Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Issues with admin elevation from system drive

08 Oct 2014   #1
nrhs05

Windows 7 Professional X64
 
 
Issues with admin elevation from system drive

Hey Everyone, my first time on the forums here, and hopefully i am posting in the right section!

This is going to be a bit of an in depth explanation here and i am sure i will leave stuff out that we have already tested, as i have done a fair bit of tested into what exactly is happening. Unfortunately we do not know what is causing the issue yet, which is what i am going to try and narrow down first. I will try and lay this out in as short of a way as possible so here goes.

We have a Windows 7 image that we use, and have had an issue where our main user account (which is a member of the administrators group) ends up not being able to install applications, due to what seems to be UAC not elevating. We have a second admin account we have for our own uses, and the guest/built-in administrator accouts are disabled.

  • We are running Windows 7 Professional x64 SP1
  • After an image of a machine (i think it was just sysprepped and maybe driverpacks were used) the account is fine, and it seemingly breaks "randomly" (have to narrow down when it actually happens)
  • UAC is disabled on all machines working and not working(all prompts disabled, i realize it is technically still enabled)
  • If you re-enable UAC, the installer or program will run fine with appropriate administrative rights, but if you run the application and it needs to create files to run there can be issues we run into.
  • When we run a installer or program from anywhere on the C: drive, the program will not have ANY administrative rights, it cannot create files or folders, and in a lot of cases this prevents the program from working or installing in the first place. We do not seem to have any issues with our built in applications in our image, or office for that matter. We recently ran into an issue with an adobe program not running right on effected machines.
  • We have a D: drive for temporary storage purposes, if you copy the installer to that drive it will run or install fine. For example, i ran regshot from the C: drive and it will not create any txt files it tries to create, but it will from the D:... makes no sense.
  • With UAC disabled, if you are using a program that does not have rights, and need to save a file, you can create a new folder, and you have access to save files in that specific folder.
  • We can re-create the account and it will resolve the issue, but we have a ton of custom modifications and 100s of machines so it is not really an effective solution as it will not work as indented at that point.
  • Right clicking and running as administrator does not work
  • Systems seem to boot extremely slow when loading the profile.
  • Windows Defender and Firewall has been disabled, no virus scanner installed at the point of failure (we do use symantec endpoint)
  • We have our my documents points to a network share (H: drive, and it seems to have "merged" the desktop and download folders on the user account. This is still the case on perfectly working machines though.
  • Compared all permissions, owners, inherited rights filters on all folders and they all look to be the same on a working and non working machine
  • Sometimes when logging in it will create Temporary profiles when it is unable to load our main profile but a reboot fixes that.. perhaps this where it is "corrupting", like i said more testing to do ha.


I realize a "fix" for this is most likely going to be non existant rather than recreating a profile... i am more looking for some suggestions as to where to look at where this is breaking during our setup process, and maybe the fact it only seems to not work from the C: drive might ring a bell with someone who has seen it before. Our setup process doesnt do a whole lot, aside from updating some applications and applying any new windows updates (we dont have a wsus yet lol)


I probably have any extra questions on our setup on the tip of my tongue if you have any more questions, and sorry for any poor grammar!



Thanks!


My System SpecsSystem Spec
.
14 Oct 2014   #2
nrhs05

Windows 7 Professional X64
 
 

Hey Everyone!

Just figured i would post back as to what the issue was as i THINK i just figured it out. Eventually i narrowed it down to an issue with the desktop, not necessarily the C: drive so something off in my troubleshooting there initially lol. Running the following command showed me the issue:

icacls C:\users\username\desktop

c:\users\username\desktop NT AUTHORITY\SYSTEM(OI)(CI)(F)
BUILTIN\Administrators (OI)(CI)(F)
HOME-PC\username (OI)(CI)(F)
Mandatory Label\Low Mandatory Level (OI)(CI)(NW)

Do not know how it set this low mandatory level in the first place or even what it is as it is not there on working machines, but it was preventing most files from running from the desktop. Running this commands fixed it for me:

icacls C:\users\username\desktop /setintegritylevel high
then
icacls C:\users\username\desktop /setintegritylevel low

this removed the (oi) and (ci) inheritance from them, so not sure if its actually not technically active on items on the desktop now with those settings which could explain why its working... that setting must now only be active on the desktop folder itself and not its children.... i also found a utility that removes it all together from a third party called CMHL that removed it with a command line command!

Hope this helps someone else some day down the road!
My System SpecsSystem Spec
Reply

 Issues with admin elevation from system drive




Thread Tools Search this Thread
Search this Thread:

Advanced Search




Similar help and support threads
Thread Forum
New restore/install, admin issues
Today I decided to wipe out my Gateway PC and do a restore/new install. The problem is, is that every time I install a program an admin window opens up and asks for a password. I never had this trouble before. I have the Admin account then my account that shows as admin when I logon, but looking...
General Discussion
Issues with hiberfil.sys / safemode / admin / et al
I just recently built this computer and was checking my harddrive last night and realized I was already at 87 gigs of 111 gigs available. This made absolutely no sense since I only have Windows 7, Nero and a copy of Skyrim installed thusfar. I started making inquiries and lo and behold I...
Performance & Maintenance
remove admin elevation for program
Hey everyone, I have a program that requires admin approval to run. However, I would like this program to be used by a power user account, instead of an admin account. I cannot have the admin elevation asking to elevate w/ password every time, as I may not be available when the user attempts...
Software
Admin/Guest Issues
Hello, Hopefully someone can help me with this. I set up a Admin account on my computer. I was able to access it, so I was using guess and remembered it when going cmd the control userpassword2 i accidently deleted the admin account at the point and now only have access to guest. how...
System Security
Issues with Admin Rights
Ok, so here's my issue. I am the admin on my laptop although some things are disabled. I bought it as a refurb with W7 HP 32bit. If I go to manage accounts and create a new account with FULL power, it already shows me as the Admin. When I go to turn on Windows Updates, it says "Some settings...
System Security
non-admin user, wireless issues
Hi, Ive just bought my daughter a new laptop which had Win7 home pre-installed. I left the default account as an administrator account, passworded and created a secondary account for her, non-passworded. Everytime we log into her account, the wireless light on the laptop seems to be...
Network & Sharing


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 14:00.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App