Disable UAC for all admins (not just for the SID -500 Administrator)but enable it for Standard Users

Discussion in 'Windows Vista Administration' started by Thorsten Butz, Oct 16, 2007.

  1. I want to achieve, that administrative accounts are completely free,
    they shall not be restricted by UAC.
    I can do that for the Root-Administrator-Account, the one with the -500
    SID. But I want to free "john doe", if he is Domain Administrator.

    "Elevate without prompting" is not adequate, because programs that do
    not force an elevation of rights ("asInvoker") would run with the
    stripped down token.

    So, why can't I do that? Or: how? Any ideas?

    Thanks Thorsten
     
    Thorsten Butz, Oct 16, 2007
    #1
    1. Advertisements

  2. Hello Thorsten,

    Thank you for using newsgroup!

    As far as I know, by default the built-in Administrator account is not
    being controlled by UAC. However, we can modify the following local
    security policy to enable UAC for built-in Administrator account:
    Computer Configuration\Windows Settings\Security Settings\Local
    Policies\Security Options\User Access Control: Admin Approval Mode for the
    Built-in Administrator account

    We cannot enable/disable UAC for any other particular user accounts. It is
    by design behavior in Windows Vista.

    Thanks & Regards,

    Ken Zhao

    Microsoft Online Support
    Microsoft Global Technical Support Center

    Get Secure! - www.microsoft.com/security <http://www.microsoft.com/security>
    ====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Ken Zhao [MSFT], Oct 17, 2007
    #2
    1. Advertisements

  3. Hello Ken!

    17.10.2007 05:51, Ken Zhao [MSFT]s Mail:
    You are partially right: the built-in Admin account ist not controlled
    by UAC (by default).

    Configuring the gpo-setting above is equal to disabling the UAC
    completely. The setting's caption is unclear/mistakeble: you do not
    disable the UAC for admins, you do disable the UAC at all, Standard
    users are no longer controlled by UAC, too.

    Thorsten
     
    Thorsten Butz, Oct 17, 2007
    #3
  4. Sorry, i made a mistake reading your reply:
    I thought of this setting (but you didnt mention this one):

    "User Account Control: Run all administrators in Admin Approval Mode"

    This is the setting that I focussed on. I can not understand, why this
    "design" was chosen. I want to enable UAC for standard users, and
    disabled it for any administrative account, not just the built-in.

    Thorsten

    17.10.2007 05:51, Ken Zhao [MSFT]s Mail:
     
    Thorsten Butz, Oct 17, 2007
    #4
  5. Hi Thorsten,

    Thanks for your reply and this is by design behavior in Windows Vista. I do
    understand your concerns. From my point of view, I understand your feeling
    and how frustrated when you find that our product cannot meet your needs.
    So, it is my pleasure to help you to reflect your recommendation to the
    proper department for their consideration.

    In addition, please feel free to submit your suggestion on our product to
    the following link. Our Product Group reviews the suggestions submitted by
    our customers. Your feedback is valuable for us to improve our products and
    increase the level of service provided.

    https://support.microsoft.com/common/survey.aspx?scid=sw;en;1208&showpage=1&
    ws=search

    Thanks & Regards,

    Ken Zhao

    Microsoft Online Support
    Microsoft Global Technical Support Center

    Get Secure! - www.microsoft.com/security <http://www.microsoft.com/security>
    ====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Ken Zhao [MSFT], Oct 18, 2007
    #5
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.