Configure UAC settings via policy
Once you understand how UAC works and why enabling it helps prevent problems that may arise during a Windows Vista deployment in your environment, the next step is configuring UAC to optimize security and ease of use. Administrators can change the consent UI behavior, as well as some other UAC features, through Group Policy.
This section details the main method for configuring UAC: administering it with the local Security Policy Editor and Group Policy.
Administrators in a domain environment can configure UAC settings in domain security policy.
1. Click Start, click All Programs, click Accessories, click Run, type secpol.msc in the Open text box, and then click OK.
2. From the Local Security Settings console tree, click Local Policies, and then Security Options.
3. Scroll down and double-click the corresponding UAC policy setting to configure it.
4. Close the Local Security Settings window.
In total, eight Group Policy Object (GPO) settings can be configured for UAC. The following list includes the policy settings:
• User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
• User Account Control: Behavior of the elevation prompt for standard users
• User Account Control: Detect application installations and prompt for elevation
• User Account Control: Only elevate executables that are signed and validated
• User Account Control: Run all administrators in Admin Approval Mode
• User Account Control: Switch to the secure desktop when prompting for elevation
• User Account Control: Virtualize file and registry write failures to per-user locations
• User Account Control: Admin Approval Mode for the Built-in Administrator account
• User Account Control: Only elevate UIAccess applications that are installed in secure locations
Below we outline three common tasks that administrators perform during the setup and configuration of client computers running Windows Vista: disabling Admin Approval Mode, disabling UAC from prompting for credentials to install applications, and changing the elevation prompt behavior.
1. Disable Admin Approval Mode
Policy Item: User Account Control: Run all administrators in Admin Approval Mode.
Default Value: Enabled
Description: There are two possible values:
• Enabled - Both administrators and standard users will be prompted when attempting to perform administrative operations. The prompt style is dependent on policy.
• Disabled - UAC is essentially "turned off" and the AIS service is disabled from automatically starting. The Windows Security Center will also notify the logged-on user that the overall security of the operating system has been reduced and will give the user the ability to self-enable UAC.
Note: Changing this setting will require a system reboot.
2. Disable User Account Control from prompting for credentials to install applications
Policy Item: User Account Control: Detect application installations and prompt for elevation.
Default Value: Home: Enabled. Enterprise: Disabled
Description: There are two possible values:
• Enabled - The user is prompted for consent or credentials when Windows Vista detects an installer.
• Disabled - Application installations will silently fail or fail in a non-deterministic manner. Enterprises running standard user desktops that leverage delegated installation technologies like GPSI or SMS will disable this feature. In this case, installer detection is unnecessary and therefore not required.
3. Change the elevation prompt behavior
Policy Item: User Account Control: Behavior of the elevation prompt for administrators.
Default Value: Prompt for consent
Description: There are three possible values:
• No prompt – The elevation occurs automatically and silently. This option allows an administrator in Admin Approval Mode to perform an operation that requires elevation without consent or credentials. Note: this scenario should only be used in the most constrained environments and is NOT recommended.
• Prompt for consent – An operation that requires a full administrator access token will prompt the administrator in Admin Approval Mode to select either Continue or Cancel. If the administrator clicks Continue, the operation will continue with their highest available privilege.
• Prompt for credentials – An operation that requires a full administrator access token will prompt an administrator in Admin Approval Mode to enter an administrator user name and password. If the user enters valid credentials, the operation will continue with the applicable privilege.
Policy Item: User Account Control: Behavior of the elevation prompt for standard users
Default Value: Home: Prompt for credentials. Enterprise: No prompt
Description: There are two possible values:
• No prompt – No elevation prompt is presented and the user cannot perform administrative tasks without using Run as administrator or by logging on with an administrator account. Most enterprises running desktops as standard user will configure the “No prompt” policy to reduce help desk calls.
• Prompt for credentials – An operation that requires a full administrator access token will prompt the user to enter an administrative user name and password. If the user enters valid credentials, the operation will continue with the applicable privilege.
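These policies are stored as registry values, so a script can check whether a machine has drifted to the two weak states described above (UAC turned off, or silent elevation for administrators). The PowerShell below is an added example, not part of the original post; the registry value names and the meaning of the data 0 are not given in the post, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: audit the UAC policy values described in this post.
# Value names and data meanings are not from the post itself.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Policy -> registry value name, plus the data this audit flags as weak.
$Checks = @(
    @{ Policy = 'Run all administrators in Admin Approval Mode'
       Name = 'EnableLUA'; Weak = @(0)
       Note = 'UAC is essentially turned off' }
    @{ Policy = 'Behavior of the elevation prompt for administrators in Admin Approval Mode'
       Name = 'ConsentPromptBehaviorAdmin'; Weak = @(0)
       Note = 'No prompt: elevation is automatic and silent (NOT recommended)' }
    @{ Policy = 'Behavior of the elevation prompt for standard users'
       Name = 'ConsentPromptBehaviorUser'; Weak = @() }
    @{ Policy = 'Detect application installations and prompt for elevation'
       Name = 'EnableInstallerDetection'; Weak = @() }
)

function Test-UacPolicy {
    param([Parameter(Mandatory = $true)][hashtable]$Values)
    foreach ($c in $Checks) {
        $data = $Values[$c.Name]
        if ($null -eq $data)             { $finding = 'NOT SET (OS default applies)' }
        elseif ($c.Weak -contains $data) { $finding = "WEAK: $($c.Note)" }
        elseif ($c.Weak.Count -eq 0)     { $finding = 'INFO: depends on deployment' }
        else                             { $finding = 'OK' }
        [pscustomobject]@{
            Policy = $c.Policy; Value = $c.Name; Data = $data; Finding = $finding
        }
    }
}

function Get-UacPolicyValues {
    # Read the live values; a value that is absent comes back as $null.
    $props = Get-ItemProperty -Path $UacKey -ErrorAction Stop
    $h = @{}
    foreach ($c in $Checks) { $h[$c.Name] = $props.($c.Name) }
    $h
}

# Constructed sample: UAC switched off and silent elevation for administrators.
$sample = @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; ConsentPromptBehaviorUser = 1 }
Test-UacPolicy -Values $sample | Format-Table -AutoSize

# On a live Windows machine:
# Test-UacPolicy -Values (Get-UacPolicyValues) | Format-Table -AutoSize
```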
For more information on how to configure UAC via policy, view the following links:
How to use User Account Control (UAC) in Windows Vista
https://support.microsoft.com/?id=922708
https://technet.microsoft.com/en-us/windowsvista/aa905117.aspx
Comments
Anonymous
January 01, 2003
Just think: every time you disable UAC on a computer, a kitten dies somewhere in the world. http://blogs.technet.com/asiasupp/archive/2007/02/08/configure-uac-settings-via-policy.asp
Anonymous
January 01, 2003
Someone referenced this post to answer question "The purpose, use and configuration of UAC in Windows 7.?"...
Anonymous
January 01, 2003
The comment has been removed
Anonymous
July 29, 2008
How can we enforce UAC using Group Policy? I enabled these options through Group Policy, however, the user can still go into the control panel and turn off UAC. The only other non-GP method I know of is to use a batch file to do the following: C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f Any way to enforce this using Group Policy without using scripts?