cached credentials for mapped drives and elevation

  • Thread starter Thread starter Pete Delgado
  • Start date Start date
P

Pete Delgado

I have two computers, one running Windows Vista Ultimate and the other
running Windows Vista Enterprise. The first machine is configured on our
network but is set up within a workgroup. The second machine is configured
on our network as a member of our domain. Both machines have UAC turned on.

When I map network drives to the machines everything works normally.
However, when I run a program that requires elevation via a manifest, the
network drive mappings "disappear" in the login session that is created for
the elevated process on the Vista Enterprise machine. This results in the
elevated process not being able to "see" the same environment as the user
login session when an elevated process is run on Vista Enterprise.

Is there a difference in the default group policy that would affect the
caching of network credentials in Vista Enterprise? I recall that Windows
XP Media Center had network credential cache turned off by default so I
wondered if what I am seeing is something similar.

TIA

-Pete
 
Is the account a member of the local administrators group on the Vista
Enterprise computer? If you have to enter a username and password the
elevated process runs in the context of the account that you authenticate
for the elevated process.
 
Kerry Brown said:
Is the account a member of the local administrators group on the Vista
Enterprise computer? If you have to enter a username and password the
elevated process runs in the context of the account that you authenticate
for the elevated process.

Kerry,
I am testing using two accounts on both machines. One is a member of the
local administrators group and the second is a standard user with the
addition of the privilege "Impersonate user after authentication" on the
local machine. Neither account is able to "see" the shares within the
elevated process.

When I elevate using the account that belongs to the local administrators
group I get the normal over the shoulder (OTS) elevation prompt. When I
elevate using the standard user account, I am prompted with the dialog that
allows me to either enter the account password or select another account.

Please note that the manifest states that the "highestAvailable" credentials
are required. I do not specify "requireAdministrator".

-Pete
 
I suspect the answer is in your first paragraph. One computer is joined to
the domain, one isn't.
 
Kerry Brown said:
I suspect the answer is in your first paragraph. One computer is joined to
the domain, one isn't.

I set up another test machine in a workgroup running Vista Enterprise. Same
behavior as the one connected to the domain.

-Pete
 
I don't have a copy of Vista Enterprise to test with. I have heard that the
UAC defaults are different in Enterprise. I don't know if this is true or
just a rumour. Try comparing the settings for UAC. Gpedit.msc => Computer
Configuration => Windows Settings => Security Settings => Local Policies =>
Security Options.
 
Kerry Brown said:
I don't have a copy of Vista Enterprise to test with. I have heard that the
UAC defaults are different in Enterprise. I don't know if this is true or
just a rumour. Try comparing the settings for UAC. Gpedit.msc => Computer
Configuration => Windows Settings => Security Settings => Local Policies =>
Security Options.

Kerry,
I had already look at the local system policy to see if there were
differences. Unfortunately, I couldn't find any/ I am not reinstalling all
of the versions of the Vista OS using Virtual PC in order to see if I can
duplicate the behaviour on a clean OS.

-Pete
 
Back
Top