The User Account Control (UAC) feature of Windows Vista has taken more than its fair share of ridicule since its introduction. The UAC prompt can pop up quite frequently, but it serves a purpose and it is possible to configure or alter its behavior without completely disabling it.

By default, all Administrators run in Admin Approval Mode. This means that even Administrator accounts operate with lower privileges most of the time, and they will see the UAC prompt if or when actual Administrator privileges are necessary.

There are settings within Group Policy that allow you to modify the behavior of UAC. The five settings are described briefly below.

• User Account Control: Behavior of the Elevation Prompt for Standard Users: This setting can be used to eliminate the UAC elevated privileges prompt for Standard users. Users will still not be able to execute applications that require elevated privileges, but the programs will simply not work rather than prompting for privilege escalation.
• User Account Control: Switch to the Secure Desktop When Prompting for Elevation: By default, Vista switches to the Secure Desktop when elevating privileges. The Secure Desktop further limits the programs and processes that can access the desktop environment and provide added protection against malicious software. This setting can be disabled, but will result in a less secure environment during privilege escalation.
• User Account Control: Run All Administrators in Admin Approval Mode: This setting is enabled by default to protect the system even from Administrators inadvertently executing inappropriate or malicious software. However, it is possible to turn off UAC for Administrator accounts and allow Administrators to have the same sort of carte blanche access they have been used to in previous versions of Windows.
• User Account Control: Behavior of the Elevation Prompt for Administrator in Admin Approval Mode: This setting allows you to determine how the UAC prompt behaves for Administrator accounts. By default, Administrators will be prompted, but can just click OK. The behavior can be changed so that Administrators must actually enter their credentials to gain elevated privileges, or it can be changed so that the prompt does not appear. Like the Standard users though, if the prompt is disabled, the Administrator will not be able to execute programs requiring elevated privileges.
• User Account Control: Admin Approval Mode for the Built-in Administrator Account: Using this setting, you can disable Admin Approval Mode for just the built-in Administrator account, but leave it enabled for other Administrator accounts. With this feature on, the built-in Administrator account is subject to the same prompts and Admin Approval restrictions as other Administrator accounts. However, if you have processes running under the built-in Administrator account, you may wish to disable this setting.

Of course, it is possible to disable UAC altogether, and forfeit the increased protection and security it provides. I highly recommend that you not do that though. Instead, learn to work with UAC and, if necessary, use these Group Policy settings to customize its behavior to fit your needs.

Enter your email address to get Hack Report news via email:

No Comments

No comments yet.

Comments RSS TrackBack Identifier URI

Leave a comment

You must be logged in to post a comment.