Disable UAC (User Account Control) on Vista and Server 2008
By Dave Lawlor
If you have been using Windows Vista or Server 2008 I am positive you have already seen the User Account Control in action.
The UAC was created to help control unauthorized changes to your computer. It does that by either asking you for permission for certain actions or prompting for elevated credentials.
By having to verify these actions before they execute it should keep machines safe from malware and spyware that would in the past install silently.
UAC has actually become one of the biggest complaints about Vista being "unfriendly" to the average user. Too bad the average user was also the one complaining about how their Windows systems were getting hijacked without their knowledge when they downloaded any number of "free" things off the net.
Security always comes at a price and for UAC that price is a slightly annoying prompt.
Some of the downsides of course are that so many things are prompted for that users might become "prompt" blind and just click Ok without reading what was actually triggering the User Account Control. This, of course, would be that same average user who will also be calling you about the 200 pop up ads on their screen every time they open Internet Explorer.
Now you could disable UAC and let the users out on their own, but I don’t believe this is really a good option for a lot of reasons. Before you go the disable route, let’s go in and take a closer look at your ability to modify the way UAC works through Local or Group policy.
Managing User Account Control
I am going to use the Local Security Policy to modify the UAC settings as more than likely you will only want to do this on specific machines. But if you want to do this on a mass scale you can also use Group Policies to push them out to all the machines.
1. Start the Local Security Policy MMC by clicking on Start, Administrative Tools, then Local Security Policy
2. Next expand Local Policies, click on Security Options and scroll to the bottom of the main pane and you will find all the User Account Control settings you can manage.
Let’s go through these one at a time and take a look at the different settings and how you might use them.
Admin Approval Mode for the Built-in Administrator account:
This option only has two settings either Enabled or Disabled (Default). When Enabled the built-in Administrator account will logon in Admin Approval mode and any operation that needs elevation will cause a Permit or Deny prompt. When Disabled the built-in Administrator will use XP compatibility mode and no prompts will be used when an application needs elevated credentials.
Allow UIAccess applications to prompt for elevation without using the secure desktop:
This setting will mostly be used for remote assistance scenarios. When this is Disabled (default) and you are helping someone remotely and a UAC prompt is triggered it is sent to what is called a "secure" desktop. Remote users are paused during this and will not see the UAC prompt until the local user takes action on this. If you Enable this setting the prompt will be sent to the interactive desktop and the remote user will see it and be able to take action.
Behavior of the elevation prompt for administrators in Admin Approval Mode:
This setting will select what kind of prompt will be shown for Administrators when working with UAC. There are three options for this setting: Prompt for consent (Default), Prompt for credentials, or Elevate without prompting. Prompt for consent will send up a Permit or Deny pop up that the user can choose, while the Prompt for credentials will ask for user name and password to proceed. I do not recommend using the Elevate without prompting as it will just process the command no matter what elevation is needed.
Behavior of the elevation prompt for standard users:
This setting controls the UAC prompt for standard users and you have two choices: Prompt for credentials (Default for home) and Automatically deny elevation requests (Default for Enterprise). Be careful if this is set for Automatically deny elevation requests because when offering remote assistance to the user you lose the ability to easily elevate processes with your credentials.
Detect application installations and prompt for elevation:
This has two settings either Enabled (Default for home) or Disabled (Default for Enterprise). This setting will detect when a program is being installed and trigger an elevation prompt when enabled. If you are in an environment where your application installations are controlled through Group Policy or another mechanism you would want to keep this disabled.
Only elevate executables that are signed and validated:
This setting checks whether the executable is signed with a PKI certificate that is in the Trusted Publisher Store before elevating; if it is not, it will not run. By default this setting is Disabled.
Only Elevate UIAccess applications that are installed in secure locations:
This setting is Enabled by default and makes sure that any application that requests execution with a UIAccess integrity level resides in a secure location on the file system. These locations are:
..\Program Files (x86)\%subdirectories% (64-bit systems)
If the application is not launched from one of those locations it will not run unless this setting is disabled.
Run all administrators in Admin Approval Mode:
Enabled by default, this is the setting I can maybe see disabling if you are an Administrator and tire of being prompted for everything. By disabling it you would no longer be treated as a standard user by UAC. Just remember that being an Administrator does not make you impervious to malware, and disabling this will cause the system to be less secure. You will also see a warning in the Security Center if this is disabled, noting that overall security is lowered.
Switch to the secure desktop when prompting for elevation:
Ever see the screen go all grey/black when you get a UAC prompt and you can’t do anything else until you answer? You have just witnessed the secure desktop in action. This setting by default is set to Enable, but if for some reason you are having issues because of it then you can disable it.
Virtualizes file and registry write failures to per-user locations:
Some legacy applications would directly interact with certain parts of the file system and registry. In Vista/Server 2008 this access is restricted so these applications can fail. This setting will enable a compatibility redirection for these applications so they can still run. It will not work for every application, but can help. The default for this setting is enabled.
You have now seen all the configurations available for UAC in Vista and Server 2008. Notice they can be divided into two groups: settings that control what triggers UAC or how it acts, and settings that control how the prompt is presented to the user.
I strongly feel that between all these options you can configure them in a way that will keep your users protected and minimize the inconvenience to them without disabling it.
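To check how a machine is actually configured, the following added example (not part of the original article) reads the registry values that back the Security Options settings above and flags the ones set to a weaker choice. The value names come from Microsoft's documentation rather than from this article, and the script assumes PowerShell 2.0 or later is installed.

```powershell
# Added example: audit the UAC policy values behind the Security Options settings.
# Registry value names are from Microsoft's documentation, not from the article.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Weak = the value that lowers protection. $null = report only, because the
# article lists different defaults for home and Enterprise or no single weak value.
$settings = @(
    @{ Name = 'EnableLUA';                   Weak = 0;     Policy = 'Run all administrators in Admin Approval Mode' },
    @{ Name = 'ConsentPromptBehaviorAdmin';  Weak = 0;     Policy = 'Elevation prompt for administrators (0 = Elevate without prompting)' },
    @{ Name = 'PromptOnSecureDesktop';       Weak = 0;     Policy = 'Switch to the secure desktop when prompting for elevation' },
    @{ Name = 'EnableSecureUIAPaths';        Weak = 0;     Policy = 'Only elevate UIAccess applications installed in secure locations' },
    @{ Name = 'EnableUIADesktopToggle';      Weak = 1;     Policy = 'Allow UIAccess applications to prompt without the secure desktop' },
    @{ Name = 'ConsentPromptBehaviorUser';   Weak = $null; Policy = 'Elevation prompt for standard users (0 = deny, 1 = credentials)' },
    @{ Name = 'FilterAdministratorToken';    Weak = $null; Policy = 'Admin Approval Mode for the Built-in Administrator account' },
    @{ Name = 'EnableInstallerDetection';    Weak = $null; Policy = 'Detect application installations and prompt for elevation' },
    @{ Name = 'ValidateAdminCodeSignatures'; Weak = $null; Policy = 'Only elevate executables that are signed and validated' },
    @{ Name = 'EnableVirtualization';        Weak = $null; Policy = 'Virtualize file and registry write failures' }
)

# Reading this key does not require elevation.
$values = Get-ItemProperty -Path $key -ErrorAction Stop

$report = foreach ($s in $settings) {
    $prop = $values.PSObject.Properties[$s.Name]
    if ($null -eq $prop) {
        # Value absent: the policy was never written, so the built-in default applies.
        $value = '(not set)'; $status = 'Not configured'
    } elseif ($null -eq $s.Weak) {
        $value = $prop.Value; $status = 'Info'
    } elseif ($prop.Value -eq $s.Weak) {
        $value = $prop.Value; $status = 'WEAKENED'
    } else {
        $value = $prop.Value; $status = 'OK'
    }
    New-Object PSObject -Property @{
        Status = $status; ValueName = $s.Name; Value = $value; Policy = $s.Policy
    }
}

$report | Select-Object Status, ValueName, Value, Policy | Format-Table -AutoSize

# Summarize anything that reduces UAC protection (EnableLUA = 0 means UAC is off).
$weak = @($report | Where-Object { $_.Status -eq 'WEAKENED' })
if ($weak.Count -gt 0) {
    Write-Warning ("{0} UAC setting(s) weakened: {1}" -f $weak.Count, (($weak | ForEach-Object { $_.ValueName }) -join ', '))
}
```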
How to Disable UAC
That being said, I am still going to show you a quick and easy way to disable UAC on both Windows Vista and Server 2008. This is not the only way to do it; there are a few others, but this will get the job done, and you can also enable UAC in the same location.
1. Click on Start, in the search line type MSCONFIG and hit enter.
2. Click on the Tools tab, scroll down until you see Disable UAC, and then click Launch.
3. After a second a command window will pop up saying "The operation completed successfully." Close the window and reboot your machine.
If you want to re-enable it just do the same but choose Enable UAC in step 2.
When I first started using Vista I was pretty annoyed at the UAC prompts but over a year later, I am so used to them, that I just quickly glance at what initiated it and move on.
If you must modify the default behavior hopefully this article will help you formulate a compromise that will still keep your systems secure.
About the Author
Dave Lawlor (MCTS, MCP, A+) has been working in the IT field since leaving the U.S. Army in 1996. Working his way up from printer hardware repair to running a corporate datacenter for a multinational corporation, Dave has seen many environments throughout the years. Focusing on web sites and search engine optimization the last few years, with the release of Server 2008 it has renewed his passion for the Wintel platform and server technologies. David also runs Windows-Server-Training.com where he posts free videos and walk-throughs for a variety of server technologies. David currently works as a freelance technical consultant and writer for a variety of companies in the Chicago area.
Author's Website: http://www.DaveLawlor.com