UAC Elevation in Vista

Posted by: tfabris

UAC Elevation in Vista - 19/12/2007 21:47

Anyone know anything about the subject of elevating past UAC in Vista?

Yeah, I should ask my coworkers, except... I don't work at the Evil Empire any more, I'm now at a place called NetMotion Wireless. Anyhow...

I've got a situation where a bug repros on one Vista machine but not on another Vista machine. We think we've got them configured pretty similarly, but they behave differently in one crucial way that we *must* nail down in order to prevent a bug in our software.

I am going to attach two pictures of elevation prompts, one that I will consider "bad" and one that I will consider "good". I'll attach them and then continue my question in another post...
Posted by: tfabris

Re: UAC Elevation in Vista - 19/12/2007 21:54

On the machine I'm testing this on, I get the "Bad" one when I try to elevate CMD.EXE, but I get the "Good" one when I try to right click on My Computer and hit "Manage".

I can also make the "Good" one appear every time if I log into the computer as a user in the local user's group as opposed to a user in the Domain Users group. But we want the "good" behavior every time. And anyway, I've got another machine here that gets the "good" behavior every time, regardless of whether it's a domain user or a local user.

See, the problem with the "BAD" box is this: You can get past it by entering cheap credentials. Credentials of just a joe-user-guy. It returns, making the calling application think that the guy entered proper administrator credentials. But he didn't.

I can even fool Windows itself with this one. If I try to elevate "Command Prompt", and I get the "Bad" Box, and I enter joe-user credentials instead of admin credentials, IT LETS ME, and it even says "Administrator" at the top of the box as if I'd really elevated. But I haven't, and I find that out the hard way when I try to do anything administrator-like from within that box, it keeps giving me "access denied" errors.

The "good" box is different. It won't let you past it unless you truly enter some administrator credentials. When you come out of that box, if you didn't really and truly elevate, you get an error message saying "this requires elevation <OK>" and whatever called it, fails out. As it should.

Does anyone have any idea what governs which of the two boxes is the one that's going to appear?
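
Added example, not part of the thread: the post above describes a prompt that returns as if elevation succeeded when it did not. The PowerShell sketch below checks the process's own token instead of trusting that the prompt was passed. The function name `Get-ElevationState` is hypothetical, and PowerShell 2.0 or later is assumed.

```powershell
# Added example (not from the thread): report whether the current process
# really holds an elevated administrator token.
function Get-ElevationState {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # True only when BUILTIN\Administrators is enabled in this token.
    # A standard user's token, or an administrator's filtered token, gives False.
    $isAdmin = $principal.IsInRole($adminRole)

    # Mandatory label SIDs have the form S-1-16-<RID>:
    # 8192 is Medium, 12288 is High (what an elevated process runs at).
    $labelRid = $null
    foreach ($line in (whoami.exe /groups /fo csv /nh)) {
        if ($line -match 'S-1-16-(\d+)') { $labelRid = [int]$Matches[1] }
    }

    New-Object PSObject -Property @{
        User            = $identity.Name
        IsAdministrator = $isAdmin
        IntegrityRid    = $labelRid
        Elevated        = ($isAdmin -and ($labelRid -ge 12288))
    }
}

# Fail closed: stop before any administrative step if the token is not elevated.
$state = Get-ElevationState
if (-not $state.Elevated) {
    Write-Error ("Not elevated: user={0}, administrator={1}, integrity RID={2}" -f `
        $state.User, $state.IsAdministrator, $state.IntegrityRid)
    exit 1
}
```

Run inside the window that was launched through the prompt, this reports the user the process is actually running as, regardless of what the title bar says.
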
Posted by: rubennyc

Re: UAC Elevation in Vista - 19/12/2007 22:29

I have nothing helpful to offer. I just come here to express my utter disdain for UAC. It is a pox on humanity and a powerful ally in the battle against productive computing.
Posted by: wfaulk

Re: UAC Elevation in Vista - 20/12/2007 00:58

I'm sure you've checked this, but I would suspect computer membership in the domain. Has the computer been joined to the domain properly? Maybe try removing it and re-adding?
Posted by: gbeer

Re: UAC Elevation in Vista - 20/12/2007 03:28

I think the difference is that the logged in users have different accounts. Admins get a different prompt than restricted users.

Compare the account types/permissions of the logged in user of each machine.
Posted by: tfabris

Re: UAC Elevation in Vista - 20/12/2007 14:35

 Quote:
I would suspect computer membership in the domain.

That's a good thought. The computer is definitely a member of the domain, and it can communicate with the domain controller because (with proper elevation) I can execute commands that require domain membership, such as NET LOCALGROUP groupname domain\user /ADD and they work.

However, the machine is a VM image which gets restored from a standard VMware restore point, and it's very possible that the domain membership goes a bit wonky in those cases. I'll try refreshing its domain membership and see if that fixes it.
Posted by: tfabris

Re: UAC Elevation in Vista - 20/12/2007 14:38

 Quote:
Admins get a different prompt than restricted users.


Admins get no login box at all. Admins get a "Continue" button and that's all. So that's not it.

The users are (as far as I can tell anyway) identical in terms of their permissions. In both cases, they are members of the "Domain Users" group only.
Posted by: tfabris

Re: UAC Elevation in Vista - 20/12/2007 15:21

 Originally Posted By: tfabris
I'll try refreshing its domain membership and see if that fixes it.


Nope. Joined it to a whole new domain and back again, same results with that user....
Posted by: tfabris

Re: UAC Elevation in Vista - 20/12/2007 15:32

The more I mess with this, the more it looks like some kind of strange quirk with that particular user account and profile.

The user account was once an administrator of that machine, and was later removed from the administrator's group. Perhaps that is the reason it's behaving that way.