disable the User Account Control Prompt for a certain application:

1) Download and install the Application Compatibility Toolkit (link below).
2) Open the Compatibility Administrator application with elevated credentials.
3) In the left hand pane, right-click on the database under Custom Databases and select Create New Application Fix.
4) Enter the name and other details of the application you want to alter behavior on and then browse to it to select it.
5) Click Next until you are in the Compatibility Fixes screen.
6) To prevent being prompted to elevate an application (which means that it will always use the less privileged credential to run) place a checkmark next to RunAsInvoker.
7) Click Next and then Finish.
8) Select File and Save As. Save the file as a filename.SDB type file in a directory where you will easily find it.
9) Copy the .sdb file to the Vista computer you want to alter the elevation prompt behavior on.
10) Open an elevated command prompt.
11) Run the command (without the quotes, assuming you copied the file to the Windows directory on C:) "sdbinst c:\windows\.sdb" and then press enter.

Microsoft Application Compatibility Toolkit 5.0
http://www.microsoft.com/downloads/details.aspx?FamilyId=24DA89E9-B581-47B0-B45E-492DD6DA2971=en

More info on the other options you have in altering application launch behavior is available at the URL below:

Application Compatibility Feature Guide
http://www.microsoft.com/technet/desktopdeployment/bdd/standard/AppCompact_6.mspx

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: 13 October 2016 12:47
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

Budget for this is nil but I'll have a look and see. The installation of the connectoid isn't the issue, it's all runtime when the user tries to connect to the VPN.

--
There are 10 kinds of people in the world...
those who understand binary and those who don't.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin
Sent: Thursday, October 13, 2016 7:15 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

You can use privilege management tools like AppSense Application Manager, RES, Scense and the like to configure specific files that can run with elevated rights.

There's also tools like CPAU from JoeWare which can run scripts with elevated privileges so that you can get the profile build to complete maybe?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: 13 October 2016 12:05
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] CMAK profiles without admin rights

Hello folks, We've been working on removing admin rights for users in o
[NTSysADM] RE: CMAK profiles without admin rights
Thanks for reminding me about that. I've used it in the past and forgot all about it. :( I need a vacation. :)

--
There are 10 kinds of people in the world...
those who understand binary and those who don't.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Stephen Gestwicki
Sent: Thursday, October 13, 2016 11:37 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

You should be able to use Process Explorer to find that while running the VPN.

https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx?f=255=-2147217396

- Stephen
[NTSysADM] RE: CMAK profiles without admin rights
You should be able to use Process Explorer to find that while running the VPN.

https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx?f=255=-2147217396

- Stephen
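One way to answer the question of which executable hosts cmroute.dll, as an added example that is not part of the original thread: the PowerShell below polls for any process that has the DLL loaded while the VPN connects and reports that process and its parent. The function name, timeout and polling interval are assumptions; run it from an elevated prompt, then start the connection.

```powershell
# Added example (not from the thread): report which process loads a given DLL.
# Function name, timeout and polling interval are illustrative assumptions.
# Caveat: a 64-bit Windows PowerShell may not list the modules of a 32-bit
# process; if nothing is reported, repeat from the 32-bit PowerShell.
function Find-DllHostProcess {
    [CmdletBinding()]
    param(
        [string]$ModuleName = 'cmroute.dll',  # DLL named in the thread
        [int]$TimeoutSeconds = 120,           # how long to watch (assumed)
        [int]$PollMilliseconds = 200          # polling interval (assumed)
    )

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $seen = @{}   # PIDs already reported, so each host is listed once

    while ((Get-Date) -lt $deadline) {
        foreach ($proc in Get-Process) {
            try {
                # Reading .Modules fails for protected or already-exited processes
                $module = $proc.Modules |
                    Where-Object { $_.ModuleName -ieq $ModuleName } |
                    Select-Object -First 1
            } catch {
                continue
            }
            if (-not $module) { continue }
            if ($seen.ContainsKey($proc.Id)) { continue }
            $seen[$proc.Id] = $true

            # Win32_Process supplies the parent PID, image path and command line
            $cim = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)" `
                -ErrorAction SilentlyContinue
            $parent = $null
            if ($cim) {
                $parent = Get-CimInstance Win32_Process `
                    -Filter "ProcessId = $($cim.ParentProcessId)" `
                    -ErrorAction SilentlyContinue
            }

            [pscustomobject]@{
                Time        = Get-Date
                HostProcess = $proc.ProcessName
                HostPid     = $proc.Id
                HostPath    = $cim.ExecutablePath
                CommandLine = $cim.CommandLine
                ModulePath  = $module.FileName
                ParentName  = $parent.Name
                ParentPid   = $cim.ParentProcessId
            }
        }
        Start-Sleep -Milliseconds $PollMilliseconds
    }
}

# Start the watcher, then connect the CMAK profile from the user's session.
Find-DllHostProcess | Format-List
```

If the DLL is loaded and unloaded between two polls the watcher can miss it; Process Monitor with a path filter on the DLL records the image load event itself.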
RE: [NTSysADM] RE: CMAK profiles without admin rights
We tried adding them to Network Configuration Operators and it didn't help. I'm not sure if UAC was off or not but that is our normal configuration. I'll go through it again just to be sure.

--
There are 10 kinds of people in the world...
those who understand binary and those who don't.

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of James M. Pulver
Sent: Thursday, October 13, 2016 9:00 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] RE: CMAK profiles without admin rights

If the problem is the routes don't get published, you can put Users in Network Configuration Operators group, and turn off UAC, and then normal users can update their route maps.

James Pulver
CLASSE Computer Group
Cornell University
[NTSysADM] RE: CMAK profiles without admin rights
I've seen that, but as was pointed out in one of the articles I read, what executable do you assign that to? The offending process is a DLL.

--
There are 10 kinds of people in the world...
those who understand binary and those who don't.
Re: [NTSysADM] RE: CMAK profiles without admin rights
If the problem is the routes don't get published, you can put Users in Network Configuration Operators group, and turn off UAC, and then normal users can update their route maps.

James Pulver
CLASSE Computer Group
Cornell University
[NTSysADM] RE: CMAK profiles without admin rights
I assume you probably read this already but just in case you haven't (pulled from http://www.winvistatips.com/threads/cmak-elevated-privs-for-vista.725462/ )

The route table updating via Cmroute in the CMAK package requires admin privileges. Because of the introduction of UAC (User Account Control) in Windows Vista, you need to run the CM profile with the cmroute custom action from an admin user (user in administrative group and with UAC disabled) or from elevated cmd. If UAC is enabled then cmroute will ask for elevation. If you do not want to receive the prompt, you may consider the following options:

1. Refer to the following KB to disable UAC for the generated CMAK package.
2. Disable UAC on all Vista clients. (not the preferred practice)

How to disable the User Account Control Prompt for a certain application
http://msmvps.com/blogs/xperts64/archive/2007/12/31/disable-uac-prompt-for-a-single-application.aspx

The steps to disable the User Account Control Prompt for a certain application:

1) Download and install the Application Compatibility Toolkit (link below).
2) Open the Compatibility Administrator application with elevated credentials.
3) In the left hand pane, right-click on the database under Custom Databases and select Create New Application Fix.
4) Enter the name and other details of the application you want to alter behavior on and then browse to it to select it.
5) Click Next until you are in the Compatibility Fixes screen.
6) To prevent being prompted to elevate an application (which means that it will always use the less privileged credential to run) place a checkmark next to RunAsInvoker.
7) Click Next and then Finish.
8) Select File and Save As. Save the file as a filename.SDB type file in a directory where you will easily find it.
9) Copy the .sdb file to the Vista computer you want to alter the elevation prompt behavior on.
10) Open an elevated command prompt.
11) Run the command (without the quotes, assuming you copied the file to the Windows directory on C:) "sdbinst c:\windows\.sdb" and then press enter.

Microsoft Application Compatibility Toolkit 5.0
http://www.microsoft.com/downloads/details.aspx?FamilyId=24DA89E9-B581-47B0-B45E-492DD6DA2971=en

More info on the other options you have in altering application launch behavior is available at the URL below:

Application Compatibility Feature Guide
http://www.microsoft.com/technet/desktopdeployment/bdd/standard/AppCompact_6.mspx
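To check the result of the sdbinst procedure above, or to inventory shim databases on a machine, the following added example (not part of the original message) reads the AppCompatFlags registry keys that sdbinst writes and lists each installed custom database with the executables it is applied to. The function name is an assumption; run it in a PowerShell session on the client.

```powershell
# Added example (not from the thread): list custom shim databases registered
# by sdbinst and the executables each one is applied to.
# The function name is an illustrative assumption.
function Get-InstalledShimDatabase {
    $base         = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'
    $installedKey = Join-Path $base 'InstalledSDB'   # one subkey per database GUID
    $customKey    = Join-Path $base 'Custom'         # one subkey per target executable

    # Map database GUID -> executables whose Custom\<exe> key has a "{GUID}.sdb" value
    $targets = @{}
    if (Test-Path $customKey) {
        foreach ($exeKey in Get-ChildItem $customKey) {
            foreach ($valueName in $exeKey.GetValueNames()) {
                $guid = $valueName -replace '\.sdb$', ''
                if (-not $targets.ContainsKey($guid)) { $targets[$guid] = @() }
                $targets[$guid] += $exeKey.PSChildName
            }
        }
    }

    if (-not (Test-Path $installedKey)) { return }   # no custom databases installed

    foreach ($dbKey in Get-ChildItem $installedKey) {
        $guid  = $dbKey.PSChildName
        $path  = $dbKey.GetValue('DatabasePath')
        $stamp = $dbKey.GetValue('DatabaseInstallTimeStamp')   # FILETIME stored as a QWORD

        $file = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $file = Get-Item -LiteralPath $path
        }

        $installed = $null
        if ($stamp) { $installed = [DateTime]::FromFileTimeUtc([int64]$stamp) }

        $hash = $null
        if ($file) {
            $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        }

        [pscustomobject]@{
            Guid         = $guid
            Description  = $dbKey.GetValue('DatabaseDescription')
            Path         = $path
            InstalledUtc = $installed
            FileExists   = [bool]$file
            Sha256       = $hash
            AppliedTo    = ($targets[$guid] -join ', ')
        }
    }
}

Get-InstalledShimDatabase | Format-List
```

A database or target executable that does not belong to a known deployment is worth investigating, since a RunAsInvoker fix changes how that executable handles elevation.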
[NTSysADM] RE: CMAK profiles without admin rights
Budget for this is nil but I'll have a look and see. The installation of the connectoid isn't the issue, it's all runtime when the user tries to connect to the VPN.

--
There are 10 kinds of people in the world...
those who understand binary and those who don't.
[NTSysADM] RE: CMAK profiles without admin rights
You can use privilege management tools like AppSense Application Manager, RES, Scense and the like to configure specific files that can run with elevated rights.

There's also tools like CPAU from JoeWare which can run scripts with elevated privileges so that you can get the profile build to complete maybe?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: 13 October 2016 12:05
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] CMAK profiles without admin rights

Hello folks,

We've been working on removing admin rights for users in our environment. One snag we've run into is related to our RAS VPN connections and CMAK profiles. In order to make everything work we're using CMAK to build the profile which includes routing, etc. We can't seem to find a way to get those to work without admin rights because cmroute.dll won't run without elevation. Any recommendations on how to get around this or possibly push the routes once during initial install and not have to run them at connect time?

Thanks

Melvin Backus | Sr. Systems Engineer | Byers Engineering Company | 404.497.1565
Service Desk | 404-497-1599 | https://servicedesk.byers.com

--
There are 10 kinds of people in the world...
those who understand binary and those who don't.