Is UAC needed for Standard Users?
In our XP environment, our users are ‘standard users’, only a few are local administrators. In our migration to Windows
7, is it OK to turn off UAC for users who are only 'standard users'?
Folks who are local administrators on their machines, use UAC. UAC essentially creates two identities, one as a ‘standard user’
and one as an administrator. By default, you use the system as a standard user until you try to make a change that requires administrator permissions. An administrator level change will prompt the UAC to confirm the change.
My understanding is that for ‘standard users’ who cannot make administrator type changes, having the UAC off is OK.
But, I want to confirm this understanding.
July 22nd, 2010 12:53am
In message
<2104ecae-0c8f-4619-b029-e0f773cb90b4@communitybridge.codeplex.com>
rosenstc was claimed to have wrote:
In our XP environment, our users are standard users, only a few are local administrators. In our migration to Windows 7, is it OK to turn off UAC for
users who are only 'standard users'?
Folks who are local administrators on their machines, use UAC. UAC essentially creates two identities, one as a standard user and one as an administrator. By default, you use the system as a standard user until you try to make a change that requires
administrator permissions. An administrator level change will prompt the UAC to confirm the change.
My understanding is that for standard users who cannot make administrator type changes, having the UAC off is OK. But, I want to confirm this understanding.
The primary UI advantage UAC may offer for standard users is that it's
easier to elevate, applications can popup and request administrative
credentials rather than simply being denied access.
Underneath, UAC is also responsible for file system and registry
virtualization. This is what allows poorly written applications that
attempt to write to "System" areas of the disk (C:\Program Files,
C:\Windows, etc) to function when run as a limited user. These
applications are fewer and further but they do still exist.
You'll also find oddball applications that rely on UAC for other
reasons, several releases of Adobe Reader wouldn't install with UAC
disabled, although I believe that particular issue finally got resolved.
UAC can be turned off if needed, but honestly I wouldn't unless there is
a compelling reason.
Free Windows Admin Tool Kit Click here and download it now
July 22nd, 2010 3:58am
In message
<2104ecae-0c8f-4619-b029-e0f773cb90b4@communitybridge.codeplex.com>
rosenstc was claimed to have wrote:
In our XP environment, our users are standard users, only a few are local administrators. In our migration to Windows 7, is it OK to turn off UAC for
users who are only 'standard users'?
Folks who are local administrators on their machines, use UAC. UAC essentially creates two identities, one as a standard user and one as an administrator. By default, you use the system as a standard user until you try to make a change that requires
administrator permissions. An administrator level change will prompt the UAC to confirm the change.
My understanding is that for standard users who cannot make administrator type changes, having the UAC off is OK. But, I want to confirm this understanding.
The primary UI advantage UAC may offer for standard users is that it's
easier to elevate, applications can popup and request administrative
credentials rather than simply being denied access.
Underneath, UAC is also responsible for file system and registry
virtualization. This is what allows poorly written applications that
attempt to write to "System" areas of the disk (C:\Program Files,
C:\Windows, etc) to function when run as a limited user. These
applications are fewer and further but they do still exist.
You'll also find oddball applications that rely on UAC for other
reasons, several releases of Adobe Reader wouldn't install with UAC
disabled, although I believe that particular issue finally got resolved.
UAC can be turned off if needed, but honestly I wouldn't unless there is
a compelling reason.
July 22nd, 2010 3:58am
Hi,
I just performed a test and find that disable UAC with an administrator account will disable UAC for all the users on the local machine. The standard
users cannot disable UAC. What I mean is that if you disable UAC for standard users, it will also disable UAC for the administrator users.
Based on this point, I don’t recommend you disable UAC. Although UAC has no obvious effect on standard users, it does protect the system potentially.
For more information about UAC, please read the following article:
Inside Windows 7 User Account Control
Regards,
Arthur Li
TechNet Subscriber Support
in forum
If you have any feedback on our support, please contact
tngfb@microsoft.com.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
July 22nd, 2010 6:10am
Hi,
I just performed a test and find that disable UAC with an administrator account will disable UAC for all the users on the local machine. The standard
users cannot disable UAC. What I mean is that if you disable UAC for standard users, it will also disable UAC for the administrator users.
Based on this point, I don’t recommend you disable UAC. Although UAC has no obvious effect on standard users, it does protect the system potentially.
For more information about UAC, please read the following article:
Inside Windows 7 User Account Control
Regards,
Arthur Li
TechNet Subscriber Support
in forum
If you have any feedback on our support, please contact
tngfb@microsoft.com.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 22nd, 2010 6:10am
UAC has indeed a very hidden effect which required me to enable it again and fight with all it's side effects - if it is off for standard users, the otherwise correctly configured the ActiveX Installer Service does no longer function.
Best greetings from Germany
Olaf
Free Windows Admin Tool Kit Click here and download it now
July 22nd, 2010 11:09am
UAC has indeed a very hidden effect which required me to enable it again and fight with all it's side effects - if it is off for standard users, the otherwise correctly configured the ActiveX Installer Service does no longer function.
Best greetings from Germany
Olaf
July 22nd, 2010 11:09am
In message
<17f35de9-10bf-4643-9eb5-2d302e278ba8@communitybridge.codeplex.com>
Arthur_Li [MSFT] was claimed to have wrote:
Based on this point, I dont recommend you disable UAC. Although UAC has no effect on standard users.
This is absolutely not true, UAC impacts standard users too in that
they're not offered to elevate when a task requires elevation and
instead simply denied access. Standard users would need to input a set
of administrative credentials, but UAC makes it clear how to proceed
when needed.
Perhaps more importantly, the entire application virtualization
functionality of recent Windows releases relies upon UAC.
Free Windows Admin Tool Kit Click here and download it now
July 22nd, 2010 10:07pm
In message
<17f35de9-10bf-4643-9eb5-2d302e278ba8@communitybridge.codeplex.com>
Arthur_Li [MSFT] was claimed to have wrote:
Based on this point, I dont recommend you disable UAC. Although UAC has no effect on standard users.
This is absolutely not true, UAC impacts standard users too in that
they're not offered to elevate when a task requires elevation and
instead simply denied access. Standard users would need to input a set
of administrative credentials, but UAC makes it clear how to proceed
when needed.
Perhaps more importantly, the entire application virtualization
functionality of recent Windows releases relies upon UAC.
July 22nd, 2010 10:07pm
The users in our corporation currently run Windows XP and are all 'standard users'. Their applications run fine without elevated privledges. So, we don't really need that. When testing these same legacy applications under Windows 7 and UAC turned on,
we get a pop-up warning, "Do you want to allow the following program from an unkown publisher to make changes to this computer?"...
This is annoying, and I know that I can create a task with a shortcut pointing to this task to bypass this message. But, I guess I'm still missing the compelling reason why we need to turn on UAC to allow standard users to be offered elevated permissions.
One thing that may be compelling, is that we have had issues with standard users getting malware browsing the Internet... With UAC turned off, IE Protected Mode is also off.
Does running IE8 in protected mode for 'standard users' provide better protection against malware?
Free Windows Admin Tool Kit Click here and download it now
July 22nd, 2010 11:57pm
The users in our corporation currently run Windows XP and are all 'standard users'. Their applications run fine without elevated privledges. So, we don't really need that. When testing these same legacy applications under Windows 7 and UAC turned on,
we get a pop-up warning, "Do you want to allow the following program from an unkown publisher to make changes to this computer?"...
This is annoying, and I know that I can create a task with a shortcut pointing to this task to bypass this message. But, I guess I'm still missing the compelling reason why we need to turn on UAC to allow standard users to be offered elevated permissions.
One thing that may be compelling, is that we have had issues with standard users getting malware browsing the Internet... With UAC turned off, IE Protected Mode is also off.
Does running IE8 in protected mode for 'standard users' provide better protection against malware?
July 22nd, 2010 11:57pm
Hi,
When talking about elevating
privilege, I support Dave J Warren’s opinion.
Internet Explorer protected mode is a feature that makes it more difficult for malicious software to be installed on your computer.
In addition to helping protect your computer from malicious software, protected mode allows you to install wanted ActiveX controls or add-ons when you
are logged in as an administrator.
For more information, please refer to the following link:
http://windows.microsoft.com/en-US/Windows7/What-does-Internet-Explorer-protected-mode-do
Regards,
Arthur Li
TechNet Subscriber Support
in forum
If you have any feedback on our support, please contact
tngfb@microsoft.com.
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
July 23rd, 2010 8:06am
Hi,
When talking about elevating
privilege, I support Dave J Warren’s opinion.
Internet Explorer protected mode is a feature that makes it more difficult for malicious software to be installed on your computer.
In addition to helping protect your computer from malicious software, protected mode allows you to install wanted ActiveX controls or add-ons when you
are logged in as an administrator.
For more information, please refer to the following link:
http://windows.microsoft.com/en-US/Windows7/What-does-Internet-Explorer-protected-mode-do
Regards,
Arthur Li
TechNet Subscriber Support
in forum
If you have any feedback on our support, please contact
tngfb@microsoft.com.
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 23rd, 2010 8:06am
Hi,
Another blog blow can explain the importance of protected mode. Protected mode works as a sandbox. Disable protected mode for standard user, the system
will be in danger. If you disable UAC, protected mode will be disabled. I would like to say UAC is also important for standard users.
http://blogs.msdn.com/b/ieinternals/archive/2009/12/01/understanding-internet-explorer-security-protected-mode-elevation-dialog.aspx
Regards,
Arthur Li
TechNet Subscriber Support
in forum
If you have any feedback on our support, please contact
tngfb@microsoft.com.
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
July 23rd, 2010 11:53am
Hi,
I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will
be happy to help.
Regards,
Arthur Li
TechNet Subscriber Support
in forum
If you have any feedback on our support, please contact
tngfb@microsoft.com.Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 26th, 2010 4:49am
Based on your comments, I think I will deploy our new workstations to our 'standard users' with UAC turned on to the default level as a safeguard. The protected mode in IE is probably the most compelling reason as I would like users to at least
get a warning prior to some malware like the FAKE-AV trojan gets installed.
Thanks for all of your input.
Chris
Free Windows Admin Tool Kit Click here and download it now
July 26th, 2010 6:36pm