Vista Forums - View Single Post

permalink · 06-15-2007

Superfreak3 wrote:
> I'm working on getting our application installation ready for VISTA
> and hope I'm almost there. I just want to verify the following...
>
> from technet2.microsoft.com....
>
> Understanding and Configuring User Account Control in Windows Vista
> Migrating from the Power Users
> "UAC does not leverage the Power Users group, and the
> permissions granted to he Power Users group on Windows XP have been
> removed from Windows Vista."
>
> Does this mean that the concept of Power Users no longer exists in
> Vista at all or only that the PU concept is no longer available if UAC
> enabled?
>
> Later in this section I see "To use the Power Users group on Windows
> Vista, a new security template must be applied to change the default
> permissions on system folders and the registry to grant PU gropu
> permissions equivalent to Windows XP."
>
> The reason I pose the question is that in testing the install, it runs
> through with UAC enabled. If I disable it and try to install with a
> user I've added to the Power Users group (no new security template
> applied), I get a 1303 error indicating I don't have permissions to
> the Program Files\My App location. If I install with UAC disabled as
> an Admin, I'm OK.
>
> I thought I also read somewhere, maybe in the same document, that
> Program Files is now similar to System folders with regard to security
> now in Vista. ??
>
> A brief answer(s) is all I'm looking for here, nothing too detailed (I
> know that may be impossible with Vista.). I think I've read all the
> Microsoft 'stuff' I can at this point. My head is spinning.
>
> Any help is greatly appreciated!
>
> Thanks in advance!!
>

The "concept" of power users is gone.

However, the Power Users group still exists in Vista, but like the
document says, they are not ACL'ed access to system resources, so you
have to run the special file first to grant them extra access.

Program Files has always been "restricted" for standard users in the
manner you speak of. It is important that this be so, because if any
user and any program could just overwrite system-wide .exe's, they could
easily hijack other applications, hijack other users, and elevate their
account/program to administrator status.

Also, in order for your program to use the extra "Power Users" power,
your application must explicitly tell Windows that it wants the extra
power by including a Vista-style manifest with your application that
specifies a requestedExecutionLevel of "highestAvailable".

This will cause your program to prompt for admin power if the user is an
administrator, silently receive the extra power if the user is a power
user, and run with no extra power if the user is a standard user.

The power users "experience" is pretty broken in Vista. For example,
explorer does not ask to use the "power user" power, so power users
cannot use their extra privileges when using windows explorer.

Confused yet?

--
-JB
Microsoft MVP - Windows Shell/User
Windows Vista Support FAQ - http://www.jimmah.com/vista/

06-15-2007	#2 (permalink)
Jimmy Brush n/a posts	Re: VISTA and Power Users? Superfreak3 wrote: > I'm working on getting our application installation ready for VISTA > and hope I'm almost there. I just want to verify the following... > > from technet2.microsoft.com.... > > Understanding and Configuring User Account Control in Windows Vista > Migrating from the Power Users > "UAC does not leverage the Power Users group, and the > permissions granted to he Power Users group on Windows XP have been > removed from Windows Vista." > > Does this mean that the concept of Power Users no longer exists in > Vista at all or only that the PU concept is no longer available if UAC > enabled? > > Later in this section I see "To use the Power Users group on Windows > Vista, a new security template must be applied to change the default > permissions on system folders and the registry to grant PU gropu > permissions equivalent to Windows XP." > > The reason I pose the question is that in testing the install, it runs > through with UAC enabled. If I disable it and try to install with a > user I've added to the Power Users group (no new security template > applied), I get a 1303 error indicating I don't have permissions to > the Program Files\My App location. If I install with UAC disabled as > an Admin, I'm OK. > > I thought I also read somewhere, maybe in the same document, that > Program Files is now similar to System folders with regard to security > now in Vista. ?? > > A brief answer(s) is all I'm looking for here, nothing too detailed (I > know that may be impossible with Vista.). I think I've read all the > Microsoft 'stuff' I can at this point. My head is spinning. > > Any help is greatly appreciated! > > Thanks in advance!! > The "concept" of power users is gone. However, the Power Users group still exists in Vista, but like the document says, they are not ACL'ed access to system resources, so you have to run the special file first to grant them extra access. Program Files has always been "restricted" for standard users in the manner you speak of. It is important that this be so, because if any user and any program could just overwrite system-wide .exe's, they could easily hijack other applications, hijack other users, and elevate their account/program to administrator status. Also, in order for your program to use the extra "Power Users" power, your application must explicitly tell Windows that it wants the extra power by including a Vista-style manifest with your application that specifies a requestedExecutionLevel of "highestAvailable". This will cause your program to prompt for admin power if the user is an administrator, silently receive the extra power if the user is a power user, and run with no extra power if the user is a standard user. The power users "experience" is pretty broken in Vista. For example, explorer does not ask to use the "power user" power, so power users cannot use their extra privileges when using windows explorer. Confused yet? -- -JB Microsoft MVP - Windows Shell/User Windows Vista Support FAQ - http://www.jimmah.com/vista/
My System Specs