We have a Windows 2008R2 server that runs our build scripts.
At the moment, it is not possible to fix our scripts so that they could run without elevation. Please don't bother. It is currently more viable to risk breaking the machine or opening a security hole than to fix all the third-party apps the scripts are using.
I have found two Local Security Policy options that I thought I might use:
User Account Control: Admin Approval Mode for the Built-in Administrator account
and
User Account Control: Run all administrators in Admin Approval Mode
The second one basically switches UAC off completely, so all admin accounts will always run everything with full elevation. (If I understand correctly.)
The first one, though, got my interest: apparently the built-in admin account has the ability (by default) to always run everything fully elevated.
Is it somehow possible to enable this setting for a domain user account, so that we can run our scripts as this user, circumventing UAC completely for the scripts but keeping UAC for all human interaction with the server?
It sounds like the best way to handle this is to create an OU for the workstations, or for a specific group of people, a security group, and create a group policy that is linked to the OU or security group, in which the only policy change would be the UAC options... Rather, I should say, link it to the OU and filter by the security group...
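The following PowerShell is an added example written for this page; it is not code from the question or the answer above. It does two things: it reads the two UAC settings the question names off the local build server, mapped to the registry values those Local Security Policy options actually write (EnableLUA for "Run all administrators in Admin Approval Mode", FilterAdministratorToken for "Admin Approval Mode for the Built-in Administrator account"), and it builds the GPO the answer describes, linked to an OU and security-filtered to a group. Both values live under HKLM, so they are per-machine settings; FilterAdministratorToken only affects the built-in Administrator (RID 500), and there is no equivalent switch for an arbitrary domain user. The GPO name, OU path and group name are assumptions, and the group must contain the build servers' computer accounts, because UAC policies are Computer Configuration settings and a group of users would not scope them. Writing the value with Set-GPRegistryValue rather than through the Security Options template is also an assumption on my part; it sets the same registry value the template does. Requires the GroupPolicy module (RSAT) for the second function.

```powershell
# Added example, not part of the original question or answer.
# Assumed names: GPO 'UAC - Build Servers', OU 'OU=BuildServers,DC=corp,DC=example',
# security group 'BuildServers-UAC' (must contain the build servers' computer accounts).

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicyState {
    # Maps the two Local Security Policy options from the question to the registry
    # values they set. Both are under HKLM, i.e. machine-wide, not per-user.
    # A missing value reads as $null, which compares as "not enabled".
    $p = Get-ItemProperty -Path $uacKey
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    [pscustomobject]@{
        'Run all administrators in Admin Approval Mode'       = ($p.EnableLUA -eq 1)
        'Admin Approval Mode for the Built-in Administrator'  = ($p.FilterAdministratorToken -eq 1)
        # True only when this process already holds the full (elevated) admin token.
        'Current process is elevated'                         = $principal.IsInRole(
            [Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function New-BuildServerUacGpo {
    param(
        [string]$GpoName     = 'UAC - Build Servers',                     # assumed
        [string]$TargetOu    = 'OU=BuildServers,DC=corp,DC=example',      # assumed
        [string]$FilterGroup = 'BuildServers-UAC'                         # assumed, computer accounts
    )
    Import-Module GroupPolicy

    $gpo = New-GPO -Name $GpoName -Comment 'Turns off UAC (EnableLUA=0) on build servers only'

    # Same registry value that "Run all administrators in Admin Approval Mode: Disabled"
    # writes; delivered here as registry policy. Takes effect only after a reboot.
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -ValueName 'EnableLUA' -Type DWord -Value 0 | Out-Null

    # Link to the OU, then narrow the default "Authenticated Users: Apply" filter:
    # keep Read so the computers can still evaluate the GPO, but only members of
    # the filter group actually apply it.
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $GpoName -TargetName $FilterGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    $gpo
}

# Usage (run on the build server for the first call, on a box with RSAT for the second):
Get-UacPolicyState
# New-BuildServerUacGpo
```

Run Get-UacPolicyState before and after the GPO applies (and after the reboot EnableLUA requires) to confirm the change landed. Because the setting is machine-wide, every administrator who logs on to a filtered server gets a full token with no prompt, including the humans; the GPO scoping only limits which machines are affected, not which accounts.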