
If you have been using Windows Vista or Server 2008 I am positive you have already seen the User Account Control in action.


The UAC was created to help control unauthorized changes to your computer. It does that by either asking you for permission for certain actions or prompting for elevated credentials.
By having to verify these actions before they execute it should keep machines safe from malware and spyware that would in the past install silently.
UAC has actually become one of the biggest complaints about Vista being "unfriendly" to the average user. Too bad the average user was also the one complaining about how their Windows systems were getting hijacked without their knowledge when they downloaded any number of "free" things off the net.
Security always comes at a price and for UAC that price is a slightly annoying prompt.
Some of the downsides of course are that so many things are prompted for that users might become "prompt" blind and just click OK without reading what was actually triggering the User Account Control. This, of course, would be that same average user who will also be calling you about the 200 pop up ads on their screen every time they open Internet Explorer.
Now you could disable UAC and let the users out on their own, but I don't believe this is really a good option for a lot of reasons. Before you go the disable route, let's go in and take a closer look at your ability to modify the way UAC works through Local or Group policy.
Managing User Account Control
I am going to use the Local Security Policy to modify the UAC settings as more than likely you will only want to do this on specific machines. But if you want to do this on a mass scale you can also use Group Policies to push them out to all the machines.
1. Start the Local Security Policy MMC by clicking on Start, Administrative Tools, then Local Security Policy
2. Next expand Local Policies, click on Security Options and scroll to the bottom of the main pane and you will find all the User Account Control settings you can manage.
Let's go through these one at a time and take a look at the different settings and how you might use them.
Admin Approval Mode for the Built-in Administrator account:
This option only has two settings, either Enabled or Disabled (Default). When Enabled the built-in Administrator account will logon in Admin Approval mode and any operation that needs elevation will cause a Permit or Deny prompt. When Disabled the built-in Administrator will use XP compatibility mode and no prompts will be used when an application needs elevated credentials.
Allow UIAccess applications to prompt for elevation without using the secure desktop:
This setting will mostly be used for remote assistance scenarios. When this is Disabled (default) and you are helping someone remotely and a UAC prompt is triggered it is sent to what is called a "secure" desktop. Remote users are paused during this and will not see the UAC prompt until the local user takes action on this. If you Enable this setting the prompt will be sent to the interactive desktop and the remote user will see it and be able to take action.
Behavior of the elevation prompt for administrators in Admin Approval Mode:
This setting will select what kind of prompt will be shown for Administrators when working with UAC. There are three options for this setting: Prompt for consent (Default), Prompt for credentials, or Elevate without prompting. Prompt for consent will send up a Permit or Deny pop up that the user can choose, while the Prompt for credentials will ask for user name and password to proceed. I do not recommend using the Elevate without prompting as it will just process the command no matter what elevation is needed.
Behavior of the elevation prompt for standard users:
This setting controls the UAC prompt for standard users and you have two choices: Prompt for credentials (Default for home) and Automatically deny elevation requests (Default for Enterprise). Be careful if this is set for Automatically deny elevation requests because when offering remote assistance to the user you lose the ability to easily elevate processes with your credentials.
Detect application installations and prompt for elevation:
This has two settings, either Enabled (Default for home) or Disabled (Default for Enterprise). This setting will detect when a program is being installed and trigger an elevation prompt when enabled. If you are in an environment where your application installations are controlled through Group Policy or another mechanism you would want to keep this disabled.
Only elevate executables that are signed and validated:
This setting will check to see if the executable has a signed PKI certificate in the Trusted Publisher Store before elevating; if it does not, it will not run. By default this setting is Disabled.
Only Elevate UIAccess applications that are installed in secure locations:
This setting is Enabled by default and will make sure that any application that requests execution with a UIAccess integrity level must reside in a secure location on the file system. These locations are:
..\Program Files\, including subdirectories
..\Windows\system32\
..\Program Files (x86)\, including subdirectories (64-bit systems)
If the application is not launched from one of those locations it will not run unless this setting is disabled.
Run all administrators in Admin Approval Mode:
Enabled by default, this is the setting I can maybe see disabling if you are an Administrator and tire of being prompted for everything. By disabling it you would no longer be treated as a standard user by UAC. Just remember that being an Administrator does not make you impervious to malware and disabling this will cause the system to be less secure. You will also see a warning in the Security Center if this is disabled noting that overall security is lowered.
Switch to the secure desktop when prompting for elevation:
Ever see the screen go all grey/black when you get a UAC prompt and you can't do anything else until you answer? You have just witnessed the secure desktop in action. This setting by default is set to Enable, but if for some reason you are having issues because of it then you can disable it.
Virtualizes file and registry write failures to per-user locations:
Some legacy applications would directly interact with certain parts of the file system and registry. In Vista/Server 2008 this access is restricted so these applications can fail. This setting will enable a compatibility redirection for these applications so they can still run. It will not work for every application, but can help. The default for this setting is enabled.
You have now seen all the configurations available for UAC in Vista and Server 2008. Notice they can be divided into two groups: things that will trigger UAC or how it acts, and how the prompt is presented to the user.
I strongly feel that between all these options you can configure them in a way that will keep your users protected and minimize the inconvenience to them without disabling it.
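
One way to see where a machine stands against the defaults listed above, as an added example that is not part of the original article. The registry value names and data are the Vista / Server 2008 encoding of these policies and do not appear in the article; the sample values are constructed, and the two settings whose default differs between home and Enterprise are left out.

```powershell
# Added example, not from the article. Value names and data are the
# Vista / Server 2008 registry encoding of the policies described above.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value, the default the article states, and the policy it backs.
$UacDefaults = @(
    @{ Name = 'FilterAdministratorToken';    Default = 0; Policy = 'Admin Approval Mode for the Built-in Administrator account' }
    @{ Name = 'EnableUIADesktopToggle';      Default = 0; Policy = 'Allow UIAccess applications to prompt without the secure desktop' }
    @{ Name = 'ConsentPromptBehaviorAdmin';  Default = 2; Policy = 'Elevation prompt for administrators (0 = no prompt, 1 = credentials, 2 = consent)' }
    @{ Name = 'ValidateAdminCodeSignatures'; Default = 0; Policy = 'Only elevate executables that are signed and validated' }
    @{ Name = 'EnableSecureUIAPaths';        Default = 1; Policy = 'Only elevate UIAccess applications installed in secure locations' }
    @{ Name = 'EnableLUA';                   Default = 1; Policy = 'Run all administrators in Admin Approval Mode' }
    @{ Name = 'PromptOnSecureDesktop';       Default = 1; Policy = 'Switch to the secure desktop when prompting for elevation' }
    @{ Name = 'EnableVirtualization';        Default = 1; Policy = 'Virtualize file and registry write failures to per-user locations' }
)

function Get-UacPolicyReport {
    # -Values takes a hashtable of value name -> data; omit it to read the live registry.
    param([hashtable]$Values)
    if ($null -eq $Values) {
        $Values = @{}
        $props = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
        foreach ($d in $UacDefaults) {
            if ($props -and $null -ne $props.($d.Name)) { $Values[$d.Name] = $props.($d.Name) }
        }
    }
    foreach ($d in $UacDefaults) {
        $current = $Values[$d.Name]
        if ($null -eq $current)          { $state = 'not set' }
        elseif ($current -eq $d.Default) { $state = 'default' }
        else                             { $state = 'CHANGED' }
        # The two changes the article singles out as lowering security:
        # disabling Admin Approval Mode for all admins, and elevating silently.
        if ($current -eq 0 -and ('EnableLUA', 'ConsentPromptBehaviorAdmin') -contains $d.Name) {
            $state = 'WEAKENED'
        }
        New-Object PSObject -Property @{
            State = $state; Value = $d.Name; Current = $current; Default = $d.Default; Policy = $d.Policy
        }
    }
}

# Constructed sample: prompts silenced for administrators, secure desktop off.
$sample = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
Get-UacPolicyReport -Values $sample | Format-Table State, Value, Current, Default -AutoSize
```

Calling Get-UacPolicyReport with no arguments from an elevated PowerShell prompt reads the live values instead of the sample.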
Disable UAC
That being said, I am still going to show you a quick and easy way to disable UAC on both Windows Vista and Server 2008. This is not the only way to do it, there are a few others, but this will get the job done and you can also enable UAC in the same location.
1. Click on Start, in the search line type MSCONFIG and hit enter.
2. Click on the Tools tab, scroll down until you see Disable UAC, and then click Launch.
3. After a second a command window will pop up saying "The operation completed successfully." Close the window and reboot your machine.
If you want to re-enable it just do the same but choose Enable UAC in step 2.
Summary
When I first started using Vista I was pretty annoyed at the UAC prompts but over a year later, I am so used to them that I just quickly glance at what initiated it and move on.
If you must modify the default behavior hopefully this article will help you formulate a compromise that will still keep your systems secure.
