We have a C# Windows Forms client application. This application occasionally needs to check for updates to itself from a trusted internal web site, download them, install them, and restart itself.
To make the application compatible with User Account Control (UAC), we embedded a manifest in the .exe that requests the highest available privileges:
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="highestAvailable" uiAccess="false" />
</requestedPrivileges>
</security>
</trustInfo>
We want standard (non-administrator) users to be able to run the application without being prompted to elevate to administrator. We gave standard users full permissions to the entire application folder. This means the user has the power to mess with the software files, but that is acceptable.
The users have been working with this application on Windows 7, Windows 8, and Windows 8.1 for a while with UAC fully enabled. On these operating systems, when our application is launched, Windows does not prompt the user to elevate to administrator privileges.
We are now testing behavior on Windows 10. On a Windows 10 system, with full UAC enabled, Windows is prompting standard users to elevate to administrator. Nothing else has changed. The .EXE is the same, and the embedded manifest is the same requested execution level highestAvailable.
We have tested this with the client files in C:\Program Files and in C:\Users\Public. Both locations have the same behavior.
Why is the UAC elevation behavior different on Windows 10? Is the behavior on prior versions a bug in UAC? Should it have been prompting to elevate all along?
Note that we must keep UAC enabled. I am aware of how to disable it.
Also note that I have tested changing the manifest to requestedExecutionLevel of asInvoker. This is not prompting for elevation on Windows 10.
-- UPDATE --
We have tracked the elevation prompting to a difference between local users and domain users. This MSDN article says:
Application launch behavior for a standard user with additional privileges (E.G. Backup Operator)...[will] prompt for credentials before running the application
We are seeing local standard users not prompted for elevation, but local domain users are prompted for elevation. The only privileges the domain user has over the limited user is being a member of the Domain Users role.
You miss understand highestAvailable. This means request the full admin token if your account is part of the admin group, but for normal standard users no UAC dialog is shown and the process runs with the standard token.
If your program requires admin rights to function then you need to use requireAdministrator in the manifest. When a standard user starts such a process, the over-the-shoulder UAC dialog is shown, where the user can enter credentials of an admin account.
Related
edit
I also have the same problem as an admin on a domain
I just installed SSRS locally on a machine for and I cannot access the reports I deployed. Everything was installed as admin
when going to the web portal I get this massage
Could not load folder contents
You are not allowed to view this folder. Contact your administrator to obtain the necessary permissions.
and when trying to access the web service via the config manager I get this one:
The permissions granted to user <username> are insufficient for performing this operation. (rsAccessDenied)
Additionally in the web portal I got no "manage" folder and only "my subscriptions" under the settings button .
Everything is running locally and as admin, the OS is windows 11 and the SSRS is version 15.0.1102.1002 and running in native mode.
I've looked all over the place and found out something about certificates, but almost everything in google is about access problems via remote server.
adding the URL to the trusted sites didn't help
it certainly look like you don't have permission. Are you administrator? When you were installing did you set up some users to be administrators?
Find which account is administrator and then add yourself from the SSRS site. Is there another account you can run or Run as administrator?
Another way to install again.
If you decide to install again pay attention on the page with the users.
After a fresh install of SQL Server 2012 Developer on my Windows 7 machine, I configure SSRS. Then, in IE (version 11), I try to access the SSRS server at http://(servername)/Reports. Windows asks for my username and password. Odd, because I'm an administrator. So I enter my username and password and I get this reply:
User '' does not have required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed.
Researching the issue, I come across a number of answers, including:
Reporting Services permissions on SQL Server R2 SSRS
SSRS 2008: User Does Not Have Required Permissions
The answers to these questions are similar:
Run IE as an administrator
Add the SSRS URL to Trusted Sites in Security tab of Internet Options
Retry SSRS URL
On success, add your user to Site Settings and Folder Settings with the appropriate permissions.
You should then be able to access SSRS without running IE as administrator
Additional workarounds include disabling UAC and repeating the steps above.
Running IE as an administrator did not work. At step 3. I got the same response as above and was never able to get to the SSRS home page.
Before disabling UAC, are there any other workarounds?
The workaround I found is from Peter O’Gorman's blog entry.
The steps above are the same, except add the URL to Local Intranet, not Trusted Sites:
Run IE as an administrator
Add the SSRS URL to Local Intranet in Security tab of Internet Options
Retry SSRS URL
On success, add your user to Site Settings and Folder Settings with the appropriate permissions.
You should then be able to access SSRS without running IE as administrator
To my pleasant surprise, this worked like a charm. Thanks Peter!
Run IE as an administrator - not Chrome. I swear I tried this before with no joy.
I don't understand why not Chrome and why administrator. Maybe Chrome somehow dismisses the elevated permissions. How does the rsManager know at what level the browser is running anyway?
Microsoft SQL Server Management Studio 12.0.2000.8
Microsoft Analysis Services Client Tools 12.0.2000.8
Microsoft Data Access Components (MDAC) 6.3.9600.16384
Microsoft MSXML 3.0 5.0 6.0
Microsoft Internet Explorer 9.11.9600.17498
Microsoft .NET Framework 4.0.30319.34209
Operating System 6.3.9600
Chrome Version 39.0.2171.95 m
Same steps as Glenn mentioned previously. I also had to add user to role in two different spots once I was able to access SQL Server Reporting Services - Home. In Folder setting -> security -> new role assignment and site settings -> security -> new role assignment. I added my user as well.
http://techasp.blogspot.com/2013/06/how-to-fix-reporting-services.html
This works for Reporting Services 2008 onwards
This one has been bugging me for a while, some users have access to the report server others get this error message. While trying to resolve it with a system administrator I came across this post from microsoft support
For users to navigate to a particular folder, they must have Browser role on
all folders starting at the root folder (the folder named "/" in the
item path or "Home" in Report Manager). So you will need to grant
those permissions explicitly. By default, permissions are inherited
from the parent folder. If there are any breaks in the inheritance,
you will need to set those permission explicitly.
What we did as a administrator users, was to navigate to Reports page, then folder settings and grant the user that does not have permissions Browser rights to the folder. Use could then navigate to the home page and work their way down the tree. the sys admin hadn't granted access to the user at the home level just on the folders and reports that have access to.
Been trying to get SSRS reporting service set up for a while now, and been stuck on the issue with UAC.
After setting up the Reporting Service Configuration Manager settings, with service account using my PC's login account, Database using ReportServer$SQLEXPRESS, etc. when launching the server # 127.0.0.1/Reports it directs me to 127.0.0.1/Reports/Pages/Folder.aspx and then after login with my PC's login this is what I get on my browser -
"User 'OCTETHP\Support' does not have required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed."
And I have done my researches online, I turned off UAC, I am on the administrator account, and I also tried to run the browser with right click to run as administrator option on both chrome and IE. Still does not solve this problem. Could anyone help me out with this??
I am currently running on windows 8.1. Thanks so much!
It is likely the problem is with the account the reporting server is running under (OCTETHP\Support). You may need to add this user to the web user group (IIS_WPG depending on your OS version). If that doesn't work, you can set the user to be a local administrator and work the permissions back from there.
If you want to run the reporting services from another account you'd want to follow these steps:
Open IIS Manager
Under websites locate the SSRS website (/Reports in your case)
In basic properties check the App Pool the site is running under
Go to the App Pools section of IIS and open the advanced properties
Setup the user that the App Pool runs under
You'll need to make sure the user is assigned to the web user group, and has permissions to access the folder that the website points to.
While i am inserting this permission in manifest it shows error " Permission is only granted to system apps"
Actually i used this permission for developing application based on Oauth2 token. But i cant enable this permission. Can any Help me?
MODIFY_PHONE_STATE permission is granted to system apps only.
For your information, there are 2 types of Android apps: system & user
User apps are just all your normal app installations through the Google Play Store, Amazon Appstore or sideloading. These go into the
/data partition of your Android phone, which is the part of the
internal memory made available for user data and apps.
System apps are basically the apps that come pre-installed with your ROM. In a standard Android user environment, the user doesn’t
have write access to the /system partition and thus, installing or
uninstalling system apps directly isn’t possible.
In order to install an app as a system app on your Android device,
your device must either be rooted or have a custom recovery installed (or both).
That being said, that error is actually wrong because you have a valid code and compilation should work. It would be better if it gave a warning instead. In Eclipse you can easily fix it. Just go to:
Window -> Preferences -> Android -> Lint Error Checking.
Find ProtectedPermission from the list and set the severity to something other than error(info for example). This way your project will still compile.
I am having some issues setting up Reporting Server. I can open http://localhost/reports only when I run Internet Explorer as administrator. When I try to open it from another server, logging in with the same user as the service account, I get prompted for credentials before it proceeds. What settings do I need to check\change to allow me to open the reports home page without having to open IE as administrator locally or having to enter my username and password from a remote connection? Here is the error I am receiving if I open IE not as admin.
User 'DOMAIN\USER' does not have required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed.
Connect to SSRS Report Manager (/reports) as admin, then check what you see when you click on the Folder Settings. This should give you the security settings for the root folder. Make sure that your account is included here, whether by AD group or individually. Content Manager is the most permissive setting.
In addition to checking the Home folder security settings as #Jamie-F pointed out, check the "Site Settings", "Security" as well and make sure the user or group is there.