Managing User Account Control Settings
Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 contain a security feature called User Account Control (UAC). UAC was created primarily to reduce or prevent unauthorized changes to the operating system configuration or file system. UAC interacts with both nonadministrators and administrators in their desktop environment and runs almost all applications in Standard User mode. When an administrator, regular user, or application attempts to perform an action that can result in a system configuration change or require access to sensitive areas of the operating system or file system, UAC interrupts the change and prompts for authorization or credentials to validate the change or requested access or elevation desired by the end user.
UAC settings are pretty flexible in allowing applications to run as desired but can require some tuning on the part of the desktop administrator. Many independent software vendors have been able to produce applications that can interact with UAC but in some cases where functionality or usability of a PC is impacted by UAC, some administrators or organizations may decide to disable UAC completely or just certain UAC settings to optimize the user experience. For situations when UAC is causing undesired issues with applications, if adjusting file security, user rights assignments, or running applications in legacy XP mode do not work, it might be necessary to adjust or disable User Account Control settings. The likely candidates are applications that formerly required the end user to be a member of the local Power Users or Administrators group. UAC settings should not adversely affect the functionality and operation of standard users. On the contrary, UAC actually allows standard users to be prompted for credentials to allow elevation of rights to install software or components that would have failed with previous operating systems with an Access Denied message. If, for some reason, the end user requires local administrator rights to run a legacy application and all other options have failed, then changing UAC security settings in a local computer policy or domain group policy object is required. When UAC security setting changes are required, perform the following steps:
- Log on to a designated Windows Server 2008 R2 administrative server.
- Open the Group Policy Management Console from the Administrative Tools menu.
- Add the necessary domains to the GPMC as required.
- Expand the Domains node to reveal the Group Policy Objects container.
- Either create a new GPO or edit an existing GPO.
- After the GPO is opened for editing in the Group Policy Management Editor, expand the Computer Configuration node, expand the Policies node, select the Windows Settings node, and expand it.
- Expand the Security Settings node, expand Local Policies, and select Security Options.
- In the Settings pane, scroll to the bottom of the pane to locate the UAC settings. The
following list displays the default UAC settings in the Local Computer Policy for Windows Server 2008 R2:
- Admin Approval Mode for the Built: In Administrator Account-Disabled
- Allow UIAccess Applications to Prompt for Elevation Without Using the Secure Desktop: Disabled
- Behavior of the Elevation Prompt for Administrators in Admin Approval Mode-Prompt for consent for non: Windows binaries
- Behavior of the Elevation Prompt for Standard Users: Prompt for credentials
- Detect Application Installations and Prompt for Elevation: Enabled
- Only Elevate Executables That Are Signed and Validated: Disabled
- Only Elevate UIAccess Applications That Are Installed in Secure Locations: Enabled
- Run All Administrators in Admin Approval Mode: Enabled
- Switch to the Secure Desktop When Prompting for Elevation: Enabled
- Virtualize File and Registry Write Failures to Per-User Locations: Enabled
- To disable all UAC functionality using domain policies, create and link a new GPO for UAC and edit the setting named Run All Administrators in Admin Approval Mode, and configure the setting value to Disabled. If this setting is configured as Disabled, all other UAC settings are ignored. Also, this setting change will be applied during startup, shutdown, and background refresh, but a reboot will be required to complete the setting change.
- To disable UAC prompts when logged on with an account with Local Administrator rights and leave all other settings functional, using domain policies, create and link a new GPO for UAC and edit the setting named Behavior of the Elevation Prompt for Administrators in Admin Approval Mode, and configure the setting value to Elevate Without Prompting. Click OK to save the setting and close the Group Policy Management Editor window.
- After the GPO is configured as desired, save the GPO and link it to an organizational unit that has a test Windows Vista, Windows 7,Windows Server 2008, or Windows Server 2008 R2 system to verify that the desired functionality has been achieved.
- After the testing is completed, configure security filtering and possibly also WMI filtering to limit the application scope of this policy and link it to the desired organizational unit(s).
In this tutorial:
- Group Policy Management for Network Client
- Windows Group Policies
- Domain Group Policies
- Group Policy Feature Set
- User Configuration Policy Node
- Planning Workgroup and Standalone Local Group Policy Configuration
- Planning Domain Group Policy Objects
- Domain GPOs
- Active Directory Site GPOs
- Managing Computers with Domain Policies
- Managing User Account Control Settings
- Creating a Software Restriction Policy
- Creating Application Control Policies (AppLocker)
- Deploying Printers Windows Server 2008
- Mapping Drives Using Preferences User Drive Maps Extension
- Configuring Basic Firewall Settings with Group Policy
- Configuring Windows Update Settings
- Configuring Power Options Using Domain Policies
- Managing Users with Policies
- Configuring Folder Redirection
- Removable Storage Access
- Managing Active Directory with Policies
- Configuring Restricted Groups for Domain Security Groups
- Extending Group Policy Functionality
- Synchronous Foreground Refresh
- GPO Modeling and GPO Results in the GPMC
- Managing Group Policy from Administrative or Remote Workstations