User Account Control - What you need to know from a deployment perspective
I've had a couple of emails from people attempting to use their own admin accounts to carry out the build process and hitting User Account Control (UAC) issues. User Account Control is a core security feature of Windows Vista that fundamentally changes the way users will use the operating system. By default UAC helps protect against malware by running all users as Standard Users (including Administrators). When an application or user requires elevated privileges to complete a task, a consent prompt is presented to the user. The user can then subsequently (given the proper rights) elevate permissions in order for the application to complete the task. Enhancements in Windows Vista and UAC now allow Standard Users to perform more common tasks then before, opening up the possibility of removing administrative privileges from end users. The table below identifies some of the new stadard user tasks and the tasks that require admin elevation.
Standard User Tasks |
Requires Administrator Elevation |
|
Windows Vista |
Ø Establish a Local Area Network connection Ø Establish and configure a wireless connection Ø Modify Display Settings Ø Users cannot defragment the hard drive, but a service does this on their behalf Ø Play CD/DVD media (configurable with Group Policy) Ø Burn CD/DVD media (configurable with Group Policy) Ø Change the desktop background for the current user Ø Open the Date and Time Control Panel and change the time zone Ø Use Remote Desktop to connect to another computer Ø Change user's own account password Ø Configure battery power options Ø Configure Accessibility options Ø Restore user's backed-up files Ø Set-up computer synchronization with a mobile device (smart phone, laptop, or PDA) Ø Connect and configure a Bluetooth device |
Ø Install and uninstall applications Ø Install a driver for a device (E.G. a digital camera driver) Ø Install Windows updates Ø Configure Parental Controls Ø Install an ActiveX control Ø Open the Windows Firewall Control Panel Ø Change a user's account type Ø Modify UAC settings in the Security Policy Editor snap-in (secpol.msc) Ø Configure Remote Desktop access Ø Add or remove a user account Ø Copy or move files into the Program Files or Windows directory Ø Schedule Automated Tasks Ø Restore system backed-up files Ø Configure Automatic Updates Ø Browse to another user's directory |
The BDD 2007 process uses the in-built administrator account that is re-enabled by the build unattend file (shown below) that BDD 2007 generates when you set up a new build. This account is used to carry out the required tasks when Windows Vista has finished it's initial installation. This account is exempt from UAC.
<RunSynchronous>
<RunSynchronousCommand wcm:action="add">
<Description>EnableAdmin</Description>
<Order>1</Order>
<Path>cmd /c net user Administrator /active:yes</Path>
</RunSynchronousCommand>
<RunSynchronousCommand wcm:action="add">
<Description>EnableAdmin_ploc</Description>
<Order>2</Order>
<Path>cmd /c net user Administrator_ploc /active:yes</Path>
</RunSynchronousCommand>
<RunSynchronousCommand wcm:action="add">
<Description>UnfilterAdministratorToken</Description>
<Order>3</Order>
<Path>cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken /t REG_DWORD /d 0 /f</Path>
</RunSynchronousCommand>
</RunSynchronous>
Issues arrise if you try to use your own Administrator account generated as part of the Windows Vista install process - these accounts, even though part of the local Administrators group are not exempted from UAC, so running particular tasks and scripts will cause the UAC dialogues to appear and interupt any automated process you wish to run. Always try to use the built in Administrator account for all build functions