cached credentials for mapped drives and elevation

I have two computers, one running Windows Vista Ultimate and the other
running Windows Vista Enterprise. The first machine is configured on our
network but is set up within a workgroup. The second machine is configured
on our network as a member of our domain. Both machines have UAC turned on.

When I map network drives to the machines everything works normally.
However, when I run a program that requires elevation via a manifest, the
network drive mappings "disappear" in the login session that is created for
the elevated process on the Vista Enterprise machine. This results in the
elevated process not being able to "see" the same environment as the user
login session when an elevated process is run on Vista Enterprise.

Is there a difference in the default group policy that would affect the
caching of network credentials in Vista Enterprise? I recall that Windows
XP Media Center had network credential cache turned off by default so I
wondered if what I am seeing is something similar.

TIA

-Pete

Is the account a member of the local administrators group on the Vista
Enterprise computer? If you have to enter a username and password the
elevated process runs in the context of the account that you authenticate
for the elevated process.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca


"Pete Delgado" <Peter.Delgado@noads.net> wrote in message
news:Our0yyuzHHA.1184@TK2MSFTNGP04.phx.gbl...
>I have two computers, one running Windows Vista Ultimate and the other
>running Windows Vista Enterprise. The first machine is configured on our
>network but is set up within a workgroup. The second machine is configured
>on our network as a member of our domain. Both machines have UAC turned on.
>
> When I map network drives to the machines everything works normally.
> However, when I run a program that requires elevation via a manifest, the
> network drive mappings "disappear" in the login session that is created
> for the elevated process on the Vista Enterprise machine. This results in
> the elevated process not being able to "see" the same environment as the
> user login session when an elevated process is run on Vista Enterprise.
>
> Is there a difference in the default group policy that would affect the
> caching of network credentials in Vista Enterprise? I recall that Windows
> XP Media Center had network credential cache turned off by default so I
> wondered if what I am seeing is something similar.
>
> TIA
>
> -Pete
>

"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
news:C020B2C2-E742-4E51-94C8-747EC69902E0@microsoft.com...
> Is the account a member of the local administrators group on the Vista
> Enterprise computer? If you have to enter a username and password the
> elevated process runs in the context of the account that you authenticate
> for the elevated process.

Kerry,
I am testing using two accounts on both machines. One is a member of the
local administrators group and the second is a standard user with the
addition of the privilege "Impersonate user after authentication" on the
local machine. Neither account is able to "see" the shares within the
elevated process.

When I elevate using the account that belongs to the local administrators
group I get the normal over the shoulder (OTS) elevation prompt. When I
elevate using the standard user account, I am prompted with the dialog that
allows me to either enter the account password or select another account.

Please note that the manifest states that the "highestAvailable" credentials
are required. I do not specify "requireAdministrator".

-Pete




> "Pete Delgado" <Peter.Delgado@noads.net> wrote in message
> news:Our0yyuzHHA.1184@TK2MSFTNGP04.phx.gbl...
>>I have two computers, one running Windows Vista Ultimate and the other
>>running Windows Vista Enterprise. The first machine is configured on our
>>network but is set up within a workgroup. The second machine is
>>configured on our network as a member of our domain. Both machines have
>>UAC turned on.
>>
>> When I map network drives to the machines everything works normally.
>> However, when I run a program that requires elevation via a manifest, the
>> network drive mappings "disappear" in the login session that is created
>> for the elevated process on the Vista Enterprise machine. This results in
>> the elevated process not being able to "see" the same environment as the
>> user login session when an elevated process is run on Vista Enterprise.
>>
>> Is there a difference in the default group policy that would affect the
>> caching of network credentials in Vista Enterprise? I recall that
>> Windows XP Media Center had network credential cache turned off by
>> default so I wondered if what I am seeing is something similar.
>>
>> TIA
>>
>> -Pete
>>
>

I suspect the answer is in your first paragraph. One computer is joined to
the domain, one isn't.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca


"Pete Delgado" <Peter.Delgado@noads.net> wrote in message
news:uQ%23PRM6zHHA.4824@TK2MSFTNGP02.phx.gbl...
>
> "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
> news:C020B2C2-E742-4E51-94C8-747EC69902E0@microsoft.com...
>> Is the account a member of the local administrators group on the Vista
>> Enterprise computer? If you have to enter a username and password the
>> elevated process runs in the context of the account that you authenticate
>> for the elevated process.
>
> Kerry,
> I am testing using two accounts on both machines. One is a member of the
> local administrators group and the second is a standard user with the
> addition of the privilege "Impersonate user after authentication" on the
> local machine. Neither account is able to "see" the shares within the
> elevated process.
>
> When I elevate using the account that belongs to the local administrators
> group I get the normal over the shoulder (OTS) elevation prompt. When I
> elevate using the standard user account, I am prompted with the dialog
> that allows me to either enter the account password or select another
> account.
>
> Please note that the manifest states that the "highestAvailable"
> credentials are required. I do not specify "requireAdministrator".
>
> -Pete
>
>
>
>
>> "Pete Delgado" <Peter.Delgado@noads.net> wrote in message
>> news:Our0yyuzHHA.1184@TK2MSFTNGP04.phx.gbl...
>>>I have two computers, one running Windows Vista Ultimate and the other
>>>running Windows Vista Enterprise. The first machine is configured on our
>>>network but is set up within a workgroup. The second machine is
>>>configured on our network as a member of our domain. Both machines have
>>>UAC turned on.
>>>
>>> When I map network drives to the machines everything works normally.
>>> However, when I run a program that requires elevation via a manifest,
>>> the network drive mappings "disappear" in the login session that is
>>> created for the elevated process on the Vista Enterprise machine. This
>>> results in the elevated process not being able to "see" the same
>>> environment as the user login session when an elevated process is run on
>>> Vista Enterprise.
>>>
>>> Is there a difference in the default group policy that would affect the
>>> caching of network credentials in Vista Enterprise? I recall that
>>> Windows XP Media Center had network credential cache turned off by
>>> default so I wondered if what I am seeing is something similar.
>>>
>>> TIA
>>>
>>> -Pete
>>>
>>
>
>

"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
news:42846B54-A4AA-495D-B2C5-098B80102628@microsoft.com...
>I suspect the answer is in your first paragraph. One computer is joined to
>the domain, one isn't.

I set up another test machine in a workgroup running Vista Enterprise. Same
behavior as the one connected to the domain.

-Pete

I don't have a copy of Vista Enterprise to test with. I have heard that the
UAC defaults are different in Enterprise. I don't know if this is true or
just a rumour. Try comparing the settings for UAC. Gpedit.msc => Computer
Configuration => Windows Settings => Security Settings => Local Policies =>
Security Options.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca


"Pete Delgado" <Peter.Delgado@noads.net> wrote in message
news:%23$8UdNR1HHA.600@TK2MSFTNGP05.phx.gbl...
>
> "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
> news:42846B54-A4AA-495D-B2C5-098B80102628@microsoft.com...
>>I suspect the answer is in your first paragraph. One computer is joined to
>>the domain, one isn't.
>
> I set up another test machine in a workgroup running Vista Enterprise.
> Same behavior as the one connected to the domain.
>
> -Pete
>

"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
news:6D1F9286-7E9F-493B-ACA1-122574F65308@microsoft.com...
>I don't have a copy of Vista Enterprise to test with. I have heard that the
>UAC defaults are different in Enterprise. I don't know if this is true or
>just a rumour. Try comparing the settings for UAC. Gpedit.msc => Computer
>Configuration => Windows Settings => Security Settings => Local Policies =>
>Security Options.

Kerry,
I had already look at the local system policy to see if there were
differences. Unfortunately, I couldn't find any/ I am not reinstalling all
of the versions of the Vista OS using Virtual PC in order to see if I can
duplicate the behaviour on a clean OS.

-Pete