Configuring UAC and Admin Approval Mode

In Group Policy under Local Policies\Security Options, five security settings determine how Admin Approval Mode and elevation prompting work. Table 1 summarizes these security settings. Remember, Group Policy gives you the flexibility to configure UAC as needed for specific environments. For example, if servers at a remote office are in a separate GPO from workstations at that office, you could configure UAC for servers one way and UAC for workstations another way.

Table 1. Security settings related to Admin Approval Mode
| Security Setting | Description |
| --- | --- |
| User Account Control: Admin Approval Mode For The Built-in Administrator Account | Determines whether users and processes running as the built-in local administrator account are subject to Admin Approval Mode. By default, this feature is disabled, which means the built-in local administrator account is not subject to Admin Approval Mode or to the elevation-prompt behavior stipulated for other administrators in Admin Approval Mode. If you enable this setting, users and processes running as the built-in local administrator will be subject to Admin Approval and also subject to the elevation-prompt behavior stipulated for other administrators in Admin Approval Mode. |
| User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode | Determines whether administrators subject to Admin Approval Mode see an elevation prompt when running administrator applications, and also determines how the elevation prompt works. By default, administrators are prompted for consent when running administrator applications. You can configure this option so that administrators are prompted for credentials, as is the case with standard users. You can also configure this option so that administrators are not prompted at all—in which case, the administrator will not be able to elevate privileges. This doesn’t prevent administrators from pressing and holding or right-clicking an application shortcut and selecting Run As Administrator. |
| User Account Control: Behavior Of The Elevation Prompt For Standard Users | Determines whether users logged on with a standard user account see an elevation prompt when running administrator applications. By default, users logged on with a standard user account are prompted for the credentials of an administrator when running administrator applications. You can also configure this option so that users are not prompted—in which case, the users will not be able to elevate privileges by supplying administrator credentials. This doesn’t prevent users from pressing and holding or right-clicking an application shortcut and selecting Run As Administrator. |
| User Account Control: Run All Administrators In Admin Approval Mode | Determines whether users logged on with an administrator account are subject to Admin Approval Mode. By default, this feature is enabled, which means administrators are subject to Admin Approval Mode and further subject to the elevation-prompt behavior stipulated for administrators in Admin Approval Mode. If you disable this setting, users logged on with an administrator account are not subject to Admin Approval and therefore are not subject to the elevation-prompt behavior stipulated for administrators in Admin Approval Mode. |
| User Account Control: Switch To The Secure Desktop When Prompting For Elevation | Determines whether Windows Server switches to the secure desktop before prompting for elevation. As the name implies, the secure desktop restricts the programs and processes that have access to the desktop environment. In this way, it reduces the possibility that a malicious program or user could gain access to the process being elevated. By default, this security option is enabled. If you don’t want Windows Server to switch to the secure desktop prior to prompting for elevation, you can disable this setting. However, if you do this, you’ll make the computer more susceptible to malware and attack. |

In a domain environment, you can use Microsoft Active Directory–based Group Policy to apply the desired security configuration to a particular set of computers. Simply configure the desired settings in a Group Policy Object (GPO) that applies to those computers.

For workgroup configurations or for a special case, you can configure these security settings on a per-computer basis using local security policy. To access local security policy and configure UAC settings, follow these steps:

1. Select Local Security Policy on the Tools menu in Server Manager. This starts the Local Security Policy console.

2. In the console tree, under Security Settings, expand Local Policies and then select Security Options, as shown in Figure 3.

3. Double-tap or double-click User Account Control: Admin Approval Mode For The Built-in Administrator Account. This opens the related properties dialog box shown in Figure 4. Select Enabled to turn on this setting or Disabled to turn off this setting. Tap or click OK.

4. Double-tap or double-click User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode. The available options are used as follows:

   - Elevate Without Prompting: Enters Admin Approval Mode, and elevates to the user’s highest available privileges without prompting for consent or credentials.
   - Prompt For Credentials On The Secure Desktop: Switches to the secure desktop, and then prompts for credentials before elevating to the user’s highest available privileges.
   - Prompt For Consent On The Secure Desktop: Switches to the secure desktop, and then prompts for consent before elevating to the user’s highest available privileges.
   - Prompt For Credentials: Prompts for credentials before elevating to the user’s highest available privileges, but doesn’t switch to the secure desktop.
   - Prompt For Consent: Prompts for consent before elevating to the user’s highest available privileges, but doesn’t switch to the secure desktop.
   - Prompt For Consent For Non-Windows Binaries: When running non-Windows applications that require elevation, prompts for consent on the secure desktop before elevating to the user’s highest available privileges. This is the default.

5. Double-tap or double-click User Account Control: Behavior Of The Elevation Prompt For Standard Users. The available options are Automatically Deny Elevation Requests, Prompt For Credentials On The Secure Desktop, and Prompt For Credentials.

   Important: If you deny elevation requests, elevation prompts will not be presented to users. This includes Remote Assistance users who might be trying to assist a user remotely.

6. Double-tap or double-click User Account Control: Run All Administrators In Admin Approval Mode. Select Enabled to turn on this setting or Disabled to turn off this setting. Tap or click OK.

7. Double-tap or double-click User Account Control: Switch To The Secure Desktop When Prompting For Elevation. Select Enabled to turn on this setting or Disabled to turn off this setting. Tap or click OK.
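
The five policies configured in the steps above are stored as DWORD values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, so the result can be checked from PowerShell after the GPO or local policy has applied. The following is an added example, not part of the original text: the registry value names do not appear on this page, and the function name Get-UacPolicyState and the sample values are constructed for illustration.

```powershell
# Added example; registry value names are not from the page (see lead-in).
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$OnOff  = @{ 0 = 'Disabled'; 1 = 'Enabled' }
$AdminPrompt = @{
    0 = 'Elevate Without Prompting'
    1 = 'Prompt For Credentials On The Secure Desktop'
    2 = 'Prompt For Consent On The Secure Desktop'
    3 = 'Prompt For Credentials'
    4 = 'Prompt For Consent'
    5 = 'Prompt For Consent For Non-Windows Binaries'
}
$UserPrompt = @{
    0 = 'Automatically Deny Elevation Requests'
    1 = 'Prompt For Credentials On The Secure Desktop'
    3 = 'Prompt For Credentials'
}
# Default = raw values that match the defaults stated in Table 1. For standard
# users the page only says "prompted for credentials", so both 1 and 3 qualify.
$Policies = @(
    @{ Name = 'Admin Approval Mode For The Built-in Administrator Account'; Reg = 'FilterAdministratorToken'; Map = $OnOff; Default = @(0) }
    @{ Name = 'Behavior Of The Elevation Prompt For Administrators'; Reg = 'ConsentPromptBehaviorAdmin'; Map = $AdminPrompt; Default = @(5) }
    @{ Name = 'Behavior Of The Elevation Prompt For Standard Users'; Reg = 'ConsentPromptBehaviorUser'; Map = $UserPrompt; Default = @(1, 3) }
    @{ Name = 'Run All Administrators In Admin Approval Mode'; Reg = 'EnableLUA'; Map = $OnOff; Default = @(1) }
    @{ Name = 'Switch To The Secure Desktop When Prompting For Elevation'; Reg = 'PromptOnSecureDesktop'; Map = $OnOff; Default = @(1) }
)
function Get-UacPolicyState {
    param([hashtable]$Values)  # raw values to evaluate; omit to read the local registry
    if ($null -eq $Values) {
        $props  = Get-ItemProperty -Path $UacKey
        $Values = @{}
        foreach ($p in $Policies) { $Values[$p.Reg] = $props.($p.Reg) }
    }
    foreach ($p in $Policies) {
        $raw = $Values[$p.Reg]
        if ($null -eq $raw) { $setting = 'Not set in registry'; $match = $null }
        else {
            $setting = $p.Map[[int]$raw]
            if (-not $setting) { $setting = "Unknown value $raw" }
            $match = $p.Default -contains [int]$raw
        }
        [pscustomobject]@{ Policy = $p.Name; RegistryValue = $p.Reg; Raw = $raw
                           Setting = $setting; MatchesDefault = $match }
    }
}

# Constructed sample (not from a real host): silent elevation, secure desktop off.
$sample = @{ FilterAdministratorToken = 0; ConsentPromptBehaviorAdmin = 0
             ConsentPromptBehaviorUser = 3; EnableLUA = 1; PromptOnSecureDesktop = 0 }
Get-UacPolicyState -Values $sample | Format-Table Policy, Setting, MatchesDefault -AutoSize
```

Calling Get-UacPolicyState with no arguments on a server evaluates its live settings instead of the sample.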