I have a network which I am managing using System Center Essentials 2007. For the size network I have, it does the job adequately enough. However, there is one little nit-picky thing I am trying to work around...
I can publish applications to "Add/Remove Programs" in XP just fine and they also show up on my Vista clients. However, when I attempt to install an advertised program from Vista, the UAC will pop up and ask me for the Domain Administrator's password.
I figured since the Domain Administrator made the application available via the Add/Remove Programs feature that it should be automatically allowed. IMO, it is an "approved" program and it should simply be installed, as the installation is a push that I specifically configured for the network -- no questions asked.
Has anyone else run into this? Are there any workarounds beyond "disabling UAC"?
...
A bit more detailed information:
1) It's not the installer for the specific program that causes the UAC prompt, it is actually "Windows Update Published Application Installer". This is the program that actually brings up the "Windows Update" style interface that tells you it's downloading the package, installing it, etc.
2) System Center Essentials actually takes whatever file you give it and (optionally) any files and directories with that file and creates it's own CAB file. The Windows Update engine downloads this file from the SCE server and runs it (which in turn runs the installation package).
It is my feeling that it is not specific to the application installer running, but the component that actually handles the orchestration of the installation event -- this "Windows Update Published Application Installer".
Disabling UAC is by far the simplest solution although if your users have already gotten used to it it would be a pity to just throw it away, for all it's flaws it does add to the overall resilience of your environment.
There is a lot of detail on how to configure your environment so that this doesn't happen in this Microsoft Technet article : Understanding and Configuring User Account Control in Windows Vista. It's quite long but the relevant parts are about two thirds of the way through where they discuss using software distribution issues.
Actually I experienced something like this as early as XP SP2. What happens is that when a program is run locally (on the local file system), it is presumed safe enough, whereas a program that is run from the network (whether LAN, or Internet is irrelevant), it is considered potentially harmful, and thus prompts you again.
I first noticed it when I tried to run apps in a VM: when I ran them from the virtual HD, they ran without prompting, but when I tried to run them from the UNC-mapped shared folder, I would get prompted.
Vista just has that extra layer of protection (the UAC where XP SP2+ has a simple Run?Yes/No prompt).
What you may want to try is the Security Zones. I don’t know if Vista/IE8 still uses Zones, but you can see if adding the location of the file to the Trusted Sites zone will get Vista to shut up and trust it. (The Trusted Sites zone defaults to a higher security setting than the Local Intranets zone.)
This happens because - so far as Vista is concerned - the network isn't a trusted location. You'll see the same with logon scripts running under Vista, and you'll see the same on XP when running .NET framework exes from a network location.
I could go off on a rant here about how Vista isn't really properly designed for use in corporate networks, but I won't.