I assume you probably read this already but just in case you haven't (pulled from http://www.winvistatips.com/threads/cmak-elevated-privs-for-vista.725462/ )
The route table updating via Cmroute in the CMAK package requires admin privileges. Because of the introduction of UCA (user account control) in Windows Vista, you need to running CM profile with cmroute custom action from admin user (user in administrative group and with UAC disabled) or from elevated cmd. If UAC is enabled then cmroute will ask for elevation. If you do not want to receive the prompt, you may consider the following options: 1. Refer to the following KB to disable UAC for the generated CMAK package. 2. Disable UAC on all Vista clients. (not the preferred practice) How to disable the User Account Control Prompt for certain application http://msmvps.com/blogs/xperts64/archive/2007/12/31/disable-uac-prompt-for-a -single-application.aspx The steps to disable the User Account Control Prompt for certain application: 1) Download and install the Application Compatibility Toolkit (link below). 2) Open the Compatibility Administrator application with elevated credentials. 3) In the left hand pane, right-click on the database under Custom Databases and select Create New Application Fix 4) Enter the name and other details of the application you want to alter behavior on and then browse to it to select it. 5) Click Next until you are in the Compatibility Fixes screen. 6) To prevent being prompted to elevate an application (which means that it will always use the less privileged credential to run) place a checkmark next to RunAsInvoker. 7) Click Next and then Finish. 8) Select File and Save As. Save the file as a filename.SDB type file in a directory you will easily find it. 9) Copy the <filename>.sdb file to the Vista computer you want to alter the elevation prompt behavior on. 10) Open an elevated command prompt. 11) Run the command (without the quotes, assuming you copied the file to the Windows directory on C: "sdbinst c:\windows\<filename>.sdb" and then press enter. Microsoft Application Compatibility Toolkit 5.0 http://www.microsoft.com/downloads/details.aspx?FamilyId=24DA89E9-B581-47B0- B45E-49 2DD6DA2971&displaylang=en More info on the other options you have in altering application launch behavior are available at the URL below: Application Compatibility Feature Guide http://www.microsoft.com/technet/desktopdeployment/bdd/standard/AppCompact_6 .mspx From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus Sent: 13 October 2016 12:47 To: ntsysadm@lists.myitforum.com Subject: [NTSysADM] RE: CMAK profiles without admin rights Budget for this is nil but I'll have a look and see. The installation of the connectoid isn't the issue, it's all runtime when the user tries to connect to the VPN. -- There are 10 kinds of people in the world... those who understand binary and those who don't. From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin Sent: Thursday, October 13, 2016 7:15 AM To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com> Subject: [NTSysADM] RE: CMAK profiles without admin rights You can use privilege management tools like AppSense Application Manager, RES, Scense and the like to configure specific files that can run with elevated rights. There's also tools like CPAU from JoeWare which can run scripts with elevated privileges so that you can get the profile build to complete maybe? From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus Sent: 13 October 2016 12:05 To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com> Subject: [NTSysADM] CMAK profiles without admin rights Hello folks, We've been working on removing admin rights for users in our environment. One snag we've run into is related to our RAS VPN connections and CMAK profiles. In order to make everything work we're using CMAK to build the profile which includes routing, etc. We can't seem to find a way to get those to work without admin rights because cmroute.dll won't run without elevation. Any recommendations on how to get around this or possibly push the routes once during initial install and not have to run them at connect time? Thanks -------------------- Melvin Backus | Sr. Systems Engineer | Byers Engineering Company | 404.497.1565 Service Desk | 404-497-1599 | https://servicedesk.byers.com -- There are 10 kinds of people in the world... those who understand binary and those who don't.