06 Sep 2011

UAC prompts when running scripts which perform high privileged operations, even if you are a local administrator

Imagine this:

You have a 2008 R2 RDS host or a Win7 client machine and a logon script which wants to copy some files (templates, in my case) to C:\ProgramData, a UAC-protected folder. UAC will prompt you (if UAC is enabled, of course) even if you are a member of the local Administrators group. Well, there are solutions, but assigning Domain Admin permissions to the executing account is not acceptable IMHO. I found some badly documented hacks around the AppCompat Tool. The easiest way to get rid of this is to set the “__COMPAT_LAYER” environment variable (yes, these are TWO underscore characters).

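So just set this variable to “RunAsInvoker” before you start something that tries to execute a UAC-protected executable or tries to write to a UAC-protected folder. The RunAsInvoker layer makes Windows start the program with the caller's existing token instead of requesting elevation, so no prompt appears; it does not grant any rights the calling account does not already have.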

Example:

set __COMPAT_LAYER=RunAsInvoker
rem %logonserver% already starts with \\ (for example \\DC01), so no extra prefix is needed
robocopy "%logonserver%\netlogon\templates" "%ProgramData%\CompanyTemplates" /S /E

This also works for AppSense EM actions, where you specify the executing user (which has to be a local admin, of course, or have appropriate access rights).
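
A more defensive version of the logon-script snippet, as an added example that is not from the original post: it keeps __COMPAT_LAYER scoped to the script so other programs in the session do not inherit it, and checks robocopy's exit code so a copy that fails for lack of write access is not silently ignored. The log file location is an assumption made for this example.

```batch
@echo off
rem Added example, not from the original post.
rem setlocal keeps __COMPAT_LAYER inside this script; endlocal (or script exit)
rem discards it, so later programs in the session do not inherit RunAsInvoker.
setlocal

set "__COMPAT_LAYER=RunAsInvoker"

rem %LOGONSERVER% already begins with \\ (for example \\DC01).
set "SRC=%LOGONSERVER%\netlogon\templates"
set "DST=%ProgramData%\CompanyTemplates"
rem Assumption: log location chosen for this example.
set "LOG=%TEMP%\templates-copy.log"

rem /E copies all subdirectories (including empty ones); /R:1 /W:1 keep a
rem logon script from hanging on retries; /NP suppresses progress output.
robocopy "%SRC%" "%DST%" /E /R:1 /W:1 /NP /LOG:"%LOG%"
set "RC=%ERRORLEVEL%"

rem robocopy exit codes are a bitmask: values below 8 mean success
rem (possibly with extra or mismatched files), 8 and above mean that
rem at least one file or directory could not be copied.
if %RC% GEQ 8 (
    echo Template copy failed, robocopy exit code %RC%, see "%LOG%" 1>&2
    endlocal & exit /b %RC%
)

endlocal & exit /b 0
```

Because RunAsInvoker only suppresses the elevation request, an access-denied failure on the destination shows up here as an exit code of 8 or higher rather than as a UAC prompt.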