Configure UAC settings via policy

Now that we understand how UAC works and why enabling it matters for avoiding problems during a Windows Vista deployment in your environment, we can discuss how to configure UAC to optimize security and ease of use. Administrators can change the consent UI behavior, as well as some other UAC features, through Group Policy.
This section details the main method for configuring UAC: administering it with the local Security Policy Editor and Group Policy. Administrators in a domain environment can configure UAC settings in domain security policy.

1. Click Start, click All Programs, click Accessories, click Run, type secpol.msc in the Open text box, and then click OK.

2. From the Local Security Settings console tree, click Local Policies, and then Security Options.

3. Scroll down and double-click the corresponding UAC policy settings to configure them.

4. Close the Local Security Settings window.

In total, eight Group Policy Object (GPO) settings can be configured for UAC. The following list includes the policy settings:

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

User Account Control: Behavior of the elevation prompt for standard users

User Account Control: Detect application installations and prompt for elevation

User Account Control: Only elevate executables that are signed and validated

User Account Control: Run all administrators in Admin Approval Mode

User Account Control: Switch to the secure desktop when prompting for elevation

User Account Control: Virtualize file and registry write failures to per-user locations

User Account Control: Admin Approval Mode for the Built-in Administrator account

User Account Control: Only elevate UIAccess applications that are installed in secure locations

Below we outline three common tasks that administrators perform during the setup and configuration of client computers running Windows Vista: disabling Admin Approval Mode, disabling UAC from prompting for credentials to install applications, and changing the elevation prompt behavior.

1. Disable Admin Approval Mode

Policy Item: User Account Control: Run all administrators in Admin Approval Mode.

Default Value: Enabled
Description: There are two possible values:

• Enabled - Both administrators and standard users will be prompted when attempting to perform administrative operations. The prompt style is dependent on policy.

• Disabled - UAC is essentially "turned off" and the AIS service is disabled from automatically starting. The Windows Security Center will also notify the logged-on user that the overall security of the operating system has been reduced and will give the user the ability to self-enable UAC.

Note: Changing this setting will require a system reboot.

2. Disable User Account Control from prompting for credentials to install applications

Policy Item: User Account Control: Detect application installations and prompt for elevation.

Default Value: Home: Enabled. Enterprise: Disabled
Description: There are two possible values:

• Disabled - Application installations will silently fail or fail in a non-deterministic manner. Enterprises running standard user desktops that leverage delegated installation technologies like GPSI or SMS will disable this feature. In this case, installer detection is unnecessary and therefore not required.

3. Change the elevation prompt behavior

Policy Item: User Account Control: Behavior of the elevation prompt for administrators.

Default Value: Prompt for consent
Description: There are three possible values:

• Prompt for credentials – An operation that requires a full administrator access token will prompt an administrator in Admin Approval Mode to enter an administrator user name and password. If the user enters valid credentials, the operation will continue with the applicable privilege.

Policy Item: User Account Control: Behavior of the elevation prompt for standard users

Default Value: Home: Prompt for credentials. Enterprise: No prompt
Description: There are two possible values:

• No prompt – No elevation prompt is presented and the user cannot perform administrative tasks without using Run as administrator or by logging on with an administrator account. Most enterprises running desktops as standard user will configure the “No prompt” policy to reduce help desk calls.

• Prompt for credentials – An operation that requires a full administrator access token will prompt the user to enter an administrative user name and password. If the user enters valid credentials the operation will continue with the applicable privilege.
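To check which of the settings described above are actually in effect on a machine, the registry values that back these policies can be read directly. The script below is an added example, not part of the original article; it assumes PowerShell 3.0 or later and the standard value names under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`, and it reports raw data only, because the numeric meaning of the prompt-behavior values differs between Windows versions.

```powershell
# Added example: report the registry values behind the UAC policy settings.
# Read-only; run locally or through your remote management tooling.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value name -> policy name as shown in the Security Options list.
$uacPolicies = [ordered]@{
    EnableLUA                   = 'Run all administrators in Admin Approval Mode'
    ConsentPromptBehaviorAdmin  = 'Behavior of the elevation prompt for administrators in Admin Approval Mode'
    ConsentPromptBehaviorUser   = 'Behavior of the elevation prompt for standard users'
    EnableInstallerDetection    = 'Detect application installations and prompt for elevation'
    ValidateAdminCodeSignatures = 'Only elevate executables that are signed and validated'
    PromptOnSecureDesktop       = 'Switch to the secure desktop when prompting for elevation'
    EnableVirtualization        = 'Virtualize file and registry write failures to per-user locations'
    FilterAdministratorToken    = 'Admin Approval Mode for the Built-in Administrator account'
    EnableSecureUIAPaths        = 'Only elevate UIAccess applications that are installed in secure locations'
}

$current = Get-ItemProperty -Path $key -ErrorAction Stop

$report = foreach ($name in $uacPolicies.Keys) {
    # A value that was never configured is simply absent from the key.
    $prop = $current.PSObject.Properties[$name]
    [pscustomobject]@{
        Policy        = $uacPolicies[$name]
        RegistryValue = $name
        Data          = if ($prop) { $prop.Value } else { '(not set)' }
    }
}

$report | Format-Table -AutoSize -Wrap

# EnableLUA = 0 corresponds to "Run all administrators in Admin Approval
# Mode: Disabled", which the article describes as UAC being turned off.
$lua = $report | Where-Object RegistryValue -eq 'EnableLUA'
if ($lua.Data -ne 1) {
    Write-Warning ("EnableLUA is '{0}' on {1}: Admin Approval Mode is not enabled." -f $lua.Data, $env:COMPUTERNAME)
}
```

Because a change to the Admin Approval Mode setting requires a reboot, the value reported here can differ from the running state until the machine restarts.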

For more information on how to configure UAC via policy, view the following links:

How to use User Account Control (UAC) in Windows Vista

https://support.microsoft.com/?id=922708

https://technet.microsoft.com/en-us/windowsvista/aa905117.aspx

Comments

  • Anonymous
    January 01, 2003
    Keep in mind that every time you disable UAC on a machine, a kitten dies somewhere in the world. http://blogs.technet.com/asiasupp/archive/2007/02/08/configure-uac-settings-via-policy.asp

  • Anonymous
    January 01, 2003
    Someone referenced this post to answer question "The purpose, use and configuration of UAC in Windows 7.?"...

  • Anonymous
    July 29, 2008
    How can we enforce UAC using Group Policy?  I enabled these options through Group Policy, however, the user can still go into the control panel and turn off UAC.  The only other non-GP method I know of is to use a batch file to do the following: C:WindowsSystem32cmd.exe /k %windir%System32reg.exe ADD HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem /v EnableLUA /t REG_DWORD /d 1 /f Any way to enforce this using Group Policy without using scripts?