Difference Between UAC and Admin Approval mode
What is the function of Admin Approval Mode (AAM) and UAC? Is there a link between UAC and AAM? Are they interrelated? When we turn OFF the AAM, UAC also gets turned OFF automatically. Is this an intended behavior?
April 28th, 2011 3:57pm

It's actually written in the explain tab of the policies. But in short, yes it's by design that UAC will get turned off if you disable Admin Approval Mode.

===========
User Account Control: Turn on Admin Approval Mode

This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.

The options are:
• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.

============
User Account Control: Use Admin Approval Mode for the built-in Administrator account

This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account.

The options are:
• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.
• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege.

============
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

This policy setting controls the behavior of the elevation prompt for administrators.

The options are:
• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments.
• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.

Kind regards,
Stephan Schwarz

If one of these posts answered your question or issue, please click on "Mark as answer". If a post contained helpful information, please be so kind to click on the "Vote as helpful" button :)
April 29th, 2011 3:24pm
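
The three policies quoted in the answer above are stored as registry values, so their state can be checked directly on a machine. The PowerShell audit below is an added example, not part of the original post; the value names EnableLUA, FilterAdministratorToken and ConsentPromptBehaviorAdmin are the registry names Windows uses for these policies and do not appear in the thread.

```powershell
# Added example: read the registry values behind the three UAC policies quoted above.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacValue([string]$Name) {
    # Returns $null when the value is absent, so "not set" is never mistaken for 0.
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Format-Switch($Value) {
    if ($null -eq $Value) { 'not set' } elseif ($Value -eq 0) { 'Disabled' } else { 'Enabled' }
}

# ConsentPromptBehaviorAdmin data 0..5, in the order the policy text lists its options.
$promptOptions = @(
    'Elevate without prompting',
    'Prompt for credentials on the secure desktop',
    'Prompt for consent on the secure desktop',
    'Prompt for credentials',
    'Prompt for consent',
    'Prompt for consent for non-Windows binaries'
)

$enableLua   = Get-UacValue 'EnableLUA'                   # Turn on Admin Approval Mode
$filterAdmin = Get-UacValue 'FilterAdministratorToken'    # AAM for the built-in Administrator
$prompt      = Get-UacValue 'ConsentPromptBehaviorAdmin'  # Elevation prompt for administrators

$promptText = if ($null -eq $prompt) { 'not set' } else { $promptOptions[$prompt] }

[pscustomobject]@{
    'Turn on Admin Approval Mode'             = Format-Switch $enableLua
    'AAM for the built-in Administrator'      = Format-Switch $filterAdmin
    'Elevation prompt for administrators'     = $promptText
} | Format-List

# Flag the two settings the policy text itself marks as reducing security.
if ($enableLua -eq 0) {
    Write-Warning 'Admin Approval Mode and all related UAC policy settings are disabled.'
}
if ($prompt -eq 0) {
    Write-Warning 'Administrators elevate without prompting (no consent or credentials).'
}
```

A changed EnableLUA value only takes effect after a restart, as the policy text states, so the report shows the configured state rather than necessarily the running one.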

This is from the Technet site (http://technet.microsoft.com/en-us/library/cc772207%28WS.10%29.aspx)

As for the second part, turning off AAM, I'm not sure.

What does User Account Control do?

UAC allows an administrator to enter credentials during a non-administrator's user session to perform occasional administrative tasks without having to switch users, log off, or use the Run as command. UAC can also require administrators to specifically approve applications that will make "system-wide" changes before those applications are allowed to run, even in the administrator's user session.

Who will be interested in this feature?

Understanding the operation of UAC is important for the following groups:
• Administrators
• IT security professionals
• Developers creating applications for Windows Server 2008 or Windows Vista

Are there any special considerations?

At first, users might encounter a larger number of UAC prompts because there are a lot of system-wide changes to make when first configuring the operating system. Over time, however, those kinds of changes become much less frequent.

While UAC appears in both Windows Server 2008 and Windows Vista, the default configurations differ in the following ways:
• The Admin Approval Mode (AAM), by default, is not enabled for the Built-in Administrator Account in either Windows Server 2008 or Windows Vista.
• The Built-in Administrator account is disabled by default in Windows Vista, and the first user account created is placed in the local Administrators group, and AAM is enabled for that account.
• The Built-in Administrator account is enabled by default in Windows Server 2008. AAM is disabled for this account.

What new functionality does this feature provide?

UAC includes several features and security improvements.

Admin Approval Mode

Admin Approval Mode (AAM) is a UAC configuration in which a split user access token is created for an administrator. When an administrator logs on to a Windows Server 2008-based computer, the administrator is assigned two separate access tokens. Without AAM, an administrator account receives only one access token, which grants that administrator access to all Windows resources.

Why is this functionality important?

AAM helps prevent malicious programs from silently installing without an administrator's knowledge. It also helps protect from inadvertent system-wide changes. Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process.

What works differently?

The primary difference between a standard user (a non-administrator) and an administrator in Windows Server 2008 is the level of access the user has over core, protected areas of the computer. Administrators can change system state, turn off the firewall, configure security policy, install a service or a driver that affects every user on the computer, and install software programs for the entire computer. Standard users cannot perform these tasks.

When AAM is enabled, an administrator receives both a full access token and a second access token, called the filtered access token. During the logon process, authorization and access control components that identify an administrator are removed or disabled, to create the filtered access token. The filtered access token is then used to start Explorer.exe, the process that creates and owns the user's desktop. Because applications normally inherit their access token from the process that starts them, which in this case is Explorer.exe, they all run with the filtered access token as well.

Don't believe everything you read.
July 21st, 2011 3:58pm
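
The split token described in the post above can be observed from any PowerShell session. This is an added example, not part of the original post; it relies on two facts not stated in the thread: the filtered token keeps BUILTIN\Administrators (S-1-5-32-544) listed but not enabled, and the token's integrity level appears as a group SID under S-1-16.

```powershell
# Added example: decide whether this process holds the filtered or the full token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# True only when BUILTIN\Administrators is an enabled group in this token.
$adminEnabled = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# whoami lists every group in the token, including groups that are not enabled.
# /nh plus -Header keeps the parsing independent of the display language.
$groups = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, Sid, Attributes
$adminListed = [bool]($groups | Where-Object { $_.Sid -eq 'S-1-5-32-544' })

# Integrity label SIDs (assumption labelled above: not mentioned in the thread).
$labels = @{
    'S-1-16-4096'  = 'Low'
    'S-1-16-8192'  = 'Medium'
    'S-1-16-12288' = 'High'
    'S-1-16-16384' = 'System'
}
$labelSid = ($groups | Where-Object { $_.Sid -like 'S-1-16-*' } |
    Select-Object -First 1).Sid

$tokenKind = if ($adminEnabled) {
    'full administrator token'
} elseif ($adminListed) {
    'filtered access token (administrator under Admin Approval Mode)'
} else {
    'standard user token'
}

[pscustomobject]@{
    User                 = $identity.Name
    AdministratorsListed = $adminListed
    AdministratorsActive = $adminEnabled
    IntegrityLevel       = $labels[$labelSid]
    Token                = $tokenKind
} | Format-List
```

Run once from a normal prompt and once from a "Run as administrator" prompt under the same account: with AAM enabled the two sessions report different tokens, and with AAM disabled both report the full token.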

This topic is archived. No further replies will be accepted.
