I am trying to get my head around the best approach for managing UAC. What I WANT: Regular users are not Local Admins and have somewhat elevated UAC. Special "Install" user is Local Admin but not Domain Admin, has permissions for install resources on the network, and has reduced UAC to facilitate automated installs. But, so far as I can tell you can't use Group Policy to adjust UAC on a user or group basis. Which seems daft to me. So, what is the "correct" way to manage/use UAC in the context of also installing software? Does it require some special sauce with SCCM? Can PowerShell Remote Jobs work with effectively reduced UAC such that automation can work?
Asked
Active
Viewed 207 times
0
-
UAC is a per-machine setting, not a per-user setting. You also have an X-Y problem here. You're describing all of the problems with UAC, but that's not actually your problem. What is the big picture here? What are you actually trying to accomplish? – longneck Sep 25 '18 at 14:48
-
@longneck My goal is an environment where security is accentuated and automated installs is enabled. UAC seems to be a bottleneck, because of the machine aspect. I can either have UAC provide better security, and make automated management harder, or I can have management easier with reduced security. Nice choices Microsoft leaves us, due to not thinking through their design. – Gordon Sep 25 '18 at 15:59
-
Every software distribution vendor out there (SCCM included) either runs as a System service or a domain account with admin rights on the local machine. And since it's not an interactive process, UAC doesn't even come in to play. What security problem are you trying to solve to you think they haven't thought through? – longneck Sep 25 '18 at 17:39