date:20161013

[NTSysADM] Free MS Press 2016 server intro book.

2016-10-13 Thread Kennedy, Jim


https://blogs.msdn.microsoft.com/microsoft_press/2016/09/26/free-ebook-introducing-windows-server-2016/

[NTSysADM] RE: CMAK profiles without admin rights

2016-10-13 Thread James Rankin

Ah right :)

Don't know whether you'd be able to do a spot of Process Monitoring and see if 
there is a parent process (shot in dark!)?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Melvin Backus
Sent: 13 October 2016 15:30
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

I've see that, but as was pointed out it one of the articles I read, what 
executable do you assign that to? The offending process is a DLL.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin
Sent: Thursday, October 13, 2016 7:58 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

I assume you probably read this already but just in case you haven't (pulled 
from http://www.winvistatips.com/threads/cmak-elevated-privs-for-vista.725462/ )

The route table updating via Cmroute in the CMAK package requires admin
privileges. Because of the introduction of UCA (user account control) in
Windows Vista, you need to running CM profile with cmroute custom action
from admin user (user in administrative group and with UAC disabled) or
from elevated cmd. If UAC is enabled then cmroute will ask for elevation.

If you do not want to receive the prompt, you may consider the following
options:

1. Refer to the following KB to disable UAC for the generated CMAK package.
2. Disable UAC on all Vista clients. (not the preferred practice)

How to disable the User Account Control Prompt for certain application
http://msmvps.com/blogs/xperts64/archive/2007/12/31/disable-uac-prompt-for-a
-single-application.aspx

The steps to disable the User Account Control Prompt for certain
application:

1) Download and install the Application Compatibility Toolkit (link below).
2) Open the Compatibility Administrator application with elevated
credentials.
3) In the left hand pane, right-click on the database under Custom
Databases and
select Create New Application Fix
4) Enter the name and other details of the application you want to alter
behavior
on and then browse to it to select it.
5) Click Next until you are in the Compatibility Fixes screen.
6) To prevent being prompted to elevate an application (which means that it
will
always use the less privileged credential to run) place a checkmark next to
RunAsInvoker.
7) Click Next and then Finish.
8) Select File and Save As. Save the file as a filename.SDB type file in a
directory you will easily find it.
9) Copy the .sdb file to the Vista computer you want to alter the
elevation prompt behavior on.
10) Open an elevated command prompt.
11) Run the command (without the quotes, assuming you copied the file to
the
Windows directory on C: "sdbinst c:\windows\.sdb" and then
press
enter.

Microsoft Application Compatibility Toolkit 5.0
http://www.microsoft.com/downloads/details.aspx?FamilyId=24DA89E9-B581-47B0-
B45E-49
2DD6DA2971=en

More info on the other options you have in altering application launch
behavior are
available at the URL below:

Application Compatibility Feature Guide
http://www.microsoft.com/technet/desktopdeployment/bdd/standard/AppCompact_6
.mspx

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: 13 October 2016 12:47
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

Budget for this is nil but I'll have a look and see.  The installation of the 
connectoid isn't the issue, it's all runtime when the user tries to connect to 
the VPN.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin
Sent: Thursday, October 13, 2016 7:15 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

You can use privilege management tools like AppSense Application Manager, RES, 
Scense and the like to configure specific files that can run with elevated 
rights.

There's also tools like CPAU from JoeWare which can run scripts with elevated 
privileges so that you can get the profile build to complete maybe?

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: 13 October 2016 12:05
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] CMAK profiles without admin rights

Hello folks,

We've been working on removing admin rights for users in our environment. One 
snag we've run into is related to our

[NTSysADM] RE: Modified date on distribution group AD object

2016-10-13 Thread Brian Desmond

If you do a repadmin /showobjmeta on the object, it will give you timestamps 
per attribute which would be a good starting point.

Thanks,
Brian Desmond

(w) 312.625.1438 | (c) 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Heaton, Joseph@Wildlife
Sent: Thursday, October 13, 2016 11:30 AM
To: 'NT System Admin Issues Discussion list' 
Subject: [NTSysADM] Modified date on distribution group AD object

We have 16 distribution groups that are showing the exact same Modified 
timestamp.  A couple of these are used for automated message delivery for 
different applications.  Since this change date, those messages are no longer 
being delivered.  I use Netwrix to audit things, and it doesn't have anything 
for these distribution groups changing in that whole week.

What causes that modified timestamp to change?  Where else can I look to try 
and see what got modified?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]
SaveOurWater.com * 
Drought.CA.gov

[NTSysADM] RE: CMAK profiles without admin rights

2016-10-13 Thread Melvin Backus

Thanks for reminding me about that. I've used it in the past and forgot all 
about it. :(  I need a vacation. :)


--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Stephen Gestwicki
Sent: Thursday, October 13, 2016 11:37 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

You should be able to use Processes Explorer to find that while running the VPN.

[cid:image001.png@01D22549.F14C5E80]

https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx?f=255=-2147217396

- Stephen

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: Thursday, October 13, 2016 10:30 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

I've see that, but as was pointed out it one of the articles I read, what 
executable do you assign that to? The offending process is a DLL.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin
Sent: Thursday, October 13, 2016 7:58 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

I assume you probably read this already but just in case you haven't (pulled 
from http://www.winvistatips.com/threads/cmak-elevated-privs-for-vista.725462/ )

The route table updating via Cmroute in the CMAK package requires admin
privileges. Because of the introduction of UCA (user account control) in
Windows Vista, you need to running CM profile with cmroute custom action
from admin user (user in administrative group and with UAC disabled) or
from elevated cmd. If UAC is enabled then cmroute will ask for elevation.

If you do not want to receive the prompt, you may consider the following
options:

1. Refer to the following KB to disable UAC for the generated CMAK package.
2. Disable UAC on all Vista clients. (not the preferred practice)

How to disable the User Account Control Prompt for certain application
http://msmvps.com/blogs/xperts64/archive/2007/12/31/disable-uac-prompt-for-a
-single-application.aspx


The steps to disable the User Account Control Prompt for certain
application:

1) Download and install the Application Compatibility Toolkit (link below).
2) Open the Compatibility Administrator application with elevated
credentials.
3) In the left hand pane, right-click on the database under Custom
Databases and
select Create New Application Fix
4) Enter the name and other details of the application you want to alter
behavior
on and then browse to it to select it.
5) Click Next until you are in the Compatibility Fixes screen.
6) To prevent being prompted to elevate an application (which means that it
will
always use the less privileged credential to run) place a checkmark next to
RunAsInvoker.
7) Click Next and then Finish.
8) Select File and Save As. Save the file as a filename.SDB type file in a
directory you will easily find it.
9) Copy the .sdb file to the Vista computer you want to alter the
elevation prompt behavior on.
10) Open an elevated command prompt.
11) Run the command (without the quotes, assuming you copied the file to
the
Windows directory on C: "sdbinst c:\windows\.sdb" and then
press
enter.

Microsoft Application Compatibility Toolkit 5.0
http://www.microsoft.com/downloads/details.aspx?FamilyId=24DA89E9-B581-47B0-
B45E-49
2DD6DA2971=en

More info on the other options you have in altering application launch
behavior are
available at the URL below:

Application Compatibility Feature Guide
http://www.microsoft.com/technet/desktopdeployment/bdd/standard/AppCompact_6
.mspx

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: 13 October 2016 12:47
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

Budget for this is nil but I'll have a look and see.  The installation of the 
connectoid isn't the issue, it's all runtime when the user tries to connect to 
the VPN.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin
Sent: Thursday, October 13, 2016 7:15 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

You can use privilege management tools like AppSense Application Manager, RES, 
Scense and the like to

[NTSysADM] RE: CMAK profiles without admin rights

2016-10-13 Thread Stephen Gestwicki

You should be able to use Processes Explorer to find that while running the VPN.

[cid:image002.png@01D22546.20F9DCB0]

https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx?f=255=-2147217396

- Stephen

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Melvin Backus
Sent: Thursday, October 13, 2016 10:30 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

I've see that, but as was pointed out it one of the articles I read, what 
executable do you assign that to? The offending process is a DLL.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin
Sent: Thursday, October 13, 2016 7:58 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

I assume you probably read this already but just in case you haven't (pulled 
from http://www.winvistatips.com/threads/cmak-elevated-privs-for-vista.725462/ )

The route table updating via Cmroute in the CMAK package requires admin
privileges. Because of the introduction of UCA (user account control) in
Windows Vista, you need to running CM profile with cmroute custom action
from admin user (user in administrative group and with UAC disabled) or
from elevated cmd. If UAC is enabled then cmroute will ask for elevation.

If you do not want to receive the prompt, you may consider the following
options:

1. Refer to the following KB to disable UAC for the generated CMAK package.
2. Disable UAC on all Vista clients. (not the preferred practice)

How to disable the User Account Control Prompt for certain application
http://msmvps.com/blogs/xperts64/archive/2007/12/31/disable-uac-prompt-for-a
-single-application.aspx


The steps to disable the User Account Control Prompt for certain
application:

1) Download and install the Application Compatibility Toolkit (link below).
2) Open the Compatibility Administrator application with elevated
credentials.
3) In the left hand pane, right-click on the database under Custom
Databases and
select Create New Application Fix
4) Enter the name and other details of the application you want to alter
behavior
on and then browse to it to select it.
5) Click Next until you are in the Compatibility Fixes screen.
6) To prevent being prompted to elevate an application (which means that it
will
always use the less privileged credential to run) place a checkmark next to
RunAsInvoker.
7) Click Next and then Finish.
8) Select File and Save As. Save the file as a filename.SDB type file in a
directory you will easily find it.
9) Copy the .sdb file to the Vista computer you want to alter the
elevation prompt behavior on.
10) Open an elevated command prompt.
11) Run the command (without the quotes, assuming you copied the file to
the
Windows directory on C: "sdbinst c:\windows\.sdb" and then
press
enter.

Microsoft Application Compatibility Toolkit 5.0
http://www.microsoft.com/downloads/details.aspx?FamilyId=24DA89E9-B581-47B0-
B45E-49
2DD6DA2971=en

More info on the other options you have in altering application launch
behavior are
available at the URL below:

Application Compatibility Feature Guide
http://www.microsoft.com/technet/desktopdeployment/bdd/standard/AppCompact_6
.mspx

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: 13 October 2016 12:47
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

Budget for this is nil but I'll have a look and see.  The installation of the 
connectoid isn't the issue, it's all runtime when the user tries to connect to 
the VPN.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin
Sent: Thursday, October 13, 2016 7:15 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

You can use privilege management tools like AppSense Application Manager, RES, 
Scense and the like to configure specific files that can run with elevated 
rights.

There's also tools like CPAU from JoeWare which can run scripts with elevated 
privileges so that you can get the profile build to complete maybe?

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: 13 October 2016 12:05
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] CMAK profiles without admin rights

Hello folks,

We've been working

[NTSysADM] Modified date on distribution group AD object

2016-10-13 Thread Heaton, Joseph@Wildlife

We have 16 distribution groups that are showing the exact same Modified 
timestamp.  A couple of these are used for automated message delivery for 
different applications.  Since this change date, those messages are no longer 
being delivered.  I use Netwrix to audit things, and it doesn't have anything 
for these distribution groups changing in that whole week.

What causes that modified timestamp to change?  Where else can I look to try 
and see what got modified?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]
SaveOurWater.com * 
Drought.CA.gov

RE: [NTSysADM] RE: CMAK profiles without admin rights

2016-10-13 Thread Melvin Backus

We tried adding them to Network Configuration Operators and it didn't help. I'm 
not sure if UAC was off or not but that is our normal configuration. I'll go 
through it again just to be sure.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.


-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of James M. Pulver
Sent: Thursday, October 13, 2016 9:00 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] RE: CMAK profiles without admin rights

If the problem is the routes don't get published, you can put Users in Network 
Configurator Operators group, and turn off UAC, and then normal users can 
update their route maps.

James Pulver
CLASSE Computer Group
Cornell University

On 10/13/2016 07:46 AM, Melvin Backus wrote:
> Budget for this is nil but I'll have a look and see.  The installation 
> of the connectoid isn't the issue, it's all runtime when the user 
> tries to connect to the VPN.
>
>
>
> --
> There are 10 kinds of people in the world...
>  those who understand binary and those who don't.
>
>
>
> *From:* listsad...@lists.myitforum.com 
> [mailto:listsad...@lists.myitforum.com] *On Behalf Of *James Rankin
> *Sent:* Thursday, October 13, 2016 7:15 AM
> *To:* ntsysadm@lists.myitforum.com
> *Subject:* [NTSysADM] RE: CMAK profiles without admin rights
>
>
>
> You can use privilege management tools like AppSense Application 
> Manager, RES, Scense and the like to configure specific files that can 
> run with elevated rights.
>
>
>
> There's also tools like CPAU from JoeWare which can run scripts with 
> elevated privileges so that you can get the profile build to complete maybe?
>
>
>
> *From:* listsad...@lists.myitforum.com 
> 
> [mailto:listsad...@lists.myitforum.com] *On Behalf Of *Melvin Backus
> *Sent:* 13 October 2016 12:05
> *To:* ntsysadm@lists.myitforum.com 
> 
> *Subject:* [NTSysADM] CMAK profiles without admin rights
>
>
>
> Hello folks,
>
>
>
> We've been working on removing admin rights for users in our 
> environment. One snag we've run into is related to our RAS VPN 
> connections and CMAK profiles.  In order to make everything work we're 
> using CMAK to build the profile which includes routing, etc.  We can't 
> seem to find a way to get those to work without admin rights because 
> cmroute.dll won't run without elevation.  Any recommendations on how 
> to get around this or possibly push the routes once during initial 
> install and not have to run them at connect time?
>
>
>
> Thanks
>
>
>
> 
> Melvin Backus | Sr. Systems Engineer | Byers Engineering Company |
> 404.497.1565
>
> Service Desk | 404-497-1599 | https://servicedesk.byers.com
>
> --
> There are 10 kinds of people in the world...
>  those who understand binary and those who don't.
>
>
>

[NTSysADM] RE: CMAK profiles without admin rights

2016-10-13 Thread Melvin Backus

I've see that, but as was pointed out it one of the articles I read, what 
executable do you assign that to? The offending process is a DLL.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of James Rankin
Sent: Thursday, October 13, 2016 7:58 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

I assume you probably read this already but just in case you haven't (pulled 
from http://www.winvistatips.com/threads/cmak-elevated-privs-for-vista.725462/ )

The route table updating via Cmroute in the CMAK package requires admin
privileges. Because of the introduction of UCA (user account control) in
Windows Vista, you need to running CM profile with cmroute custom action
from admin user (user in administrative group and with UAC disabled) or
from elevated cmd. If UAC is enabled then cmroute will ask for elevation.

If you do not want to receive the prompt, you may consider the following
options:

1. Refer to the following KB to disable UAC for the generated CMAK package.
2. Disable UAC on all Vista clients. (not the preferred practice)

How to disable the User Account Control Prompt for certain application
http://msmvps.com/blogs/xperts64/archive/2007/12/31/disable-uac-prompt-for-a
-single-application.aspx


The steps to disable the User Account Control Prompt for certain
application:

1) Download and install the Application Compatibility Toolkit (link below).
2) Open the Compatibility Administrator application with elevated
credentials.
3) In the left hand pane, right-click on the database under Custom
Databases and
select Create New Application Fix
4) Enter the name and other details of the application you want to alter
behavior
on and then browse to it to select it.
5) Click Next until you are in the Compatibility Fixes screen.
6) To prevent being prompted to elevate an application (which means that it
will
always use the less privileged credential to run) place a checkmark next to
RunAsInvoker.
7) Click Next and then Finish.
8) Select File and Save As. Save the file as a filename.SDB type file in a
directory you will easily find it.
9) Copy the .sdb file to the Vista computer you want to alter the
elevation prompt behavior on.
10) Open an elevated command prompt.
11) Run the command (without the quotes, assuming you copied the file to
the
Windows directory on C: "sdbinst c:\windows\.sdb" and then
press
enter.

Microsoft Application Compatibility Toolkit 5.0
http://www.microsoft.com/downloads/details.aspx?FamilyId=24DA89E9-B581-47B0-
B45E-49
2DD6DA2971=en

More info on the other options you have in altering application launch
behavior are
available at the URL below:

Application Compatibility Feature Guide
http://www.microsoft.com/technet/desktopdeployment/bdd/standard/AppCompact_6
.mspx

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: 13 October 2016 12:47
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

Budget for this is nil but I'll have a look and see.  The installation of the 
connectoid isn't the issue, it's all runtime when the user tries to connect to 
the VPN.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin
Sent: Thursday, October 13, 2016 7:15 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

You can use privilege management tools like AppSense Application Manager, RES, 
Scense and the like to configure specific files that can run with elevated 
rights.

There's also tools like CPAU from JoeWare which can run scripts with elevated 
privileges so that you can get the profile build to complete maybe?

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: 13 October 2016 12:05
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] CMAK profiles without admin rights

Hello folks,

We've been working on removing admin rights for users in our environment. One 
snag we've run into is related to our RAS VPN connections and CMAK profiles.  
In order to make everything work we're using CMAK to build the profile which 
includes routing, etc.  We can't seem to find a way to get those to work 
without admin rights because cmroute.dll won't run without elevation.  Any 
recommendations on how to get around this or possibly push the routes once 
during initial install and not have to run them at connect time?

Thanks

Re: [NTSysADM] RE: CMAK profiles without admin rights

2016-10-13 Thread James M. Pulver

If the problem is the routes don't get published, you can put Users in 
Network Configurator Operators group, and turn off UAC, and then normal 
users can update their route maps.


James Pulver
CLASSE Computer Group
Cornell University

On 10/13/2016 07:46 AM, Melvin Backus wrote:

Budget for this is nil but I’ll have a look and see.  The installation
of the connectoid isn’t the issue, it’s all runtime when the user tries
to connect to the VPN.



--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.



*From:* listsad...@lists.myitforum.com
[mailto:listsad...@lists.myitforum.com] *On Behalf Of *James Rankin
*Sent:* Thursday, October 13, 2016 7:15 AM
*To:* ntsysadm@lists.myitforum.com
*Subject:* [NTSysADM] RE: CMAK profiles without admin rights



You can use privilege management tools like AppSense Application
Manager, RES, Scense and the like to configure specific files that can
run with elevated rights.



There’s also tools like CPAU from JoeWare which can run scripts with
elevated privileges so that you can get the profile build to complete maybe?



*From:* listsad...@lists.myitforum.com

[mailto:listsad...@lists.myitforum.com] *On Behalf Of *Melvin Backus
*Sent:* 13 October 2016 12:05
*To:* ntsysadm@lists.myitforum.com 
*Subject:* [NTSysADM] CMAK profiles without admin rights



Hello folks,



We’ve been working on removing admin rights for users in our
environment. One snag we’ve run into is related to our RAS VPN
connections and CMAK profiles.  In order to make everything work we’re
using CMAK to build the profile which includes routing, etc.  We can’t
seem to find a way to get those to work without admin rights because
cmroute.dll won’t run without elevation.  Any recommendations on how to
get around this or possibly push the routes once during initial install
and not have to run them at connect time?



Thanks




Melvin Backus | Sr. Systems Engineer | Byers Engineering Company |
404.497.1565

Service Desk | 404-497-1599 | https://servicedesk.byers.com

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

[NTSysADM] RE: CMAK profiles without admin rights

2016-10-13 Thread James Rankin

I assume you probably read this already but just in case you haven't (pulled 
from http://www.winvistatips.com/threads/cmak-elevated-privs-for-vista.725462/ )

The route table updating via Cmroute in the CMAK package requires admin
privileges. Because of the introduction of UCA (user account control) in
Windows Vista, you need to running CM profile with cmroute custom action
from admin user (user in administrative group and with UAC disabled) or
from elevated cmd. If UAC is enabled then cmroute will ask for elevation.

If you do not want to receive the prompt, you may consider the following
options:

1. Refer to the following KB to disable UAC for the generated CMAK package.
2. Disable UAC on all Vista clients. (not the preferred practice)

How to disable the User Account Control Prompt for certain application
http://msmvps.com/blogs/xperts64/archive/2007/12/31/disable-uac-prompt-for-a
-single-application.aspx


The steps to disable the User Account Control Prompt for certain
application:

1) Download and install the Application Compatibility Toolkit (link below).
2) Open the Compatibility Administrator application with elevated
credentials.
3) In the left hand pane, right-click on the database under Custom
Databases and
select Create New Application Fix
4) Enter the name and other details of the application you want to alter
behavior
on and then browse to it to select it.
5) Click Next until you are in the Compatibility Fixes screen.
6) To prevent being prompted to elevate an application (which means that it
will
always use the less privileged credential to run) place a checkmark next to
RunAsInvoker.
7) Click Next and then Finish.
8) Select File and Save As. Save the file as a filename.SDB type file in a
directory you will easily find it.
9) Copy the .sdb file to the Vista computer you want to alter the
elevation prompt behavior on.
10) Open an elevated command prompt.
11) Run the command (without the quotes, assuming you copied the file to
the
Windows directory on C: "sdbinst c:\windows\.sdb" and then
press
enter.

Microsoft Application Compatibility Toolkit 5.0
http://www.microsoft.com/downloads/details.aspx?FamilyId=24DA89E9-B581-47B0-
B45E-49
2DD6DA2971=en

More info on the other options you have in altering application launch
behavior are
available at the URL below:

Application Compatibility Feature Guide
http://www.microsoft.com/technet/desktopdeployment/bdd/standard/AppCompact_6
.mspx

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Melvin Backus
Sent: 13 October 2016 12:47
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

Budget for this is nil but I'll have a look and see.  The installation of the 
connectoid isn't the issue, it's all runtime when the user tries to connect to 
the VPN.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin
Sent: Thursday, October 13, 2016 7:15 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

You can use privilege management tools like AppSense Application Manager, RES, 
Scense and the like to configure specific files that can run with elevated 
rights.

There's also tools like CPAU from JoeWare which can run scripts with elevated 
privileges so that you can get the profile build to complete maybe?

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: 13 October 2016 12:05
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] CMAK profiles without admin rights

Hello folks,

We've been working on removing admin rights for users in our environment. One 
snag we've run into is related to our RAS VPN connections and CMAK profiles.  
In order to make everything work we're using CMAK to build the profile which 
includes routing, etc.  We can't seem to find a way to get those to work 
without admin rights because cmroute.dll won't run without elevation.  Any 
recommendations on how to get around this or possibly push the routes once 
during initial install and not have to run them at connect time?

Thanks


Melvin Backus | Sr. Systems Engineer | Byers Engineering Company | 404.497.1565
Service Desk | 404-497-1599 | https://servicedesk.byers.com
--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

[NTSysADM] RE: CMAK profiles without admin rights

2016-10-13 Thread Melvin Backus

Budget for this is nil but I'll have a look and see.  The installation of the 
connectoid isn't the issue, it's all runtime when the user tries to connect to 
the VPN.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of James Rankin
Sent: Thursday, October 13, 2016 7:15 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

You can use privilege management tools like AppSense Application Manager, RES, 
Scense and the like to configure specific files that can run with elevated 
rights.

There's also tools like CPAU from JoeWare which can run scripts with elevated 
privileges so that you can get the profile build to complete maybe?

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: 13 October 2016 12:05
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] CMAK profiles without admin rights

Hello folks,

We've been working on removing admin rights for users in our environment. One 
snag we've run into is related to our RAS VPN connections and CMAK profiles.  
In order to make everything work we're using CMAK to build the profile which 
includes routing, etc.  We can't seem to find a way to get those to work 
without admin rights because cmroute.dll won't run without elevation.  Any 
recommendations on how to get around this or possibly push the routes once 
during initial install and not have to run them at connect time?

Thanks


Melvin Backus | Sr. Systems Engineer | Byers Engineering Company | 404.497.1565
Service Desk | 404-497-1599 | https://servicedesk.byers.com
--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

[NTSysADM] RE: CMAK profiles without admin rights

2016-10-13 Thread James Rankin

You can use privilege management tools like AppSense Application Manager, RES, 
Scense and the like to configure specific files that can run with elevated 
rights.

There's also tools like CPAU from JoeWare which can run scripts with elevated 
privileges so that you can get the profile build to complete maybe?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Melvin Backus
Sent: 13 October 2016 12:05
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] CMAK profiles without admin rights

Hello folks,

We've been working on removing admin rights for users in our environment. One 
snag we've run into is related to our RAS VPN connections and CMAK profiles.  
In order to make everything work we're using CMAK to build the profile which 
includes routing, etc.  We can't seem to find a way to get those to work 
without admin rights because cmroute.dll won't run without elevation.  Any 
recommendations on how to get around this or possibly push the routes once 
during initial install and not have to run them at connect time?

Thanks


Melvin Backus | Sr. Systems Engineer | Byers Engineering Company | 404.497.1565
Service Desk | 404-497-1599 | https://servicedesk.byers.com
--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

[NTSysADM] CMAK profiles without admin rights

2016-10-13 Thread Melvin Backus

Hello folks,

We've been working on removing admin rights for users in our environment. One 
snag we've run into is related to our RAS VPN connections and CMAK profiles.  
In order to make everything work we're using CMAK to build the profile which 
includes routing, etc.  We can't seem to find a way to get those to work 
without admin rights because cmroute.dll won't run without elevation.  Any 
recommendations on how to get around this or possibly push the routes once 
during initial install and not have to run them at connect time?

Thanks


Melvin Backus | Sr. Systems Engineer | Byers Engineering Company | 404.497.1565
Service Desk | 404-497-1599 | https://servicedesk.byers.com
--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

[NTSysADM] Free MS Press 2016 server intro book.

[NTSysADM] RE: CMAK profiles without admin rights

[NTSysADM] RE: Modified date on distribution group AD object

[NTSysADM] RE: CMAK profiles without admin rights

[NTSysADM] RE: CMAK profiles without admin rights

[NTSysADM] Modified date on distribution group AD object

RE: [NTSysADM] RE: CMAK profiles without admin rights

[NTSysADM] RE: CMAK profiles without admin rights

Re: [NTSysADM] RE: CMAK profiles without admin rights

[NTSysADM] RE: CMAK profiles without admin rights

[NTSysADM] RE: CMAK profiles without admin rights

[NTSysADM] RE: CMAK profiles without admin rights

[NTSysADM] CMAK profiles without admin rights

13 matches

Site Navigation

Mail list logo

Footer information