
Part 3 of 3: User Account Control: Why You Need It. Why You Don't.

All of these are good reasons why UAC is a good thing, and remains a good idea for Microsoft to have included in the operating system itself. If it just weren’t…so…persistent…in how often it presents itself on-screen. Now here’s the catch. Even that persistence can be dialed down somewhat. If you’re thinking about changing its defaults to get rid of it partially or completely, consider some of the following realities...


• UAC is only enabled for administrators. Standard users needn’t necessarily be bothered by UAC prompts whatsoever. If you’re a standard user, you’re less likely anyway to truly understand what the prompt means. Even so, standard users have done a great job of training themselves to auto-click anything that appears on-screen. Thus, the understanding, processing, and decision-making that a UAC prompt asks for just isn’t likely to happen very well, especially when those users are non-technical in the first place.

• By default, non-administrators get prompted, but that can be changed. When a non-administrator attempts to accomplish a task that requires administrative access, UAC will by default present what is called an “over the shoulder” elevation prompt. This allows the user to ask an administrator to approve the action by entering their username and password. This is a great way to quickly solve problems that need administrative access without requiring the aforementioned log-out-and-log-back-in procedure. But it can also be a point of confusion for users. They’re used to seeing “Access Denied”. Using Group Policy, as we’ll discuss in a minute, this behavior can be reverted to the old, and arguably better-understood, response.

• Elevation prompts can be eliminated altogether. Also using Group Policy, it is possible to automatically approve any elevation request. Doing this does not get rid of UAC. Rather, it configures UAC to dispense with the prompt. Any time a process or action requires elevation, that elevation will occur automatically and without prompting. Though this is better than shutting down UAC, it does eliminate some of its protections. Namely, when processes that shouldn’t have administrative access do, they’ll be automatically approved as well.

• You can always just run as a standard user. If you truly hate UAC, but you fear getting rid of it, you can always revert to the old best practice: run your regular operations as a standard user and use elevation tools when you have the need. By doing this in combination with the Group Policy settings discussed above, you can eliminate nearly all of UAC’s prompting.

From the perspective of centralized management, there are nine Group Policy settings that can be used to configure the behavior of UAC within your domain. Each of these is available by opening the Group Policy Management Console (GPMC) from a Vista machine and navigating to Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options. There, at the bottom of the list, will be nine policy settings that all start with User Account Control. Let’s talk about each of them; their configuration can help calm UAC’s Attention Deficit Disorder and reduce the pain of managing your Vista workstations. For each, the setting in parentheses is the default local setting for Vista:

• Admin approval mode for the built-in administrator account (Disabled). By default the Administrator account has UAC turned off. Though this can be an alternate option for annoyed technicians, remember that uniquely identifying the activities of even a network’s technicians is important for both security and compliance.

• Behavior of the elevation prompt for administrators in Admin Approval Mode (Prompt for consent). We talked about a way to quiet UAC. This setting can be configured to Elevate without prompting. This has the effect of automatically elevating when necessary and should be your first line of defense should you want to dial down UAC’s chattiness.

• Behavior of the elevation prompt for standard users (Prompt for credentials). We also discussed how to revert normal users so their attempts to accomplish a task resulted in the familiar “Access Denied” rather than an over-the-shoulder elevation. This can be done by configuring this setting to Automatically deny elevation requests.

• Detect application installations and prompt for elevation (Enabled). You’ll likely want to keep this setting as is. By keeping this at Enabled, a heuristic is applied to launched programs to see if they’re application installations. This prevents an installation from attempting to start without the needed administrative credentials.

• Only elevate executables that are signed and validated (Disabled). Another setting you may want to leave alone. By setting this to Enabled, you’ll only be allowed to elevate when executables have been signed using a certificate.

• Only elevate UIAccess applications that are installed in secure locations (Enabled). This setting validates that executables that require UIAccess privileges are launched from either the Program Files location or the Windows directory. These two locations are considered “secure” due to how Vista has changed their NTFS permissions model.

• Run all administrators in Admin Approval Mode (Enabled). Setting this to Disabled effectively turns off UAC for all administrators. Use this as your last resort. Note that changing this setting will require a reboot.

• Switch to the secure desktop when prompting for elevation (Enabled). The grayed-out screen that appears with the elevation prompt is called the “secure desktop”. While it is shown, the desktop receives messages only from Windows processes. If you use the elevation prompt, keeping the secure desktop ensures the highest level of protection from malware.

• Virtualize file and registry write failures to per-user locations (Enabled). Another part of UAC we haven’t discussed yet is the transparent movement of software files from locations considered “bad” by Vista to other locations considered acceptable. This is necessary to allow some poorly-coded software to continue to function with Vista. Disabling this removes that transparency and can prevent some software from functioning.
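The nine settings above are backed by DWORD values under a single registry key. The following PowerShell script, added here as an example and not part of the column, reads those values and flags any that have been dialed down from the Vista defaults listed above. The value names are the documented registry equivalents of these Security Options; the "WEAKENED" classification is an assumption of this example, based on the settings the column describes as reducing protection.

```powershell
# Added example: audit the nine UAC policy values against the Vista defaults.
# Reads only; runs fine as a standard user.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Policy name -> registry value, Vista default, and values that weaken UAC
# (the "Weak" lists are this example's own classification).
$settings = @(
  @{ Name='Admin Approval Mode for the built-in Administrator account'; Value='FilterAdministratorToken';   Default=0; Weak=@()  },
  @{ Name='Elevation prompt for administrators in Admin Approval Mode';  Value='ConsentPromptBehaviorAdmin'; Default=2; Weak=@(0) }, # 0 = elevate without prompting
  @{ Name='Elevation prompt for standard users';                         Value='ConsentPromptBehaviorUser';  Default=1; Weak=@()  }, # 0 = automatically deny (stricter)
  @{ Name='Detect application installations and prompt for elevation';   Value='EnableInstallerDetection';   Default=1; Weak=@(0) },
  @{ Name='Only elevate executables that are signed and validated';      Value='ValidateAdminCodeSignatures';Default=0; Weak=@()  },
  @{ Name='Only elevate UIAccess applications in secure locations';      Value='EnableSecureUIAPaths';       Default=1; Weak=@(0) },
  @{ Name='Run all administrators in Admin Approval Mode';               Value='EnableLUA';                  Default=1; Weak=@(0) }, # 0 = UAC off
  @{ Name='Switch to the secure desktop when prompting for elevation';   Value='PromptOnSecureDesktop';      Default=1; Weak=@(0) },
  @{ Name='Virtualize file and registry write failures';                 Value='EnableVirtualization';       Default=1; Weak=@()  }
)

function Get-UacAuditReport {
  foreach ($s in $settings) {
    # Missing value means the OS built-in default applies.
    $actual = (Get-ItemProperty -Path $key -Name $s.Value -ErrorAction SilentlyContinue).($s.Value)
    if ($null -eq $actual) { $actual = $s.Default }

    $status = 'default'
    if ($s.Weak -contains $actual)     { $status = 'WEAKENED' }
    elseif ($actual -ne $s.Default)    { $status = 'changed'  }

    [pscustomobject]@{
      Setting = $s.Name
      Value   = $s.Value
      Actual  = $actual
      Default = $s.Default
      Status  = $status
    }
  }
}

# Show the full table, then call out anything that reduces protection.
$report = Get-UacAuditReport
$report | Format-Table -AutoSize
$weak = $report | Where-Object Status -eq 'WEAKENED'
if ($weak) { Write-Warning ("UAC weakened on this host: " + ($weak.Value -join ', ')) }
```

On a domain-joined machine the values reflect whatever Group Policy last applied, so the same script can be run from a logon script or a remoting session to compare workstations against the policy you intended.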

So the moral here is that UAC need not necessarily prevent you from moving to Vista. Though there are other published reasons that many are delaying the migration, UAC alone has the configuration capability to allow you to tailor it however you wish. If you want to disable it entirely and return to a pre-Vista mode of operations, that capability is similarly available. But between all-the-way-on and completely-off, you can see here that there are options that make it less cumbersome.


Read the full column in Windows Administration in Realtime!


Greg Shields' Bio:

Greg Shields is an independent author, instructor, and IT consultant based in Denver, Colorado, and a co-founder of Concentrated Technology. With nearly 15 years of experience in information technology, Greg has developed extensive experience in systems administration, engineering, and architecture specializing in Microsoft systems management, remote application, and virtualization technologies. Greg is a Contributing Editor for Redmond Magazine, MCPmag.com, and Virtualization Review Magazine and is the author of five books, including Windows Server 2008: What’s New / What’s Changed. Greg is also a highly sought-after instructor and speaker, speaking regularly at conferences like TechMentor Events, and producing computer-based training curriculum for CBT Nuggets. Greg is a recipient of the Microsoft "Most Valuable Professional" award with a specialization in Windows Terminal Services.