Disable UAC as oppoed to similar Group Policy?

Hi,

With UAC there's a local option to disable it in CP, but if you look at
local GP, there are different components that make up UAC and you can
control them on a granular basis.

My question is this:

1. If I disable UAC on the local machine, will it automatically set all
local group policies to the disabled state?

2. If I set all UAC group policies to disabled on a domain joined box,
will UAC actually be "Off" at that point (as in #1) or will it still be
"On" but not doing much?

3. If I disable UAC in CP, but set a domain GP to enforce all components
to be enabled, will it then make UAC come back on again?

I'm also interested to know which service/process controls UAC and the
filtered token, which of the above strategies would KILL the filtered
token completely?

--
Gerry Hickman (London UK)

Thanks Jimmy,

This is helpful! Especially the "big daddy" clarification

Jimmy Brush wrote:
>> 1. If I disable UAC on the local machine, will it automatically set all
>> local group policies to the disabled state?
>
> No. The UAC checkbox in the users control panel and msconfig simply changes
> the group policy setting for admin approval mode for administrators group.
> This is the "big daddy" group policy setting that turns everything on or off.
> Most of the other settings simply control how UAC behaves when this setting
> is enabled.
>
>> 2. If I set all UAC group policies to disabled on a domain joined box,
>> will UAC actually be "Off" at that point (as in #1) or will it still be
>> "On" but not doing much?
>
> The enable admin approval mode for administrators group group policy entry
> turns UAC on or off.
>
>> 3. If I disable UAC in CP, but set a domain GP to enforce all components
>> to be enabled, will it then make UAC come back on again?
>
> Sounds about right.
>
>> I'm also interested to know which service/process controls UAC and the
>> filtered token, which of the above strategies would KILL the filtered
>> token completely?
>
> I think UAC is part of the Windows OS and not an "add on" like a system
> service, although I may be wrong on this point.
>
> - JB


--
Gerry Hickman (London UK)

>> 3. If I disable UAC in CP, but set a domain GP to enforce all
components
>> to be enabled, will it then make UAC come back on again?
>
> Sounds about right.

There is a solution for this, a NT Service that keeps the UAC setting
off..

you can find it at 'http://blog.halan.se' (http://tinyurl.com/yplw8w)


--
dannyCage
Posted via http://www.vistaheads.com