Enforcement of UAC Setting
I've looked high and low and I can't seem to find the answer to this one. Is there a way, via Group Policy (or some other method) to enforce a computer to use UAC? Everything I see states that if a user has admin rights, they can shut it off. Thanks for any info! -Steve
February 9th, 2008 12:08am

Hi, You have brought up an interesting discussion. You are saying that there should be a way so that you can restrict modifications in the UAC behaviour to one user of the Local Administrators group, denying access to other users in the admin group. To my knowledge that is impossible. This is because of the logon process in Windows Vista. When a member of the Local Administrators group logs in they are assigned 2 tokens, a limited token and an admin token. The admin one is on "stand-by" and will be activated by the AIS service when the user tries to accomplish something that needs admin powers (including modifying UAC behaviour settings). The limited user account will be prompted for the credentials of an admin and will also have access to disabling UAC, if he has provided proper credentials. The logic behind this would be that if you do have the admin credentials, you are granted access to the system as the administrator. I do, however, see the use of implementing a restriction for limited user accounts to disable or modify UAC behaviour settings even if they provide admin credentials.
February 9th, 2008 9:42pm

I would actually like to restrict access from all users on the PC (local admins included) from modifying the UAC behaviour. I understand how the 2-token login processing works, and this makes sense. Yet take for example the following: There exists a Group Policy which, when applied via an Active Directory domain, can disable the Windows Firewall. [See Computer Configuration --> Administrative Templates --> Network --> Network Connections --> Windows Firewall --> (Domain / Standard) Profile --> Windows Firewall: Protect all network connections.] When this Group Policy is set to Disabled, no users on the PC (admin or user) can change the firewall settings. From an enterprise level, this makes great sense if there is a separate 3rd party enterprise firewall being deployed to the PCs and configured. In the same way, I am trying to figure out if it is possible to configure a Vista computer to utilize UAC, and make sure nobody can turn it back off. I believe from an enterprise security perspective, a domain Group Policy that would fulfill this requirement of enforcing the use of UAC would be extremely beneficial. Thoughts?
February 26th, 2008 1:42am

I too am looking to enforce UAC across my domain. Surprisingly, I have been unable to find a group policy to enforce UAC. The closest thing I came to was using a batch file and having it run each time the computer starts. The following batch file code will accomplish this:

reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f

You can't create a Group Policy preference for this either, since a preference is only applied once, and so the user could just disable it again. I'd like to avoid using a batch file for this if possible. Does anyone else have any other way to enforce UAC using Group Policies alone without batch files? Thanks.
July 30th, 2008 2:42am

Aakash, Other than threatening the users who have admin accounts with 'great bodily harm' I don't think there is any way to accomplish this. You might want to implement a company wide policy that anyone with an admin account who does change this setting will have their logon demoted to a 'Standard User' account for 30 days. Sometimes you just need to use a bigger stick. Ronnie Vernon, Microsoft MVP, Windows Desktop Experience
August 2nd, 2008 2:48am

Hi, Under computer configuration > Windows settings > Security settings > Local Policies > Security Options > Scroll down to "User account control" and configure the default behaviour for both administrators and standard users.
August 2nd, 2008 4:45pm

Ronnie: That should go over pretty well. It'll be my stress reliever.

YounGun: I applied the following settings:
User Account Control: Admin Approval Mode for the Built-in Administrator account: Enabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode: Prompt for consent
User Account Control: Run all administrators in Admin Approval Mode: Enabled
Unfortunately, this still doesn't prevent the user from disabling it using the Control Panel, msconfig or directly through the registry. I also verified via rsop.msc that these settings are being successfully applied, so that's not an issue either. Is there anything else I need to enable or that I am missing? Thanks.
August 7th, 2008 5:35am

Hi, No there isn't. You simply have to run people on standard user accounts so they can't disable UAC.
August 8th, 2008 1:09pm

YounGun: Ok, thanks for confirming this. Do you know if this support is planned for a future update? I know I won't be able to make all of the users non-administrators anytime soon, and so this support would be very useful when we deploy Vista. Just curious, do you know why this feature was not set up to be enforceable like many of the other policies? Thanks.
August 14th, 2008 6:01am

Hi, I'll try to find out and I'll get back to you.
August 14th, 2008 9:51am

Hi, I just got word back from the UAC Product Group and they say that if a user has local administrator privileges, he will be able to temporarily modify UAC-related settings until the policy is re-applied after the given time interval. The question is, why can't you run everyone with standard user? What exactly is not allowing you to do so?
August 18th, 2008 10:30am

Thanks for getting back to me. You mentioned that after a specific time interval, the GP settings will be re-applied to enforce UAC. This was not what I experienced in my testing. The local admin was able to disable UAC through the Control Panel, restart the computer, and UAC was disabled from that point forward regardless of the settings I had deployed via GP.

The development team in our organization has a few in-house programs that help the users do their jobs. These programs are updated every few days. The updates require that the programs be reinstalled for each update (it's the way the development team created these programs). So, to accomplish this, our users need admin access to update these in-house programs.

For a few computers that were available to multiple users in an open setting, we found a workaround using scheduled tasks that used the saved credentials of a new update domain account we created for this purpose that is a local admin. The users, who only had user level permissions on this computer, would then run a batch file that in turn runs the scheduled task. If I recall correctly, Vista allows us to schedule tasks using GP now, so we may consider using this approach for these computers in open areas.

But, we then get to the next issue: users are used to having admin access and used to installing programs on their computer if they want to. Also, management has requested that admin access be provided to most of our users. So, getting away from this method is still going to take time in convincing management. Until then, users need to be kept as local admins of their computer. While I realize that this setup doesn't guarantee the best security, we have been able to work around this by enforcing specific computer settings and firewall settings through GP.

With these approaches, local admins were unable to make changes to settings enforced via GP through the standard Windows interface (we'll ignore other more devious ways that users can potentially get around this). This is why I am looking for a method to enforce UAC on the computers. We will definitely attempt to educate our users in the advantages of UAC, but some may decide to still disable it, and we would like to prevent this.
August 18th, 2008 10:55am

Hi, I will pass your feedback to the PG. If you think about it, having UAC turned on and being an admin is not really an accomplishment. What you could do, to minimize the security risk, is to set UAC to automatically elevate. That way, the users aren't seeing any prompts, so they are not tempted to disable UAC but still, you get to keep the benefits of Protected-Mode IE.
August 18th, 2008 9:22pm

"If you think about it, having UAC turned on and being an admin is not really an accomplishment. What you could do, to minimize the security risk, is to set UAC to automatically elevate. That way, the users aren't seeing any prompts, so they are not tempted to disable UAC but still, you get to keep the benefits of Protected-Mode IE."

You make an interesting point. However, I was also hoping to use UAC so that users are informed when an installation is about to occur. My understanding with UAC is that if a program attempts to install itself and the UAC prompt appears, only the user is allowed to continue the installation because of Secure Desktop vs a background process. Of course this depends on the end user so this is nowhere near a perfect solution. But, my goal was to educate users so that basically they think twice if they see the UAC prompt when they tried to open a picture or a Word file for instance. Please correct me if my understanding of UAC is incorrect. Thanks.
August 19th, 2008 1:30am

Hi, Yes, the installation can occur only after the user has approved it. I wrote about UAC, mandatory integrity control, and user interface privilege isolation here. However, in a corporate environment, the recommended setup is that all the users are on standard accounts, elevation for standard accounts is not allowed (not even prompt for credentials), and everything gets installed from a central location using something like SMS. What I was suggesting was something in the middle. Because, in your situation, being able to enforce UAC wouldn't really have helped, because people are running with admin accounts. Yes, you could educate them, but I seriously doubt you can teach them the difference between a good program and a bad program (if there is such a thing). If I were you, I would try to control what sites they are allowed to visit, either by using Content Advisor or a HOSTS file. Also, you should cover yourself by explaining to management what risks running everyone on administrator involves and also what consequences can follow.
August 19th, 2008 10:18am

Thanks for the info. I agree with you and will probably take the "automatically elevate" route to keep IE protected mode, or try to convince management to keep everyone as users. For filtering, I am looking into using the OpenDNS DNS servers for the few computers that are in public environments to prevent them from getting on to bad sites. I work at a university, so a certain level of openness is required and so we can't do aggressive filtering. Thanks.
August 19th, 2008 9:49pm

Hi! In an earlier post, you mentioned that the product group informed you that the UAC enforcement would re-apply at the GP refresh interval. However, this is not what I experienced. Can you verify what GP settings the product group used to have UAC automatically re-enforce itself? Thanks.
August 21st, 2008 11:32pm

Hi, I will, and I'll get back to you.
August 21st, 2008 11:50pm

Hello, I am also trying to find a way to keep UAC on at all times. I have seen the behavior that after a GP re-apply UAC is back on, but only after a re-apply of GP and a reboot. I am looking at and briefly tested adding a GP shutdown script to set UAC on. The main advantage to a shutdown script is that to turn off UAC a reboot is needed. On reboot the shutdown script sets UAC back on before it ever turns off. I set the shutdown script with these values:

Script Name: C:\Windows\System32\reg.exe
Script Parameters: ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f

Still not sure that this is the correct way to handle this. This way can be defeated by removing the shutdown script from the group policy registry section so it is not perfect. I too would like to have the option to lock out all users. Scott
August 28th, 2008 9:39pm
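The batch and shutdown-script approaches above re-set a single value, EnableLUA. The added example below (written for this page; it is not code from any poster in the thread) does the same job as a PowerShell script suitable for a GP startup/shutdown script or a scheduled task running as SYSTEM, but covers the full set of registry values that the "User Account Control" security options map to, reports which ones drifted, and returns whether the change needs a reboot. It assumes PowerShell 2.0 or later and elevated execution; the event source name 'UACEnforce' is an assumed name that must be created once. The caveat raised in the thread still holds: a local administrator can change the values again or remove the script, so this shortens the window of drift rather than closing it.

```powershell
# Added example, not from the original thread: audit and re-apply the UAC
# registry values behind the GP "User Account Control" security options.
# Assumes PowerShell 2.0+ running elevated (SYSTEM via GP script or scheduled task).

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Desired baseline. Meanings of these REG_DWORD values:
#   EnableLUA                  1 = UAC on (only takes effect after a reboot)
#   ConsentPromptBehaviorAdmin 2 = prompt admins for consent on the secure desktop
#                              0 = elevate without prompting (the "auto-elevate"
#                                  middle ground suggested earlier in the thread)
#   ConsentPromptBehaviorUser  1 = prompt standard users for admin credentials
#                              0 = automatically deny elevation for standard users
#   PromptOnSecureDesktop      1 = show elevation prompts on the secure desktop
#   FilterAdministratorToken   1 = Admin Approval Mode for the built-in Administrator
$Baseline = @{
    EnableLUA                  = 1
    ConsentPromptBehaviorAdmin = 2
    ConsentPromptBehaviorUser  = 1
    PromptOnSecureDesktop      = 1
    FilterAdministratorToken   = 1
}

function Get-UacDrift {
    # Returns one object per baseline value that is missing or differs.
    param([hashtable]$Expected = $Baseline)
    $current = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $actual = $null
        if ($current -ne $null -and $current.PSObject.Properties[$name]) {
            $actual = [int]$current.$name
        }
        if ($actual -ne $Expected[$name]) {
            New-Object PSObject -Property @{
                Name     = $name
                Expected = $Expected[$name]
                Actual   = $actual
            }
        }
    }
}

function Restore-UacBaseline {
    # Re-applies every drifted value. Returns $true when EnableLUA was changed,
    # because that value (unlike the prompt behaviours) needs a reboot to apply.
    param([hashtable]$Expected = $Baseline)
    $rebootNeeded = $false
    if (-not (Test-Path $UacKey)) { New-Item -Path $UacKey -Force | Out-Null }
    foreach ($drift in @(Get-UacDrift -Expected $Expected)) {
        Set-ItemProperty -Path $UacKey -Name $drift.Name -Value $drift.Expected -Type DWord
        Write-Output ('UAC value {0} was {1}, reset to {2}' -f $drift.Name, $drift.Actual, $drift.Expected)
        if ($drift.Name -eq 'EnableLUA') { $rebootNeeded = $true }
    }
    return $rebootNeeded
}

# Script entry point: report drift, enforce the baseline, and leave a trace in
# the Application log so tampering shows up in central log collection.
$drift = @(Get-UacDrift)
if ($drift.Count -eq 0) {
    Write-Output 'UAC settings match baseline.'
} else {
    $changedEnableLUA = Restore-UacBaseline
    $msg = 'UAC drift corrected: ' + (($drift | ForEach-Object { $_.Name }) -join ', ')
    if ($changedEnableLUA) { $msg += ' (EnableLUA changed; effective after reboot)' }
    # Assumed event source; create it once with:
    #   New-EventLog -LogName Application -Source 'UACEnforce'
    try {
        Write-EventLog -LogName Application -Source 'UACEnforce' -EntryType Warning `
            -EventId 1000 -Message $msg -ErrorAction Stop
    } catch {
        Write-Output ('Could not write event log: ' + $_.Exception.Message)
    }
    Write-Output $msg
}
```

Deploy it the same way Scott deployed reg.exe (Computer Configuration > Windows Settings > Scripts > Shutdown, or Startup), or as a scheduled task at logon. To take Victor's "automatically elevate" route instead, change ConsentPromptBehaviorAdmin in the baseline to 0; everything else stays the same. Because this only runs at fixed points, a user who disables UAC and reboots still gets one session without it unless the script runs at shutdown, which is the reason the shutdown-script placement discussed above is the better fit.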

Scott: I tried that approach earlier, and for some reason, it made my shutdown times excessive, so I skipped that approach. Did you experience the same problem? I applied this through GP by creating a shutdown script with the snippet you have above.
August 28th, 2008 9:46pm

Hi Aakash, I did the first time I tried but I was using the command line found in the msconfig utility:

C:\Windows\System32\cmd.exe /k C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f

Once I dropped the "C:\Windows\System32\cmd.exe /k" from the command I no longer had any slowness on shutdown. Scott
August 28th, 2008 10:04pm

Hey Scott: I too was using the entry from msconfig. Thanks for letting me know about how to fix the slow shutdown problem. Hopefully Victor will have some more information from the UAC product team on having UAC automatically re-enable upon a GP refresh.
August 28th, 2008 11:03pm
