Attix5 Pro FAQ
Search:     Advanced search

User Account Control Whitelisting

Article ID: 54
Last updated: 21 May, 2013
Background
User Account Control is a feature of Windows Vista and Windows 7 that prompts the user for permission to continue as the software may change settings on the system.
On Windows 7, Attix5 triggers UAC prompts.

UAC is not always a popular feature, and administrators and users alike often seek to minimise its impact.
There are several ways this is commonly done:
  • Turning off UAC completely
  • Configuring the compatibility mode of each affected executable to run with administrative privileges
  • Setting operating system compatibility for each affected executable
  • Granting users administrative privileges
Some of the above measures may compromise security policy, and may not be acceptable for an organisation seeking to use Attix5.
UAC whitelisting offers an alternative, allowing Attix5 to be run without prompts and does not require administrative privileges.
Requirements
You will need to download and install the Microsoft Application Compatibility Toolkit, available here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=24da89e9-b581-47b0-b45e-492dd6da2971&displaylang=en
There are both 32 and 64-bit versions of this which are required for the appropriate Operating System.
Configuration
  1. As Administrator, start the “Compatibility Administrator” application.
    When started, this should automatically open a New Database.

    Note: If editing an existing database, open the existing .sdb file and proceed as normal.
  2. Right click and navigate to Create New > Application Fix. This will launch a wizard.


  3. Enter the name of the program, Attix5 as the vendor, and enter or browse to find the program file path (this case the A5Tray.exe located in the Backup Client SE folder) . For the program name, it is recommended to enter the application version so that versions can be tracked easily. Click Next.


  4. On the Compatibility Modes page, check the RunAsInvoker checkbox and click Next.


  5. Nothing needs to be checked on “Compatibility Fixes”, click Next.
  6. On the Matching Information page, the following options will be automatically checked:
    • BIN_FILE_VERSION
    • BIN_PRODUCT_VERSION
    • PRODUCT_VERSION
    • COMPANY_NAME
    • PRODUCT_NAME
    • FILE_VERSION



    Note: Unchecking all the options apart from COMPANY_NAME and PRODUCT_NAME
  7. Repeat steps 1 - 6 for A5Loader / SERunner or all other appropriate executables.
  8. Using Save As in the file menu, save the database to an administrator accessible location as a .sdb file.
  9. From an Administrator command prompt, navigate to the filepath where the sdb is saved and run the command “sdbinst ”.



    Note: If the sdb has already been installed, you will be prompted to update it. Answer “Yes”.

  10. After the database has been installed, log off as administrator and in as a user. UAC alerts should no longer be triggered.

    Note: As usual, users will still need write permission to the Attix5 installation directory and any working directories that have been configured. Also note that if the system tray application does not launch automatically at startup for users, you should check in Windows Task Scheduler and ensure that “When running the task use the following account” is set to “Users”.
Updates
If you do find that an updated client is being caught by UAC, this can be rectified by editing the existing database.
As administrator, open the database and add the updated executables using the same procedure as before.
By including their versions within the “name” field, it is possible to add multiple versions of the application to the UAC whitelist. This can allow for an upgrade path, where different client versions have been whitelisted in advance and so should not trigger UAC alerts.
Deployment
To minimise administrative overhead, it is possible to copy the sdb file from one machine to another, and install it with just the “sdbinst” command. The Compatibility Toolkit installation is not required. Tools such as Group Policy can be used to push sdbs out to an Active Directory environment. See Microsoft’s Technet for more details: http://technet.microsoft.com/es-es/library/cc739954%28WS.10%29.aspx

Alternative to creating an MSI package, you can create a NETLOGON script that maps a share on your network containing the SDB files and use the same NETLOGON script to install the databases. See example below;

Configuration

  1. Create a network share called “Account Control” and ensure that everyone has full access to it
  2. Copy the .SDB files created from the Attix5 FAQ above into the network share
  3. Create a DOS Script that maps the network share and installs the databases and save the file as a .cmd file
  4. The script should look similar to this:

    Net use  S: \\FileServer\AccountControl
    Cd\
    S:
    Sdbinst uac-whitelist32bit.sdb
    Sdbinst uac-whitelist64bit.sdb”

    S – This is the available drive letter you want to assign to the network share.
    FileServer – The name of the server which contains the network shared create in Step 1.
    AccountControl – The name of the actual network share
    Uac-whitelist32bit and 64bit.sdb are the database names specified when creating the SDB files.

    The recommended deployment model is to install and test UAC on a “pilot” machine, adding each new version of the Attix5 Client to the database as it becomes available. This database can then be pushed out to clients and installed or

Article ID: 54
Last updated: 21 May, 2013
Revision: 2
Views: 6931
Comments: 0
Posted: 11 Feb, 2011 by Van Rensburg J.
Updated: 21 May, 2013 by Van Rensburg J.
This article was:  
Prev   Next
Article 52 - Error on SP: Unhandled error in BinaryRequest: Invalid salt...     Article 39 - Controlling the runaway cache on Windows Server 2008