Trouble with UAC

 
 
By Andrew Garcia  |  Posted 2010-05-11 Email Print this article Print
 
 
 
 
 
 
 


 

I was disappointed to find that Mobile Admin did not allow me to perform VMotion migrations of VMs between host servers. However, Rove officials state that is a commonly requested feature that they are working to add.

Rove designed Mobile Admin to connect and manage backend servers without requiring an agent on the managed hosts, instead using existing interfaces and APIs to foster the connection to the Mobile Admin server. However, administrators may need to install new software or change server configurations to enable these connections, mitigating the light touch on the server infrastructure promised by Mobile Admin.

To manage several resources, I needed to install components directly onto our Mobile Admin server. For instance, to manage our VMWare 4.0 infrastructure, I needed to install both the VMware vSphere PowerCLI and PowerShell (as I installed Mobile Admin on Windows Server 2003, for which PowerShell is a separate installation). Or to manage Exchange 2003, I needed to install the Exchange System Management Tools and its prerequisites on the Mobile Admin server.

In other cases, changes were needed on the managed servers. For instance, to manage our BES 5.0 infrastructure via Mobile Admin, I needed to ensure the BlackBerry Administration API was installed on the BES servers (or the BlackBerry Enterprise Resource Kit for BES 4.x instances). While the API is included with BES 5.0 Service Pack 1, unpatched BES installations need the API installed separately.  Also, the need for BlackBerry Administration API means that Mobile Admin won't work with the new BlackBerry Server Express, which does not support the API.

More troubling, however, is the requirement spelled out in the Mobile Admin documentation that specifies UAC (User Account Control) must be disabled on managed servers running Windows Server 2008 or above. During my tests, I found that when trying to control a UAC-enabled Windows 2008 Server via Mobile Admin, I could essentially only see the Active Directory and RDP services. Disabling UAC on the server opened up access to the rest of the core Windows management functions.

Rove representatives explained that their Windows management capabilities are performed using WMI (Windows Management Instrumentation), requiring access to the default Administrative share on the managed server to help communicate the results of these WMI operations back to Mobile Admin server. UAC by default denies remote access to this share in some cases.

In spite of what was written in the documentation, Rove's Server Development manager, Rob McAteer, iterated, "We do not wish for our customers to turn UAC off...  If the Rove Mobile Admin user managing the remote 2008 server has administrative rights on the remote 2008 server, then there is no issue utilizing the Administrative Share."

However, I discovered this only to be the case when the Mobile Admin server and the managed host are members of the Windows domain. In my case, trying to access a managed server not in the domain, I found that even though the credentials I entered to manage the Windows Server 2008 instance were part of the Administrators group, UAC blocked management via Mobile Admin. However, if I entered the credentials for the Administrator account, it worked.

While disabling UAC certainly resolved these problems, I would not recommend that solution for production machines. Another workaround I discovered is to add a registry key, which also allows remote sessions to access the Administrative share. While this workaround still lessens overall system security, it is more targeted a solution than simply disabling UAC entirely.  

McAteer concurred that this solution works in this scenario and acknowledged that Rove is removing the demand to disable UAC from future documentation. 



 
 
 
 
Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at agarcia@eweek.com.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Thanks for your registration, follow us on our social networks to keep up-to-date
Rocket Fuel