Sunday, April 3, 2011

WADMigrator-ServerMigrator Permission Issues

Windows 7 Operating Systems - Desktop/Laptops:

Issue:
Unable to install the scheduling service client on any Windows 7 workstation within the environment. Console indicates that “the installation path cannot be determined”

Diagnosis:
Remote Registry is set to Manual and is not started
UAC is enabled on the workstations

Resolution:
Set the Remote Registry service to Automatic
Disable UAC on the Windows 7 Desktops/laptops/Tablets/Workstations.

Both Items can be modified via Active Directory Group Policy. The latter policy requires a reboot.


Windows 2008 Server’s

Issue:
Unable to install the scheduling service client on any Windows 2008 Servers within the environment. Console indicates that “the installation path cannot be determined”

Diagnosis:
UAC is not completely disabled. The following registry key has the following value set:

HKLM\Software\Microsoft\Windows\Currentversion\Policies\System\ConsentPromptBehaviorUser. This key has a value set to 1. This is not the default setting.

An explanation of this setting is as follows:

User Account Control: Behavior of the elevation prompt for standard users
The User Account Control: Behavior of the elevation prompt for standard users policy setting controls the behavior of the elevation prompt for standard users.

The options are:
Automatically deny elevation requests. When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. *****Has a value of 0 in the registry*****

Prompt for credentials on the secure desktop. (Default) When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. *****Has a value of 3 in the registry*****

Prompt for credentials. When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. *****Current Setting****** and has the value of 1

These are the available settings:

0 = Automatically deny elevation requests
1 = Prompt for credentials on the secure desktop
3 (Default) = Prompt for credentials on the secure desktop


Please refer to the following link: http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx#BKMK_StandardUserPromptBehavior

Resolution:
On all Windows 2008 Servers, the ConsentPromptBehaviorUser key must have a value of 3 (which is the default Windows 2008 setting). A reboot is not necessary for this change to take effect.

The above changes are mandatory and were part of the Checklist provided to the customer as part of the pre-migration checklist.

Special Thanks

A special Thanks goes to Bruno Zaffino from Compucom for his diligence and relentless effort to trouble shoot the challenges faced by the domain migration at the Government of Ontario Migration Project.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.