Thoughts from the EPS Windows Server Performance Team
One of the new features of Windows Vista that has caused a little bit of confusion is User Account Control (aka UAC). Ever since the days of Windows NT 3.1, user rights have been a bit of an all-or-nothing proposition. Users were divided into Standard Users or Administrators. The Power Users group, which sought to bridge the gap between the two groups, was infrequently used because there were too many limitations even for that group (such as the inability to install local printer drivers). All too often, users were granted local administrative rights because many applications require that level of privilege to run properly. Even changing the time zone was impossible without administrative privileges!
The end result for many IT departments was an inconsistent user environment, where the security settings often varied wildly from machine to machine. The additional administrative overhead was reflected in more instances of reported malware, an increase in helpdesk calls, the necessity to reconfigure (or even worse, re-image) user machines, restore data on a more frequent basis and so on.
The first step in implementing UAC was to revamp how User Accounts worked in Windows Vista. When looking at a basic clean install of Windows Vista, there are four basic users / groups to consider:
OK - looking at the list above, it's very easy to get confused about what's going on with User Accounts. By default, all users (except the Built-In Administrator) run as Standard users on Windows Vista. Only the Built-In Administrator runs with unrestricted access. By the way - in Windows Vista, the Built-In Administrator account is disabled by default! By disabling the Built-In Administrator account, one of the most common attack vectors against poorly configured systems is mitigated. Something to note at this point is that with the Built-In Administrator account disabled, you cannot use that account to log into safe mode. Also, if the Built-In Administrator is the only active local administrator account detected on the system during an upgrade from Windows XP to Windows Vista, this account remains enabled. However, the account will be put into Admin Approval mode, which means that it is subject to UAC restrictions.
Therefore, Windows Vista requires you to create an Administrative account during the setup process. When you log on to Windows Vista with this account, two versions of the account's access token are created. The first one is the administrative-level token that has the full rights and privileges. The second token is a standard user token that has no administrative rights.
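The two-token behaviour can be observed from inside any process. The following PowerShell is an added example, not part of the original post: it reports which of the two tokens the current process is running with. It assumes PowerShell 2.0 or later and the built-in `whoami.exe`; the function name `Get-TokenState` is made up for this illustration.

```powershell
# Added example, not from the original post.
# Well-known SID of BUILTIN\Administrators (the same on every Windows install).
$AdminsSid = 'S-1-5-32-544'

function Get-TokenState {
    # IsInRole() is true only when the Administrators group is *enabled*
    # in this process's token, i.e. the full administrative token is in use.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists every group SID carried in the token, including groups
    # that are present but marked deny-only. Matching on the SID keeps the
    # check independent of the display language.
    $groups = whoami.exe /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes
    $adminSidPresent = @($groups |
        Where-Object { $_.Sid -eq $AdminsSid }).Count -gt 0

    if ($elevated) {
        $state = 'Full administrative token (elevated process)'
    } elseif ($adminSidPresent) {
        # Member of Administrators, but the group is deny-only here:
        # this is the standard user token of an administrative account.
        $state = 'Standard user token of an administrative account'
    } else {
        $state = 'Standard user token (account is not an administrator)'
    }

    New-Object PSObject -Property @{
        User              = $identity.Name
        Elevated          = $elevated
        AdminGroupInToken = $adminSidPresent
        State             = $state
    }
}

Get-TokenState | Format-List User, Elevated, AdminGroupInToken, State
```

Run once from a normal prompt and once from a prompt started with "Run as administrator": the same account reports a different state in each.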
So what happens when a user with Administrative rights wants to perform an Administrative task on the system? In previous versions of Windows, Standard users would have either had to log off or invoke RunAs to pass administrative credentials. However, with UAC, Administrative users are prompted to provide confirmation when they attempt to perform administrative tasks. This is known as the Elevation Prompt. The image below shows the basic Consent Prompt. However, based on the way that the Local Security Policy / Group Policy is configured, Administrative users can also be prompted to re-enter their credentials. Several customers that I have worked with have implemented this policy as a means to guard against apathy and automatically clicking through the Consent prompt without verifying the actions.
To quickly wrap up this introduction to UAC, here's a quick summary of the way that the UAC prompting behavior can be configured. The settings can be configured either locally or via GPO:
The following table describes the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode and the User Account Control: Behavior of the elevation prompt for standard users settings.
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
There are three possible values:
Prompt for consent
There are two possible values:
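Both prompt policies are stored as registry values, which makes them easy to audit across machines. The following PowerShell is an added example, not part of the original post: it reads the settings and flags the ones that remove the elevation prompt. The value meanings in the two lookup tables are those defined for Windows Vista (later Windows releases define additional values), and the function names are made up for this illustration.

```powershell
# Added example, not from the original post.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meanings of the DWORD values as defined for Windows Vista.
$AdminPrompt = @{ 0 = 'Elevate without prompting'
                  1 = 'Prompt for credentials'
                  2 = 'Prompt for consent' }
$UserPrompt  = @{ 0 = 'Automatically deny elevation requests'
                  1 = 'Prompt for credentials' }

function Resolve-Setting($Map, $Value) {
    if ($null -eq $Value)              { return 'Not set (OS default applies)' }
    if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return "Unrecognised value $Value"
}

function Get-UacPromptPolicy {
    param([string]$Path = $UacKey)
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop

    $findings = @()
    if ($p.EnableLUA -eq 0) {
        # Admin Approval Mode off: administrators run with the full token.
        $findings += 'Admin Approval Mode is disabled'
    }
    if ($p.ConsentPromptBehaviorAdmin -eq 0) {
        # Elevation still happens, but nobody is asked to confirm it.
        $findings += 'Administrators elevate without any prompt'
    }

    New-Object PSObject -Property @{
        AdminApprovalMode  = ($p.EnableLUA -ne 0)
        AdminPrompt        = Resolve-Setting $AdminPrompt $p.ConsentPromptBehaviorAdmin
        StandardUserPrompt = Resolve-Setting $UserPrompt  $p.ConsentPromptBehaviorUser
        Findings           = $findings
    }
}

Get-UacPromptPolicy |
    Format-List AdminApprovalMode, AdminPrompt, StandardUserPrompt, Findings
```

An empty `Findings` list means administrators still see a prompt before elevation; when the setting is delivered by GPO, the same registry values reflect the applied policy.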
OK - that's all for this post. I know that there's a lot of information to digest here, but once you get a good handle on UAC and how it impacts Windows Vista you've made a giant leap forward in really understanding the Operating System!
- CC Hameed
Can you tell me how I can do that (changing UAC) programmatically using Win32 APIs?
Thanks & regards
I am having great difficulty understanding your shortened initials for a program.
In addition, I came on this specific thread with a problem that appears to be pertinent here.
My welcome screen shows two user accounts--"Administrator" and "Home". I am the current administrator on this laptop, only one user. I did an update to Windows Vista Home Basic (32), and this was the result.
Now, I cannot install some programs that I've downloaded--the advice given is that I do not enjoy administrator privileges. I am not about to reboot/restart my computer each time I am having this difficulty.
How do I remove the administrator account from my welcome screen, while still retaining administrator privileges??
This is so frustrating...