Ah right :)

Don't know whether you'd be able to do a spot of Process Monitoring and see if 
there is a parent process (shot in dark!)?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Melvin Backus
Sent: 13 October 2016 15:30
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: CMAK profiles without admin rights

I've see that, but as was pointed out it one of the articles I read, what 
executable do you assign that to? The offending process is a DLL.

--
There are 10 kinds of people in the world...
         those who understand binary and those who don't.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin
Sent: Thursday, October 13, 2016 7:58 AM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] RE: CMAK profiles without admin rights

I assume you probably read this already but just in case you haven't (pulled 
from http://www.winvistatips.com/threads/cmak-elevated-privs-for-vista.725462/ )

The route table updating via Cmroute in the CMAK package requires admin
privileges. Because of the introduction of UCA (user account control) in
Windows Vista, you need to running CM profile with cmroute custom action
from admin user (user in administrative group and with UAC disabled) or
from elevated cmd. If UAC is enabled then cmroute will ask for elevation.

If you do not want to receive the prompt, you may consider the following
options:

1. Refer to the following KB to disable UAC for the generated CMAK package.
2. Disable UAC on all Vista clients. (not the preferred practice)

How to disable the User Account Control Prompt for certain application
http://msmvps.com/blogs/xperts64/archive/2007/12/31/disable-uac-prompt-for-a
-single-application.aspx


The steps to disable the User Account Control Prompt for certain
application:

1) Download and install the Application Compatibility Toolkit (link below).
2) Open the Compatibility Administrator application with elevated
credentials.
3) In the left hand pane, right-click on the database under Custom
Databases and
select Create New Application Fix
4) Enter the name and other details of the application you want to alter
behavior
on and then browse to it to select it.
5) Click Next until you are in the Compatibility Fixes screen.
6) To prevent being prompted to elevate an application (which means that it
will
always use the less privileged credential to run) place a checkmark next to
RunAsInvoker.
7) Click Next and then Finish.
8) Select File and Save As. Save the file as a filename.SDB type file in a
directory you will easily find it.
9) Copy the <filename>.sdb file to the Vista computer you want to alter the
elevation prompt behavior on.
10) Open an elevated command prompt.
11) Run the command (without the quotes, assuming you copied the file to
the
Windows directory on C: "sdbinst c:\windows\<filename>.sdb" and then
press
enter.

Microsoft Application Compatibility Toolkit 5.0
http://www.microsoft.com/downloads/details.aspx?FamilyId=24DA89E9-B581-47B0-
B45E-49
2DD6DA2971&displaylang=en

More info on the other options you have in altering application launch
behavior are
available at the URL below:

Application Compatibility Feature Guide
http://www.microsoft.com/technet/desktopdeployment/bdd/standard/AppCompact_6
.mspx

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: 13 October 2016 12:47
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] RE: CMAK profiles without admin rights

Budget for this is nil but I'll have a look and see.  The installation of the 
connectoid isn't the issue, it's all runtime when the user tries to connect to 
the VPN.

--
There are 10 kinds of people in the world...
         those who understand binary and those who don't.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of James Rankin
Sent: Thursday, October 13, 2016 7:15 AM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] RE: CMAK profiles without admin rights

You can use privilege management tools like AppSense Application Manager, RES, 
Scense and the like to configure specific files that can run with elevated 
rights.

There's also tools like CPAU from JoeWare which can run scripts with elevated 
privileges so that you can get the profile build to complete maybe?

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: 13 October 2016 12:05
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] CMAK profiles without admin rights

Hello folks,

We've been working on removing admin rights for users in our environment. One 
snag we've run into is related to our RAS VPN connections and CMAK profiles.  
In order to make everything work we're using CMAK to build the profile which 
includes routing, etc.  We can't seem to find a way to get those to work 
without admin rights because cmroute.dll won't run without elevation.  Any 
recommendations on how to get around this or possibly push the routes once 
during initial install and not have to run them at connect time?

Thanks

--------------------
Melvin Backus | Sr. Systems Engineer | Byers Engineering Company | 404.497.1565
Service Desk | 404-497-1599 | https://servicedesk.byers.com
--
There are 10 kinds of people in the world...
         those who understand binary and those who don't.


Reply via email to