; ADM Template Creation/Modifying Date: 30.10.2008 15:48:18 ; ADM Template Author: norbert ; ADM Template created by gpaddit (http://www.gpaddit.com) - M.Heitbrink & E.Grandel GbR Class Machine CATEGORY "Vista UAC" POLICY "Enable Linked Connections" #IF VERSION >= 4 SUPPORTED !!Supported_Vista #ENDIF EXPLAIN !!Hlp_EnableLinkedConnections KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" PART "Activate linked connections" Checkbox VALUENAME "EnableLinkedConnections" DEFCHECKED VALUEON "1" VALUEOFF DELETE END PART END POLICY ;Enable Linked Sessions END CATEGORY ;Vista UAC [STRINGS] Hlp_EnableLinkedconnections="With activated User Account Control in Windows Vista network drives are not mapped with logonscripts, which are assigned via Group Policy.\n\n\nEnable this policy if this problem exists.\n\nCAUSE\nThis problem occurs because User Account Control treats members of the Administrators group as standard users. Therefore, network shares that are mapped by logon scripts are shared with the standard user access token instead of with the full administrator access token. \n\nWhen a member of the Administrators group logs on to a Windows Vista-based computer that has User Account Control enabled, the user runs as a standard user. Standard users are members of the Users group. If you are a member of the Administrators group and if you want to perform a task that requires a full administrator access token, User Account Control prompts you for approval. For example, you are prompted if you try to edit security policies on the computer. If you click Allow in the User Account Control dialog box, you can then complete the administrative task by using the full administrator access token. \n\nWhen an administrator logs on to Windows Vista, the Local Security Authority (LSA) creates two access tokens. If LSA is notified that the user is a member of the Administrators group, LSA creates the second logon that has the administrator rights removed (filtered). This filtered access token is used to start the user’s desktop. Applications can use the full administrator access token if the administrator user clicks Allow in a User Account Control dialog box. \n\nIf a user is logged on to Windows Vista and if User Account Control is enabled, a program that uses the user’s filtered access token and a program that uses the user’s full administrator access token can run at the same time. Because LSA created the access tokens during two separate logon sessions, the access tokens contain separate logon IDs. \n\nWhen network shares are mapped, they are linked to the current logon session for the current process access token. This means that, if a user uses the command prompt (Cmd.exe) together with the filtered access token to map a network share, the network share is not mapped for processes that run with the full administrator access token.\n\nhttp://support.microsoft.com/kb/937624/en-us" Supported_Vista="at least Windows Vista"