We have internal discussion lists in Microsoft that act as clearinghouses for technical issues or hot topics. One of the first thing a fledgling or newly assimilated Microsoftie must do is decide what discussion lists to join for their role.
I am internal “owner” of the support alias for Vista’s new User Account Control. This in itself typically doesn’t generate anything worthy of comment, but recently it did.
You may have heard rumors (probably a result of the gargantuan, all-powerful behemoth that is the Microsoft marketing division) that we are soon to do the general release of Windows Vista. As part of the gearing up for showing people how truly cool Vista is (and believe me, it is) one of the things our marketing gurus are doing is toting laptops with Vista on them in order to demonstrate the coolness factor to everyone.
But of the many machines their test folks had set up for them, one of the laptops was not working as expected. The intention was to demonstrate that, while User Account Control was created to limit the use of the “full” token (one with Administrator or other greater access), some actions were altered to make them doable with less privileges. The intention was to maintain that balance between security and going batty from clicking too many “may I use the full token/provide me a full token” prompts.
Some articles which go over UAC, and the effort to make available actions to Standard Users which do not potentially lead to vulnerabilities, are here:
Understanding and Configuring User Account Control in Windows Vista
How Windows Vista Helps Protect Computers From Malware
To get back to the story, I was contacted by one of our marketing folks. One of the laptops they were preparing to take on the road and use to show the coolness of Vista to people was giving them a problem. Oddly, only one of the laptops they had prepared was not allowing them to change the time zone, which as you can read in the articles above, was one of the actions that was altered to allow Standard Users to do it.
The marketing person was nice enough to let me remotely access and trouble shoot the problem laptop. The error given was generic, not a true “access denied” that you would normally expect. And the problem did not occur for an Administrative user. Strange.
Much of User Account Control works in new process creation; in other words, happens when you launch a program. I didn’t spend too many cycles going over it, but changing the system time did not strike me as a new process creation scenario offhand.
So I decided to take a look at the registry and file objects that were being accessed when you try to change the system time as that Standard User (Toby in UAC parlance). In Windows Vista you must use the new Sysinternals tool Process Monitor (which can do many other very cool things) to do that. That’s available here:
When monitoring the registry and file accesses as I reproduced the problem, however, no access denieds appeared at all. Perplexing. In fact, it almost instantly appeared to start processing the little .WAV file that sounds off when the error was thrown.
That seemed to me to mean that the failure is occurring prior to the registry and file access. Which means it was either UAC or some other, more elemental, security reason.
Vista has some Windows component event logs for UAC, on by default, but they showed nothing related to this since, as I had been suspecting, UAC was not coming into direct play here.
Ultimately, user rights in Windows help to govern what actions can be done by what principals within the operating system at a very granular level.
Vista defines a new user right for changing the time zone, added as part of the general “make the Standard User able to do more without elevated privileges” initiative.
By default, Vista has the local Users group there. In the marketing persons laptop instance, that local security group was missing. So, his user was rightly prevented from taking that action.
It may have been done by an app install, or manually by someone. I was not sure. This is also configurable via GPO, but that’s not likely the culprit in a computer that isn’t, and never was, joined to a domain.
It can be pretty difficult to add the BUILTIN\Users back to that setting so to save myself some time I added Toby specifically back to that user right and then rebooted.
To go to that setting on your Vista computer:
-Open an elevated GPEDIT.MSC
-Go under Computer Configuration->Windows Settings->Security Settings->Local Policies->User Rights Assignment
-The setting is "Change the time zone"
This may be a less common type of thing that you in the real world will see with Windows Vista UAC, but I encourage you to take a couple of thoughts with you from this:
-UAC, or related actions for it, doesn’t end at assessed process elevation
-Process Monitor is a good way to troubleshoot things like this, which aren’t a traditional access denied error, and seem to fall into a grey area
-Not all users need to be Admins anymore…so you may not need to use UAC day-to-day after all
Have a great day everyone!
PingBack from http://www.keyongtech.com/1673936-outlook-2003-you-do-not