After we understand how UAC works and realize the importance of enabling UAC to prevent potential problems that may arise during your Windows Vista deployment inyour environment, we can move on to discussing how to configure UAC to optimize security and ease of use. The consent UI behavior as well as some other UAC features can be changed by group policy for administrators.
This section details the main method for configuring UAC by Administering UAC with the local Security Policy Editor and Group Policy. For administrators in a domain environment, they can configure UAC settings in domain security policy.
1. Click Start, click All Programs, click Accessories, click Run, type secpol.msc in the Open text box, and then click OK.
2. From the Local Security Settings console tree, click Local Policies, and then Security Options.
3. Scroll down and double-click corresponding UAC policy settings to configure
4. Close the Local Security Settings window.
There are in total eight Group Policy Object (GPO) settings that can be configured for UAC. The following list includes the policy settings:
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
User Account Control: Behavior of the elevation prompt for standard users
User Account Control: Detect application installations and prompt for elevation
User Account Control: Only elevate executables that are signed and validated
User Account Control: Run all administrators in Admin Approval Mode
User Account Control: Switch to the secure desktop when prompting for elevation
User Account Control: Virtualize file and registry write failures to per-user locations
User Account Control: Admin Approval Mode for the Built-in Administrator account
User Account Control: Only elevate UIAccess applications that are installed in secure locations
Hereby we outline three common tasks that administrators perform during the set up and configuration of client computers running Windows Vista. The following policies brief the tasks of disabling Admin Approval Mode, disabling UAC from prompting for credentials to install applications, and changing the elevation prompt behavior.
For more information on how to configure UAC via policy, view the following links:
How to use User Account Control (UAC) in Windows Vista
Pensar que cada vez que desactivais UAC en un equipo, un gatito muere en algun lugar del mundo. http://blogs.technet.com/asiasupp/archive/2007/02/08/configure-uac-settings-via-policy.asp
How can we enforce UAC using Group Policy? I enabled these options through Group Policy, however, the user can still go into the control panel and turn off UAC. The only other non-GP method I know of is to use a batch file to do the following:
C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
Any way to enforce this using Group Policy without using scripts?
Someone referenced this post to answer question "The purpose, use and configuraiton of UAC in Windows 7.?"...
@Aakash - yes, Group Policy Preferences in a GPO, from drill to Windows Settings-->Registry and r-click in the right hand pane to create a new item. Action 'Update' then keep Hive as HKLM (default) then drill the Key Path down to the EnableLUA and select
it. Make sure the value data is what you want to push (it will be if set correctly on the box you're using) then hit Apply. After the update hits, your servers will need a reboot for the change to take effect.