Logo
programming4us
programming4us
programming4us
programming4us
Home
programming4us
XP
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Windows Phone
 
Windows Server

Windows Server 2012 : Software and User Account Control Administration (part 3) - Mastering User Account Control - Configuring UAC and Admin Approval Mode

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019
1/28/2015 8:32:58 PM

Configuring UAC and Admin Approval Mode

In Group Policy under Local Policies\Security Options, five security settings determine how Admin Approval Mode and elevation prompting works. Table 1 summarizes these security settings. Remember, Group Policy gives you the flexibility to configure UAC as needed for specific environments. For example, if servers at a remote office are in a separate GPO from workstations at that office, you could configure UAC for servers one way and UAC for workstations another way.

Table 1. Security settings related to Admin Approval Mode

Security Setting

Description

User Account Control: Admin Approval Mode For The Built-in Administrator Account

Determines whether users and processes running as the built-in local administrator account are subject to Admin Approval Mode. By default, this feature is disabled, which means the built-in local administrator account is not subject to Admin Approval Mode or to the elevation-prompt behavior stipulated for other administrators in Admin Approval Mode. If you enable this setting, users and processes running as the built-in local administrator will be subject to Admin Approval and also subject to the elevation-prompt behavior stipulated for other administrators in Admin Approval Mode.

User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode

Determines whether administrators subject to Admin Approval Mode see an elevation prompt when running administrator applications, and also determines how the elevation prompt works. By default, administrators are prompted for consent when running administrator applications. You can configure this option so that administrators are prompted for credentials, as is the case with standard users. You can also configure this option so that administrators are not prompted at all—in which case, the administrator will not be able to elevate privileges. This doesn’t prevent administrators from pressing and holding or right-clicking an application shortcut and selecting Run As Administrator.

User Account Control: Behavior Of The Elevation Prompt For Standard Users

Determines whether users logged on with a standard user account see an elevation prompt when running administrator applications. By default, users logged on with a standard user account are prompted for the credentials of an administrator when running administrator applications. You can also configure this option so that users are not prompted—in which case, the users will not be able to elevate privileges by supplying administrator credentials. This doesn’t prevent users from pressing and holding or right-clicking an application shortcut and selecting Run As Administrator.

User Account Control: Run All Administrators In Admin Approval Mode

Determines whether users logged on with an administrator account are subject to Admin Approval Mode. By default, this feature is enabled, which means administrators are subject to Admin Approval Mode and further subject to the elevation-prompt behavior stipulated for administrators in Admin Approval Mode. If you disable this setting, users logged on with an administrator account are not subject to Admin Approval and therefore are not subject to the elevation-prompt behavior stipulated for administrators in Admin Approval Mode.

User Account Control: Switch To The Secure Desktop When Prompting For Elevation

Determines whether Windows Server switches to the secure desktop before prompting for elevation. As the name implies, the secure desktop restricts the programs and processes that have access to the desktop environment. In this way, it reduces the possibility that a malicious program or user could gain access to the process being elevated. By default, this security option is enabled. If you don’t want Windows Server to switch to the secure desktop prior to prompting for elevation, you can disable this setting. However, if you do this, you’ll make the computer more susceptible to malware and attack.

In a domain environment, you can use Microsoft Active Directory–based Group Policy to apply the desired security configuration to a particular set of computers. Simply configure the desired settings to a Group Policy Object (GPO) that applies to those computers.

For workgroup configurations or for a special case, you can configure these security settings on a per-computer basis using local security policy. To access local security policy and configure UAC settings, follow these steps:

  1. Select Local Security Policy on the Tools menu in Server Manager. This starts the Local Security Policy console.

  2. In the console tree, under Security Settings, expand Local Policies and then select Security Options, as shown in Figure 3.

    Configure UAC options through local security policy.
    Figure 3. Configure UAC options through local security policy.
  3. Double-tap or double-click User Account Control: Admin Approval Mode For The Built-in Administrator Account. This opens the related properties dialog box shown in Figure 4. Select Enabled to turn on this setting or Disabled to turn off this setting. Tap or click OK.

    Configure Admin Approval Mode for the built-in Administrator account.
    Figure 4. Configure Admin Approval Mode for the built-in Administrator account.
  4. Double-tap or double-click User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode. The available options are used as follows:

    • Elevate Without Prompting Enters Admin Approval Mode, and elevates to the user’s highest available privileges without prompting for consent or credentials.

    • Prompt For Credentials On The Secure Desktop Switches to the secure desktop, and then prompts for credentials before elevating to the user’s highest available privileges.

    • Prompt For Consent On The Secure Desktop Switches to the secure desktop, and then prompts for consent before elevating to the user’s highest available privileges.

    • Prompt For Credentials Prompts for credentials before elevating to the user’s highest available privileges, but doesn’t switch to the secure desktop.

    • Prompt For Consent Prompts for consent before elevating to the user’s highest available privileges, but doesn’t switch to the secure desktop.

    • Prompt For Consent For Non-Windows Binaries When running non-Windows applications that require elevation, prompts for consent on the secure desktop before elevating to the user’s highest available privileges. This is the default.

  5. Double-tap or double-click User Account Control: Behavior Of The Elevation Prompt For Standard Users. The available options are Automatically Deny Elevation Requests, Prompt For Credentials On The Secure Desktop, and Prompt For Credentials.

    Important

    If you deny elevation requests, elevation prompts will not be presented to users. This includes Remote Assistance users who might be trying to assist a user remotely.

  6. Double-tap or double-click User Account Control: Run All Administrators In Admin Approval Mode. Select Enabled to turn on this setting or Disabled to turn off this setting. Tap or click OK.

  7. Double-tap or double-click User Account Control: Switch To The Secure Desktop When Prompting For Elevation. Select Enabled to turn on this setting or Disabled to turn off this setting. Tap or click OK.

Other -----------------
- Microsoft Sharepoint 2013 : Understanding app patterns (part 5) - Building MVC apps - Introducing MVC4
- Microsoft Sharepoint 2013 : Understanding app patterns (part 4) - Building MVC apps - Understanding web form challenges
- Microsoft Sharepoint 2013 : Understanding app patterns (part 3) - Building MVVM apps - Utilizing promises
- Microsoft Sharepoint 2013 : Understanding app patterns (part 3) - Building MVVM apps - Utilizing promises
- Microsoft Sharepoint 2013 : Understanding app patterns (part 2) - Building MVVM apps - Introducing knockout
- Microsoft Sharepoint 2013 : Understanding app patterns (part 1) - Building MVVM apps - Understanding JavaScript challenges
- Microsoft Sharepoint 2013 : Working with documents - Checking documents in and out
- Microsoft Sharepoint 2013 : Working with documents - Requiring and displaying document check out
- Microsoft Sharepoint 2013 : Working with documents - Uploading multiple documents
- Microsoft Sharepoint 2013 : Working with documents - Customizing document templates
 
 
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
 
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server