Disable UAC for all admins (not just for the SID -500 Administrator) but enable it for Standard Users

Thorsten Butz

I want to achieve that administrative accounts are completely free;
they shall not be restricted by UAC.
I can do that for the Root-Administrator-Account, the one with the -500
SID. But I want to free "john doe", if he is Domain Administrator.

"Elevate without prompting" is not adequate, because programs that do
not force an elevation of rights ("asInvoker") would run with the
stripped down token.

So, why can't I do that? Or: how? Any ideas?

Thanks Thorsten
 
Ken Zhao [MSFT]

Hello Thorsten,

Thank you for using newsgroup!

As far as I know, by default the built-in Administrator account is not
being controlled by UAC. However, we can modify the following local
security policy to enable UAC for built-in Administrator account:
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options\User Access Control: Admin Approval Mode for the
Built-in Administrator account

We cannot enable/disable UAC for any other particular user accounts. It is
by design behavior in Windows Vista.

Thanks & Regards,

Ken Zhao

Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security <http://www.microsoft.com/security>
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Thorsten Butz

Hello Ken!

17.10.2007 05:51, Ken Zhao [MSFT]s Mail:
> As far as I know, by default the built-in Administrator account is not
> being controlled by UAC. However, we can modify the following local
> security policy to enable UAC for built-in Administrator account:
> Computer Configuration\Windows Settings\Security Settings\Local
> Policies\Security Options\User Access Control: Admin Approval Mode for the
> Built-in Administrator account

You are partially right: the built-in Admin account is not controlled
by UAC (by default).

Configuring the GPO setting above is equal to disabling the UAC
completely. The setting's caption is unclear/mistakable: you do not
disable the UAC for admins, you disable the UAC altogether; Standard
users are no longer controlled by UAC, either.

Thorsten
 
Thorsten Butz

Sorry, I made a mistake reading your reply:
I thought of this setting (but you didn't mention this one):

"User Account Control: Run all administrators in Admin Approval Mode"

This is the setting that I focussed on. I cannot understand why this
"design" was chosen. I want to enable UAC for standard users, and
disable it for any administrative account, not just the built-in.

Thorsten

17.10.2007 05:51, Ken Zhao [MSFT]s Mail:
 
Ken Zhao [MSFT]

Hi Thorsten,

Thanks for your reply; this is by design behavior in Windows Vista. I do
understand your concerns. From my point of view, I understand your feeling
and how frustrating it is when you find that our product cannot meet your needs.
So, it is my pleasure to help you to reflect your recommendation to the
proper department for their consideration.

In addition, please feel free to submit your suggestion on our product to
the following link. Our Product Group reviews the suggestions submitted by
our customers. Your feedback is valuable for us to improve our products and
increase the level of service provided.

https://support.microsoft.com/common/survey.aspx?scid=sw;en;1208&showpage=1&ws=search

Thanks & Regards,

Ken Zhao

Microsoft Online Support
Microsoft Global Technical Support Center
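
The behaviour discussed in this thread, as an added read-only audit example that is not part of any poster's message: it reads the registry values behind the three policy settings named above and models which account classes end up with a full token. The function name and the defaults used when a value is absent are assumptions of this example.

```powershell
# Added example (not from the thread): read-only model of the UAC policy values.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacTokenModel {   # hypothetical helper name
    param(
        # "Run all administrators in Admin Approval Mode" (assumed 1 when absent)
        [int]$EnableLUA = 1,
        # "Admin Approval Mode for the Built-in Administrator account" (assumed 0)
        [int]$FilterAdministratorToken = 0,
        # Admin elevation prompt behaviour; 0 = "Elevate without prompting"
        [int]$ConsentPromptBehaviorAdmin = 2
    )
    $uac = $EnableLUA -ne 0
    [pscustomobject]@{
        EnableLUA                  = $EnableLUA
        FilterAdministratorToken   = $FilterAdministratorToken
        ConsentPromptBehaviorAdmin = $ConsentPromptBehaviorAdmin
        # The -500 account is only filtered when UAC is on AND its own switch is set.
        BuiltinAdminFullToken      = (-not $uac) -or ($FilterAdministratorToken -eq 0)
        # Every other admin is filtered whenever UAC is on; there is no per-user switch.
        OtherAdminsFullToken       = -not $uac
        # Silent elevation still leaves "asInvoker" programs on the filtered token.
        SilentElevationOnly        = $uac -and ($ConsentPromptBehaviorAdmin -eq 0)
        StandardUsersUnderUac      = $uac
    }
}

# 1) Report the live machine state; values missing from the registry use the defaults.
$p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
$live = @{}
foreach ($n in 'EnableLUA', 'FilterAdministratorToken', 'ConsentPromptBehaviorAdmin') {
    if ($null -ne $p.$n) { $live[$n] = [int]$p.$n }
}
Get-UacTokenModel @live | Format-List

# 2) Enumerate every combination and look for the state asked for in the first post:
#    full token for all admins while standard users stay under UAC.
$all = foreach ($lua in 0, 1) { foreach ($f in 0, 1) { foreach ($c in 0, 2) {
    Get-UacTokenModel -EnableLUA $lua -FilterAdministratorToken $f -ConsentPromptBehaviorAdmin $c
} } }
$wanted = @($all | Where-Object { $_.OtherAdminsFullToken -and $_.StandardUsersUnderUac })
"Combinations giving all admins a full token with UAC still on for standard users: $($wanted.Count)"
```

The second part reports zero matching combinations, which is the "by design" limitation described in the replies.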

 
