Solved Issues with admin elevation from system drive

nrhs05

Hey Everyone, my first time on the forums here, and hopefully I am posting in the right section!

This is going to be a bit of an in-depth explanation here, and I am sure I will leave stuff out that we have already tested, as I have done a fair bit of testing into what exactly is happening. Unfortunately we do not know what is causing the issue yet, which is what I am going to try and narrow down first. I will try and lay this out in as short a way as possible, so here goes.

We have a Windows 7 image that we use, and have had an issue where our main user account (which is a member of the administrators group) ends up not being able to install applications, due to what seems to be UAC not elevating. We have a second admin account we have for our own uses, and the guest/built-in administrator accounts are disabled.


  • We are running Windows 7 Professional x64 SP1
  • After an image of a machine (I think it was just sysprepped and maybe driverpacks were used) the account is fine, and it seemingly breaks "randomly" (have to narrow down when it actually happens)
  • UAC is disabled on all machines, working and not working (all prompts disabled; I realize it is technically still enabled)
  • If you re-enable UAC, the installer or program will run fine with appropriate administrative rights, but if you run the application and it needs to create files to run there can be issues we run into.
  • When we run an installer or program from anywhere on the C: drive, the program will not have ANY administrative rights, it cannot create files or folders, and in a lot of cases this prevents the program from working or installing in the first place. We do not seem to have any issues with our built-in applications in our image, or Office for that matter. We recently ran into an issue with an Adobe program not running right on affected machines.
  • We have a D: drive for temporary storage purposes; if you copy the installer to that drive it will run or install fine. For example, I ran regshot from the C: drive and it will not create any txt files it tries to create, but it will from the D:... makes no sense.
  • With UAC disabled, if you are using a program that does not have rights, and need to save a file, you can create a new folder, and you have access to save files in that specific folder.
  • We can re-create the account and it will resolve the issue, but we have a ton of custom modifications and 100s of machines, so it is not really an effective solution as it will not work as intended at that point.
  • Right clicking and running as administrator does not work
  • Systems seem to boot extremely slowly when loading the profile.
  • Windows Defender and Firewall have been disabled, no virus scanner installed at the point of failure (we do use Symantec Endpoint)
  • We have our My Documents pointed to a network share (H: drive), and it seems to have "merged" the desktop and download folders on the user account. This is still the case on perfectly working machines though.
  • Compared all permissions, owners, inherited rights filters on all folders and they all look to be the same on a working and non-working machine
  • Sometimes when logging in it will create temporary profiles when it is unable to load our main profile, but a reboot fixes that.. perhaps this is where it is "corrupting", like I said more testing to do ha.


I realize a "fix" for this is most likely going to be nonexistent other than recreating a profile... I am more looking for some suggestions as to where to look at where this is breaking during our setup process, and maybe the fact it only seems to not work from the C: drive might ring a bell with someone who has seen it before. Our setup process doesn't do a whole lot, aside from updating some applications and applying any new Windows updates (we don't have a WSUS yet lol)


I probably have any extra questions on our setup on the tip of my tongue if you have any more questions, and sorry for any poor grammar!



Thanks!
 

Hey Everyone!

Just figured I would post back as to what the issue was, as I THINK I just figured it out. Eventually I narrowed it down to an issue with the desktop, not necessarily the C: drive, so something was off in my troubleshooting there initially lol. Running the following command showed me the issue:

icacls C:\users\username\desktop

c:\users\username\desktop NT AUTHORITY\SYSTEM(OI)(CI)(F)
BUILTIN\Administrators (OI)(CI)(F)
HOME-PC\username (OI)(CI)(F)
Mandatory Label\Low Mandatory Level (OI)(CI)(NW)

Do not know how it set this low mandatory level in the first place or even what it is, as it is not there on working machines, but it was preventing most files from running from the desktop. Running these commands fixed it for me:

icacls C:\users\username\desktop /setintegritylevel high
then
icacls C:\users\username\desktop /setintegritylevel low

This removed the (OI) and (CI) inheritance from them, so not sure if it's actually not technically active on items on the desktop now with those settings, which could explain why it's working... that setting must now only be active on the desktop folder itself and not its children.... I also found a utility that removes it altogether from a third party called CMHL that removed it with a command line command!

Hope this helps someone else some day down the road!
 

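Added example, not part of the original posts: to check other folders or machines for the same condition, this Python script parses captured icacls output and reports every path that carries an explicit Low mandatory integrity label, including whether the (OI)/(CI) flags pass the label on to files and subfolders. The function names and the sample listings are constructed for illustration, and username is a placeholder.

```python
import re

# icacls lists an integrity label as a pseudo-entry, for example
#   Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
# The colon is optional here because the listing pasted in the post lacks it.
LABEL_RE = re.compile(
    r"Mandatory Label\\([\w ]+?) Mandatory Level:?\s*((?:\([A-Z]+\))+)")

def integrity_label(listing):
    """Return (level, flags) for the label in one icacls listing, or None."""
    m = LABEL_RE.search(listing)
    if m is None:
        return None  # no explicit label: Windows treats the object as Medium
    return m.group(1), set(re.findall(r"\(([A-Z]+)\)", m.group(2)))

def audit(listings):
    """listings maps each queried path to the icacls text captured for it."""
    findings = []
    for path, text in sorted(listings.items()):
        label = integrity_label(text)
        if label is None or label[0] != "Low":
            continue
        flags = label[1]
        # OI: files inherit the label. CI: subfolders inherit it.
        # IO: applies to children only. I: inherited from a parent.
        if not flags & {"OI", "CI"}:
            scope = "this object only"
        elif "IO" in flags:
            scope = "children only"
        else:
            scope = "this object and children"
        findings.append({"path": path, "scope": scope,
                         "inherited": "I" in flags,
                         "policy": sorted(flags & {"NW", "NR", "NX"})})
    return findings

# Constructed sample listings; paths and account names are placeholders.
SAMPLE = {
    r"C:\Users\username\Desktop": r"""C:\Users\username\Desktop NT AUTHORITY\SYSTEM:(OI)(CI)(F)
        BUILTIN\Administrators:(OI)(CI)(F)
        Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)""",
    r"C:\Users\username\Desktop\setup.exe": r"""C:\Users\username\Desktop\setup.exe BUILTIN\Administrators:(I)(F)
        Mandatory Label\Low Mandatory Level:(I)(NW)""",
    r"C:\Users\username\Documents": r"""C:\Users\username\Documents BUILTIN\Administrators:(OI)(CI)(F)""",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A listing with no Mandatory Label line has no explicit label, so it produces no finding; (NW) in the policy field is the no-write-up policy shown in the post's output.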