Is UAC needed for Standard Users?
In our XP environment, our users are ‘standard users’, only a few are local administrators. In our migration to Windows 7, is it OK to turn off UAC for users who are only 'standard users'? Folks who are local administrators on their machines, use UAC. UAC essentially creates two identities, one as a ‘standard user’ and one as an administrator. By default, you use the system as a standard user until you try to make a change that requires administrator permissions. An administrator level change will prompt the UAC to confirm the change. My understanding is that for ‘standard users’ who cannot make administrator type changes, having the UAC off is OK. But, I want to confirm this understanding.
July 22nd, 2010 12:53am

In message <2104ecae-0c8f-4619-b029-e0f773cb90b4@communitybridge.codeplex.com> rosenstc was claimed to have wrote: In our XP environment, our users are standard users, only a few are local administrators.  In our migration to Windows 7, is it OK to turn off UAC for  users who are only 'standard users'?  Folks who are local administrators on their machines, use UAC.  UAC essentially creates two identities, one as a standard user and one as an administrator.  By default, you use the system as a standard user until you try to make a change that requires administrator permissions.  An administrator level change will prompt the UAC to confirm the change. My understanding is that for standard users who cannot make administrator type changes, having the UAC off  is OK.  But, I want to confirm this understanding. The primary UI advantage UAC may offer for standard users is that it's easier to elevate, applications can popup and request administrative credentials rather than simply being denied access. Underneath, UAC is also responsible for file system and registry virtualization. This is what allows poorly written applications that attempt to write to "System" areas of the disk (C:\Program Files, C:\Windows, etc) to function when run as a limited user. These applications are fewer and further but they do still exist. You'll also find oddball applications that rely on UAC for other reasons, several releases of Adobe Reader wouldn't install with UAC disabled, although I believe that particular issue finally got resolved. UAC can be turned off if needed, but honestly I wouldn't unless there is a compelling reason.
Free Windows Admin Tool Kit Click here and download it now
July 22nd, 2010 3:58am

In message <2104ecae-0c8f-4619-b029-e0f773cb90b4@communitybridge.codeplex.com> rosenstc was claimed to have wrote: In our XP environment, our users are standard users, only a few are local administrators.  In our migration to Windows 7, is it OK to turn off UAC for  users who are only 'standard users'?  Folks who are local administrators on their machines, use UAC.  UAC essentially creates two identities, one as a standard user and one as an administrator.  By default, you use the system as a standard user until you try to make a change that requires administrator permissions.  An administrator level change will prompt the UAC to confirm the change. My understanding is that for standard users who cannot make administrator type changes, having the UAC off  is OK.  But, I want to confirm this understanding. The primary UI advantage UAC may offer for standard users is that it's easier to elevate, applications can popup and request administrative credentials rather than simply being denied access. Underneath, UAC is also responsible for file system and registry virtualization. This is what allows poorly written applications that attempt to write to "System" areas of the disk (C:\Program Files, C:\Windows, etc) to function when run as a limited user. These applications are fewer and further but they do still exist. You'll also find oddball applications that rely on UAC for other reasons, several releases of Adobe Reader wouldn't install with UAC disabled, although I believe that particular issue finally got resolved. UAC can be turned off if needed, but honestly I wouldn't unless there is a compelling reason.
July 22nd, 2010 3:58am

Hi, I just performed a test and find that disable UAC with an administrator account will disable UAC for all the users on the local machine. The standard users cannot disable UAC. What I mean is that if you disable UAC for standard users, it will also disable UAC for the administrator users. Based on this point, I don’t recommend you disable UAC. Although UAC has no obvious effect on standard users, it does protect the system potentially. For more information about UAC, please read the following article: Inside Windows 7 User Account Control Regards, Arthur Li TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
July 22nd, 2010 6:10am

Hi, I just performed a test and find that disable UAC with an administrator account will disable UAC for all the users on the local machine. The standard users cannot disable UAC. What I mean is that if you disable UAC for standard users, it will also disable UAC for the administrator users. Based on this point, I don’t recommend you disable UAC. Although UAC has no obvious effect on standard users, it does protect the system potentially. For more information about UAC, please read the following article: Inside Windows 7 User Account Control Regards, Arthur Li TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 22nd, 2010 6:10am

UAC has indeed a very hidden effect which required me to enable it again and fight with all it's side effects - if it is off for standard users, the otherwise correctly configured the ActiveX Installer Service does no longer function. Best greetings from Germany Olaf
Free Windows Admin Tool Kit Click here and download it now
July 22nd, 2010 11:09am

UAC has indeed a very hidden effect which required me to enable it again and fight with all it's side effects - if it is off for standard users, the otherwise correctly configured the ActiveX Installer Service does no longer function. Best greetings from Germany Olaf
July 22nd, 2010 11:09am

In message <17f35de9-10bf-4643-9eb5-2d302e278ba8@communitybridge.codeplex.com> Arthur_Li [MSFT] was claimed to have wrote: Based on this point, I dont recommend you disable UAC. Although UAC has no effect on standard users. This is absolutely not true, UAC impacts standard users too in that they're not offered to elevate when a task requires elevation and instead simply denied access. Standard users would need to input a set of administrative credentials, but UAC makes it clear how to proceed when needed. Perhaps more importantly, the entire application virtualization functionality of recent Windows releases relies upon UAC.
Free Windows Admin Tool Kit Click here and download it now
July 22nd, 2010 10:07pm

In message <17f35de9-10bf-4643-9eb5-2d302e278ba8@communitybridge.codeplex.com> Arthur_Li [MSFT] was claimed to have wrote: Based on this point, I dont recommend you disable UAC. Although UAC has no effect on standard users. This is absolutely not true, UAC impacts standard users too in that they're not offered to elevate when a task requires elevation and instead simply denied access. Standard users would need to input a set of administrative credentials, but UAC makes it clear how to proceed when needed. Perhaps more importantly, the entire application virtualization functionality of recent Windows releases relies upon UAC.
July 22nd, 2010 10:07pm

The users in our corporation currently run Windows XP and are all 'standard users'. Their applications run fine without elevated privledges. So, we don't really need that. When testing these same legacy applications under Windows 7 and UAC turned on, we get a pop-up warning, "Do you want to allow the following program from an unkown publisher to make changes to this computer?"... This is annoying, and I know that I can create a task with a shortcut pointing to this task to bypass this message. But, I guess I'm still missing the compelling reason why we need to turn on UAC to allow standard users to be offered elevated permissions. One thing that may be compelling, is that we have had issues with standard users getting malware browsing the Internet... With UAC turned off, IE Protected Mode is also off. Does running IE8 in protected mode for 'standard users' provide better protection against malware?
Free Windows Admin Tool Kit Click here and download it now
July 22nd, 2010 11:57pm

The users in our corporation currently run Windows XP and are all 'standard users'. Their applications run fine without elevated privledges. So, we don't really need that. When testing these same legacy applications under Windows 7 and UAC turned on, we get a pop-up warning, "Do you want to allow the following program from an unkown publisher to make changes to this computer?"... This is annoying, and I know that I can create a task with a shortcut pointing to this task to bypass this message. But, I guess I'm still missing the compelling reason why we need to turn on UAC to allow standard users to be offered elevated permissions. One thing that may be compelling, is that we have had issues with standard users getting malware browsing the Internet... With UAC turned off, IE Protected Mode is also off. Does running IE8 in protected mode for 'standard users' provide better protection against malware?
July 22nd, 2010 11:57pm

Hi, When talking about elevating privilege, I support Dave J Warren’s opinion. Internet Explorer protected mode is a feature that makes it more difficult for malicious software to be installed on your computer. In addition to helping protect your computer from malicious software, protected mode allows you to install wanted ActiveX controls or add-ons when you are logged in as an administrator. For more information, please refer to the following link: http://windows.microsoft.com/en-US/Windows7/What-does-Internet-Explorer-protected-mode-do Regards, Arthur Li TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
July 23rd, 2010 8:06am

Hi, When talking about elevating privilege, I support Dave J Warren’s opinion. Internet Explorer protected mode is a feature that makes it more difficult for malicious software to be installed on your computer. In addition to helping protect your computer from malicious software, protected mode allows you to install wanted ActiveX controls or add-ons when you are logged in as an administrator. For more information, please refer to the following link: http://windows.microsoft.com/en-US/Windows7/What-does-Internet-Explorer-protected-mode-do Regards, Arthur Li TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 23rd, 2010 8:06am

Hi, Another blog blow can explain the importance of protected mode. Protected mode works as a sandbox. Disable protected mode for standard user, the system will be in danger. If you disable UAC, protected mode will be disabled. I would like to say UAC is also important for standard users. http://blogs.msdn.com/b/ieinternals/archive/2009/12/01/understanding-internet-explorer-security-protected-mode-elevation-dialog.aspx Regards, Arthur Li TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
July 23rd, 2010 11:53am

Hi, I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help. Regards, Arthur Li TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com.Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 26th, 2010 4:49am

Based on your comments, I think I will deploy our new workstations to our 'standard users' with UAC turned on to the default level as a safeguard. The protected mode in IE is probably the most compelling reason as I would like users to at least get a warning prior to some malware like the FAKE-AV trojan gets installed. Thanks for all of your input. Chris
Free Windows Admin Tool Kit Click here and download it now
July 26th, 2010 6:36pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics