Hi guys,
We are at the 2008r2 forest/domain level and have an old enterprise application that is VB6, writes to the root of the C drive, and is pretty horrific from a security standpoint. That application will not work on Windows 7, unless we make all users administrators, which is not acceptable for all users(Some users are administrators). We had a developer come and spend several months changing things and we can get the application to work on Win7, but we must completely disable UAC. We cannot just block the notifications, etc. Management has made an enterprise decision to disable UAC on all computers that run this software(all workstations) and that decision is not up for debate.
I know it is normally a user setting, but I was going to use a computer GPO. That way I only have to target workstations that have the application, and no servers, etc. I can go either way, but if I target users, I have to target everyone. Here are the options I was going to use
Computer Config->Windows Settings->Security Settings->LocalPolicies/SecurityOptions->UserAccountControl->
Behavior of the elevation prompt for Administrators in Admin Approval Mode - Elevate without prompting
Detect application installations and prompt for elevation - Disabled
Run all administrators in Admin Approval Mode - Disabled
Do you guys think I should try this? or should I target all user accounts instead? Are there any non-security issues you can think of that might pop-up because of this? Like applications that were set to run in Admin mode. Is it possible that those actually start having issues, etc(basically, can any applications break from having uac disabled?)
Thanks,
Dan
Dan Heim