Posts Tagged ‘UAC’

Group Policy Settings for User Account Control

October 4th, 2010 by Paul Sterley | No Comments | Filed in Management Software, Workstation OS

UAC settings can be enforced via group policy in the following area:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options.

Below are the settings that simulate the 4 options on the slider bar in the GUI.
This information was submitted by Ronnie Vernon MVP, in this thread.

I am re-posting it here mainly for my own convenience in finding it again later.

Commenters on the thread report that the settings go into effect on the workstation, but do not affect the ability of the user to move the slider bar. It will move, the user will be prompted for a reboot, and the setting will be changed when they finish rebooting. Then it will be reset back to the GPO settings at the next GPO processing interval.

When I attempted to follow these directions, I found that the settings available to me in SBS 2008 were slightly different. I did not have an option for “Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent for non-Windows binaries”. The closest thing was “Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent”, which set the slider at Level 4. I looked for administrative templates to update this, and did not find anything. I guess level 4 will have to do for now.

LEVEL 1
Never notify me when:
Programs try to install software or make changes to my computer.
I make changes to Windows settings.

***

Admin Approval Mode for the Built-in Administrator account = Disabled

Allow UIAccess applications to prompt for elevation without using the secure desktop = Disabled

Behavior of the elevation prompt for administrators in Admin Approval Mode = Elevate without prompting

Behavior of the elevation prompt for standard users = Prompt for credentials

Detect application installations and prompt for elevation = Enabled

Only elevate executables that are signed and validated = Disabled

Only elevate UIAccess applications that are installed in secure locations = Enabled

Run all administrators in Admin Approval Mode = Disabled

Switch to the secure desktop when prompting for elevation = Disabled

Virtualize file and registry write failures to per-user locations = Enabled

———————————————

LEVEL 2
Notify me only when programs try to make changes to my computer (do not dim my desktop)
Don’t notify me when I make changes to Windows settings

***

Admin Approval Mode for the Built-in Administrator account = Disabled

Allow UIAccess applications to prompt for elevation without using the secure desktop = Disabled

Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent for non-Windows binaries

Behavior of the elevation prompt for standard users = Prompt for credentials

Detect application installations and prompt for elevation = Enabled

Only elevate executables that are signed and validated = Disabled

Only elevate UIAccess applications that are installed in secure locations = Enabled

Run all administrators in Admin Approval Mode = Enabled

Switch to the secure desktop when prompting for elevation = Disabled

Virtualize file and registry write failures to per-user locations = Enabled

———————————————

LEVEL 3
Default – Notify me only when programs try to make changes to my computer.
Don’t notify me when I make changes to Windows Settings

***

Admin Approval Mode for the Built-in Administrator account = Disabled

Allow UIAccess applications to prompt for elevation without using the secure desktop = Disabled

Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent for non-Windows binaries

Behavior of the elevation prompt for standard users = Prompt for credentials

Detect application installations and prompt for elevation = Enabled

Only elevate executables that are signed and validated = Disabled

Only elevate UIAccess applications that are installed in secure locations = Enabled

Run all administrators in Admin Approval Mode = Enabled

Switch to the secure desktop when prompting for elevation = Enabled

Virtualize file and registry write failures to per-user locations = Enabled

————————————————

LEVEL 4
Always notify me when:
Programs try to install software or make changes to my computer
I make changes to Windows settings

***

Admin Approval Mode for the Built-in Administrator account = Disabled

Allow UIAccess applications to prompt for elevation without using the secure desktop = Disabled

Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent on the secure desktop

Behavior of the elevation prompt for standard users = Prompt for credentials

Detect application installations and prompt for elevation = Enabled

Only elevate executables that are signed and validated = Disabled

Only elevate UIAccess applications that are installed in secure locations = Enabled

Run all administrators in Admin Approval Mode = Enabled

Switch to the secure desktop when prompting for elevation = Enabled

Virtualize file and registry write failures to per-user locations = Enabled
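The four lists above are the GPO view of what the slider writes to the registry. The following is an added example (not from the post or its source thread) that maps each policy name as listed above onto the DWORD value Windows stores for it, recovers the slider level from a pasted block, and flags the settings an auditor would want to notice; the slider tuples are taken from the four lists above, and the weak-setting checks are my own choice.

```python
# Registry value (under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System)
# behind each Security Options policy named in the post.
POLICY_TO_VALUE = {
    "Admin Approval Mode for the Built-in Administrator account": "FilterAdministratorToken",
    "Allow UIAccess applications to prompt for elevation without using the secure desktop": "EnableUIADesktopToggle",
    "Behavior of the elevation prompt for administrators in Admin Approval Mode": "ConsentPromptBehaviorAdmin",
    "Behavior of the elevation prompt for standard users": "ConsentPromptBehaviorUser",
    "Detect application installations and prompt for elevation": "EnableInstallerDetection",
    "Only elevate executables that are signed and validated": "ValidateAdminCodeSignatures",
    "Only elevate UIAccess applications that are installed in secure locations": "EnableSecureUIAPaths",
    "Run all administrators in Admin Approval Mode": "EnableLUA",
    "Switch to the secure desktop when prompting for elevation": "PromptOnSecureDesktop",
    "Virtualize file and registry write failures to per-user locations": "EnableVirtualization",
}
# DWORD encodings of the two non-boolean prompt behaviours (list index = DWORD).
ADMIN_PROMPT = ["Elevate without prompting", "Prompt for credentials on the secure desktop",
                "Prompt for consent on the secure desktop", "Prompt for credentials",
                "Prompt for consent", "Prompt for consent for non-Windows binaries"]
USER_PROMPT = {"Automatically deny elevation requests": 0,
               "Prompt for credentials on the secure desktop": 1, "Prompt for credentials": 3}
# (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) per slider level, from the post's lists.
SLIDER = {(0, 0, 0): 1, (1, 5, 0): 2, (1, 5, 1): 3, (1, 2, 1): 4}

def parse_policy_block(text):
    """Turn 'Policy = Setting' lines, as listed in the post, into registry DWORDs."""
    values = {}
    for line in text.splitlines():
        policy, sep, setting = line.strip().partition(" = ")
        if not sep or policy not in POLICY_TO_VALUE:
            continue  # headings, separators and blank lines
        name = POLICY_TO_VALUE[policy]
        if name == "ConsentPromptBehaviorAdmin":
            values[name] = ADMIN_PROMPT.index(setting)
        elif name == "ConsentPromptBehaviorUser":
            values[name] = USER_PROMPT[setting]
        else:
            values[name] = 1 if setting == "Enabled" else 0
    return values

def slider_level(values):
    """Slider level that produces these values, or None (e.g. 'Prompt for consent' = 4, the SBS 2008 fallback)."""
    return SLIDER.get((values.get("EnableLUA"), values.get("ConsentPromptBehaviorAdmin"),
                       values.get("PromptOnSecureDesktop")))

def weak_settings(values):
    """Audit flags: UAC off, silent admin elevation, prompts off the secure desktop."""
    checks = [("EnableLUA", 0, "Admin Approval Mode off: no elevation prompts at all"),
              ("ConsentPromptBehaviorAdmin", 0, "administrators elevate silently"),
              ("PromptOnSecureDesktop", 0, "prompts not isolated on the secure desktop")]
    return [f"{k}={v}: {msg}" for k, v, msg in checks if values.get(k) == v]
```

Level 1 here matches the post (Admin Approval Mode off, hence the reboot prompt commenters saw); on Windows 8 and later the slider's "Never notify" keeps EnableLUA at 1 and only sets ConsentPromptBehaviorAdmin to 0, so SLIDER needs an extra entry for those systems.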


Updated: More UAC Grief: Installing Nuance (Scansoft) Paperport 11

December 17th, 2008 by Paul Sterley | 1 Comment | Filed in Workstation OS

I’m replacing my wife’s computer. There is a flatbed scanner attached which I use for documents that are too big for the sheetfed scanner on my own computer, documents that are bound to something, or when I want a higher quality image than the sheetfed scanner can deliver.

I decided to go ahead and give her the computer with Vista on it, because the way she uses the computer, she won’t really notice the Vista pain I feel.

Unfortunately, the flatbed scanner is an older model, for which there is no Vista driver support. The scanner is “end of life” after a few years.

After much grumbling, I bought a shiny new scanner that looks nearly identical to the old one. I decided (here goes my masochistic streak) to try installing it as a normal, non-administrative user would. I logged on with the wife’s user account and put the CD in the drive.

Thus begins my tale of woe.

Naturally, I get the UAC pop-up, and I allow it. After a couple of other prompts and an install wizard, it finishes. So far, so good. I stuffed an empty Cheetos bag onto the glass and pushed the one-touch scan button. To my amazement, the one-touch software fired right up and started scanning. It finished, then dutifully started opening the Paperport software to store the image.

Bam! Error #1. The SimpleSearch Indexer has stopped working. Problem Details: Appcrash in ssindexr.exe.
A few seconds later: Bam Bam! Error #1. The PDF Import Filter also crashed.

The Paperport Desktop opened and was completely empty.

Another try, then. I uninstalled the thing, emptied the Temp folder, deleted the Paperport folder from Program Files, and made the user account a local administrator. Also, I browsed the CD, right-clicked the setup.exe, and told it to run as administrator. Same process, same result.

OK, I figured I’d give Tech Support a bit of a hassle and call them up. They painstakingly wrote down every error and version number, and then had nothing useful to say. They wanted to put me on hold to “check my resources”. I asked if they’d like me to uninstall the program, empty the Temp folder, disable User Account Control, reboot, and try again while I was on hold. Affirmative. I should leave the scanner driver (one-touch) in there, but do the rest.

So right about the time they came back on the line, I was logging in again. I stopped to talk to them about the issue. No, there aren’t any “known issues” specific to my errors, but yes, they usually do recommend that people turn off UAC before installing (the software has no pop-ups and the docs say nothing to this effect). I should go ahead and try it again, and it should work this time.

I did. It didn’t.

I wished them good day and hung up, sensing that I had gotten as much useful information from them as I was likely to.

I cleaned it all up again, set the local administrator password, enabled the local administrator account, rebooted and logged in as Administrator, and ran through the setup again. This time the Paperport software opened without error (yay!) but the one-touch software was no longer linked into Paperport. I had to uninstall and reinstall it as well.

Finally, I was able to push that button and get a perfect scan of my Cheetos bag.

OK, time for a user profile swap! I reset my wife’s user account to a power user, turned UAC back on, rebooted, logged in as her, and the Paperport software started without error. Of course the one-touch software had lost its link with Paperport. To get THAT back, I had to uninstall one-touch and reinstall it. Then it had the link, but when I pushed the button on the scanner nothing happened. I removed the scanner from Device Manager and scanned for new hardware, which was found and installed. Then the scanner button worked, it scanned, and it even opened Paperport and delivered - but it did NOT deliver the scanned image into the Paperport desktop.

Sigh.

I finally got this to work by setting the user account as an admin again, turning UAC off, logging in as the user account that would be using the scanner, and using the “RUNAS” command to fire up a privileged CMD instance, then changing directory to the CD drive and executing cdstart32.exe from the CMD window.

At long last, I got my Cheetos bag scanned in, while logged in as the proper user! Sing praises!

Oops, wait a second, the destination was a local My Documents folder. I couldn’t select the network drive to store the documents in during setup, because while using RUNAS, it used the local administrator account, which does not have the drive letter mapped. So I opened Paperport and used the Folder Manager to add the right one. Doesn’t work.

Sigh.

Time to log in as Administrator, map the drive letter, log back in as the user, use the RUNAS command again (Will I have to turn off UAC and reboot? Probably), uninstall and reinstall this damned thing again.

How is the average user supposed to do this? I suspect they tested this exactly one way: On a standalone PC, with UAC disabled, as a local administrator account.

I guess it’s my fault for not buying the $499 network-friendly model, right? As if its installation would not have the same issues.

Well, I won’t bore you with the rest of my battle. I’ll get there eventually.

Cheers!

Update: The software has a particular quirk. It REQUIRES that the local My Documents folder is part of the PaperPort Folders lineup in order for it to scan things into PaperPort. To clarify, I reinstalled it, and it would scan things into PaperPort, but put them in the [MyDocuments]->OneTouch Docs folder. I found the registry key for that destination and edited it, and then it would put things into the mapped network drive just fine. Then I removed the local MyDocuments from the PaperPort Folder Manager, and even though the software was set to place things in the mapped network drive, scanning to PaperPort broke.

It seems that it is not actually necessary to use the RUNAS command to install the software. At least, not after you’ve uninstalled and reinstalled eight or nine times – maybe the stuff that needs that level of security stayed in there after the first time. We all believe that their uninstaller cleans out everything it put in there, 100%, right?

Anyway, another uninstall/reinstall got back the ability to scan to a PaperPort folder, then another registry hack to make it scan to the folder I wanted it to go to, instead of the default (there was no place in the UI to set this). So I’m just going to shrink up the local documents folder tree and pretend it does not exist.

So the path to success goes like this:

1. Cut off your security at the knees by setting your user account as a local administrator and disabling UAC.
2. Install the software, leaving everything at default. It gives you the option to change the initial desktop folder during installation – don’t do it! It will break the Scan to Paperport feature.
3. Hack the registry to make the change that should totally have been included in the UI. The keys to alter are:
[HKEY_CURRENT_USER\Software\Visioneer\OneTouch 4.0\LinkManager 4.0\ScanSoft Applications]
“DefaultFolder”=”X:\YourPaperportDesktop”
[HKEY_CURRENT_USER\Software\Visioneer Backup\LinkManager 4.0\ScanSoft Applications]
“DefaultFolder”=”X:\YourPaperportDesktop”
4. Add that folder to your PaperPort Folder Manager and set it as default, but DON’T remove the local one.
5. Set your security back up the way you want it and test that it still works.
