Home  Services   |   Hosting   |  Collocation   |  Application Hosting  |   Support  |  Helpful Links   |  Contact Us   |  Schedule Service Online

Today's News
Action for Windows users:
 
 

Windows User Account Control Step-by-Step Guide

This step-by-step guide provides the instructions necessary to use User Account Control (UAC) in a test environment.

This document is not intended to provide a comprehensive, detailed description of UAC. Additional resources include the following:

All users of this step-by-step guide will also be interested in Getting Started with User Account Control on Windows Vista (http://go.microsoft.com/fwlink/?LinkID=102562 ).

For additional information for IT professionals, see Understanding and Configuring User Account Control in Windows Vista (http://go.microsoft.com/fwlink/?LinkId=56402 ).

For information for developers and independent software vendors about how to develop applications for Windows Vista® or Windows Server® 2008, see The Windows Vista and Windows Server 2008 Developer Story: Windows Vista Application Development Requirements for User Account Control (UAC) (http://go.microsoft.com/fwlink/?LinkId=89654 ).

What is User Account Control?

User Account Control (UAC) is a new security component in Windows Vista. UAC enables users to perform common tasks as non-administrators, called standard users in Windows Vista, and as administrators without having to switch users, log off, or use Run As. A standard user account is synonymous with a user account in Windows XP. User accounts that are members of the local Administrators group will run most applications as a standard user. By separating user and administrator functions while enabling productivity, UAC is an important enhancement for Windows Vista.

 

Note:

 

UAC is also a component of Windows Server 2008.

When an administrator logs on to a computer running Windows Vista, the user is assigned two separate access tokens. Access tokens, which contain a user's group membership and authorization and access control data, are used by Windows® to control what resources and tasks the user can access. Before Windows Vista, an administrator account received only one access token, which included data to grant the user access to all Windows resources. This access control model did not include any failsafe checks to ensure that users truly wanted to perform a task that required their administrative access token. As a result, malicious software could install on users' computers without notifying the users. (This is sometimes referred to as "silent" installation.)

Even more damaging, because the user is an administrator, the malicious software could use the administrator's access control data to infect core operating system files and, in some instances, to become nearly impossible to remove.

The primary difference between a standard user and an administrator in Windows Vista is the level of access the user has over core, protected areas of the computer. Administrators can change system state, turn off the firewall, configure security policy, install a service or a driver that affects every user on the computer, and install software for the entire computer. Standard users cannot perform these tasks and can only install per-user software.

To help prevent malicious software from silently installing and causing computer-wide infection, Microsoft developed the UAC feature. Unlike previous versions of Windows, when an administrator logs on to a computer running Windows Vista, the user’s full administrator access token is split into two access tokens: a full administrator access token and a standard user access token. During the logon process, authorization and access control components that identify an administrator are removed, resulting in a standard user access token. The standard user access token is then used to start the desktop, the Explorer.exe process. Because all applications inherit their access control data from the initial launch of the desktop, they all run as a standard user as well.

After an administrator logs on, the full administrator access token is not invoked until the user attempts to perform an administrative task.

Contrasting with this process, when a standard user logs on, only a standard user access token is created. This standard user access token is then used to start the desktop.

 

Important:

 

Because the user experience can be configured with Group Policy, there can be different user experiences, depending on policy settings. The configuration choices made in your environment will affect the prompts and dialog boxes seen by standard users, administrators, or both.

Who should use this guide?

This guide is intended for the following audiences:

IT planners and analysts who are evaluating the product

Security architects who are responsible for implementing trustworthy computing

Administrators who need to control the behavior of UAC

Why use this guide?

The groups listed above should use this guide to test how their line-of-business (LOB) applications run in Windows Vista. Because UAC makes a clear distinction between administrator and standard user processes, some existing LOB applications might need to be either redesigned by the independent software vendor (ISV) or internal tools team, or marked to always run elevated.

In this guide

Requirements for User Account Control

Key scenarios for User Account Control

Scenario 1: Requesting an application to run elevated one time

Scenario 2: Marking an application to always run elevated

Scenario 3: Configure User Account Control

Logging bugs and feedback

Additional Resources

Requirements for User Account Control

We recommend that you first use the steps provided in this guide in a test environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Vista features without accompanying documentation (as listed in the Additional resources section), and should be used with discretion as a stand-alone document.

Setting up the test lab

The lab configuration needed for testing UAC includes a domain controller running Windows Server 2008 (or Windows Server® 2003) a member server running Windows Server 2008 (or Windows Server 2003), and a client computer running Windows Vista. The domain controller, member server, and the client computer should be on an isolated network and should be connected through a common hub or Layer 2 switch. Private addresses should be used throughout the test configuration.

Top of pageTop of page

Key scenarios for User Account Control

This guide covers the following scenarios for UAC:

Scenario 1: Request an application to run elevated one time

Scenario 2: Mark an application to always run elevated

Scenario 3: Configure User Account Control

 

 

Note:

 

The three scenarios included in this guide are intended to help administrators become familiar with the UAC feature of Windows Vista. They include the basic information and procedures administrators need to start using UAC. Information and procedures for advanced or customized UAC configurations are not included in this guide.

Top of pageTop of page

Scenario 1: Request an application to run elevated one time

In Windows Vista, UAC and its Admin Approval Mode are enabled by default. When UAC is enabled, local administrator accounts run as standard user accounts. This means that when a member of the local Administrators group logs on, they run with their administrative privileges disabled. This is the case until they attempt to run an application or task that has an administrative token. When a member of the local Administrators group attempts to start such an application or task, they are prompted to consent to running the application as elevated. Scenario 1 details the procedure to run an application or task as elevated one time.

 

Note:

 

To perform the following procedure, you must be logged into a client computer as a member of the local administrators group. You cannot be logged in with the computer (or built-in) administrator account because Admin Approval Mode does not apply to this account. (The built-in administrator account is disabled on new installations of Windows Vista.)

 

 

To request an application to run elevated one time

 

1.

Start an application that is likely to have been assigned an administrative token, such as Microsoft Windows Disk Cleanup. A User Account Control prompt is displayed.

2.

Verify that the details presented match the request you initiated.

3.

In the User Account Control dialog box, click Continue to start the application.

 

Top of pageTop of page

Scenario 2: Configure an application to always run elevated

Scenario 2 is similar to the previous scenario in that you want to run an application or process as elevated with the administrator access token. However, in this scenario you want to run an application that has not been marked by the developer or identified by the operating system as an administrative application. Some applications, such as internal line-of-business applications or non-Microsoft products might require administrative rights but have not been identified as such. In this scenario, you mark an application to prompt user for consent, and if granted, run as an administrative application. The following procedure steps you through that process.

 

Note:

 

To perform the following procedure, you must be logged into a client computer as a member of the local administrators group. You cannot be logged in with the computer (or built-in) administrator account because Admin Approval Mode does not apply to this account.

 

 

Important:

 

This procedure cannot be used to prevent UAC from prompting for consent to run an administrative application.

 

 

To configure an application to always run elevated

 

1.

Right-click an application that is not likely to have been assigned an administrative token, such as a word processing application.

2.

Click Properties, and then select the Compatibility tab.

3.

Under Privilege Level, select Run this program as an administrator, and then click OK.

 

Note:

 

If the Run this program as an administrator option is unavailable, it means that the application is blocked from always running elevated, the application does not require administrative credentials to run, the application is part of the current version of Windows Vista, or you are not logged into the computer as an administrator.

 

 

Top of pageTop of page

Scenario 3: Configure User Account Control

Scenario 3 outlines some common tasks that local administrators perform during the set up and configuration of client computers running Windows Vista. The following procedures step you through the tasks of turning off UAC, disabling Admin Approval Mode, disabling UAC from prompting for credentials to install applications, and changing the elevation prompt behavior.

 

Important:

 

Advanced configuration options for UAC are not available in Windows Vista Starter, Windows Vista Home Basic, or Windows Vista Home Premium.

Turning off UAC

Use the following procedure to disable UAC.

To perform the following procedure, you must be able to log on with or provide the credentials of a member of the local Administrators group.

 

Important:

 

Turning off UAC reduces the security of your computer and may expose you to increased risk from malicious software. We do not recommend leaving UAC disabled.

 

 

To turn off UAC

 

1.

Click Start, and then click Control Panel.

2.

In Control Panel, click User Accounts.

3.

In the User Accounts window, click User Accounts.

4.

In the User Accounts tasks window, click Turn User Account Control on or off.

5.

If UAC is currently configured in Admin Approval Mode, the User Account Control message appears. Click Continue.

6.

Clear the Use User Account Control (UAC) to help protect your computer check box, and then click OK.

7.

Click Restart Now to apply the change right away, or click Restart Later and close the User Accounts tasks window.

 

Disable Admin Approval Mode

Use the following procedure to disable Admin Approval Mode.

 

Note:

 

To perform the following procedure, you must be logged into a client computer as a local administrator.

 

 

Important:

 

This procedure is not supported on Windows Vista Starter, Windows Vista Home Basic, or Windows Vista Home Premium.

 

 

To disable Admin Approval Mode

 

1.

Click Start, click All Programs, click Accessories, click Run, type secpol.msc in the Open box, and then click OK.

2.

If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue..

3.

From the Local Security Settings console tree, double-click Local Policies, and then double-click Security Options.

4.

Scroll down and double-click User Account Control: Run all administrators in Admin Approval Mode.

5.

Select the Disabled option, and then click OK.

6.

Close the Local Security Settings window.

 

Disable User Account Control from prompting for credentials to install applications

Use the following procedure to disable UAC from prompting for credentials to install applications.

 

Note:

 

To perform the following procedure, you must be logged into a client computer as a local administrator.

 

 

Important:

 

This procedure is not supported on Windows Vista Starter, Windows Vista Home Basic, or Windows Vista Home Premium.

 

 

To disable UAC from prompting for credentials to install applications

 

1.

Click Start, click All Programs, click Accessories, click Run, type secpol.msc in the Open text box, and then click OK.

2.

From the Local Security Settings console tree, click Local Policies, and then Security Options.

3.

Scroll down and double-click User Account Control: Detect application installations and prompt for elevation.

4.

Select the Disabled option, and then click OK.

5.

Close the Local Security Settings window.

 

Change the elevation prompt behavior

Use the following procedures to change the elevation prompt behavior for UAC. You can configure the behavior of the elevation prompt separately for administrators and for standard users.

 

Note:

 

To perform the following procedures, you must be logged on to a client computer as a local administrator.

 

 

Important:

 

These procedures are not supported on Windows Vista Starter, Windows Vista Home Basic, or Windows Vista Home Premium.

 

 

To change the elevation prompt behavior for administrators

 

1.

Click Start, click Accessories, click Run, type secpol.msc in the Open box, and then click OK.

2.

From the Local Security Settings console tree, click Local Policies, and then Security Options.

3.

Scroll down to and double-click User Account Control: Behavior of the elevation prompt for administrators.

4.

From the drop-down menu, select one of the following settings:

Elevate without prompting (tasks requesting elevation will automatically run as elevated without prompting the administrator)

Prompt for credentials (this setting requires user name and password input before an application or task will run as elevated)

Prompt for consent (default setting for administrators)

 

5.

Click OK.

6.

Close the Local Security Settings window.

 

 

 

To change the elevation prompt behavior for standard users

 

1.

Click Start, click Accessories, click Run, type secpol.msc in the Open box, and then click OK.

2.

From the Local Security Settings console tree, click Local Policies, and then Security Options.

3.

Scroll down to and double-click User Account Control: Behavior of the elevation prompt for standard users.

4.

From the drop-down menu, select one of the following settings:

Automatically deny elevation requests (standard users will not be able to run programs requiring elevation, and will not be prompted)

Prompt for credentials (this setting requires user name and password input before an application or task will run as elevated, and is the default for standard users)

 

5.

Click OK.

6.

Close the Local Security Settings window.

 

Top of pageTop of page

Troubleshooting and Support

Since UAC is a feature of Windows Vista, support is available directly from Microsoft and from user communities. For information about support, see http://go.microsoft.com/fwlink/?LinkID=76619 .

 



©2012 DSM Electronics, Inc. All rights reserved.   Terms of Use  |  Privacy Statement  |  Hosting Policy  |  Billing Policy  |  Contact US