Small Business Susan

I guarantee I won’t hurt you if you do this setting versus shutting off UAC completely

I’m putting folks on notice… while I won’t be too pleased that you do this… but I’d rather folks do an alternative setting in group policy controlling the User Account Control prompt than the alternative of shutting it off completely.


Okay step one you need to go buy this book:  And then as you read this you’ll begin to understand why it’s important that we understand in Vista that when people say “but I’m running as Administrator” they really are not THE ADMINISTRATOR.  They are not the BUILT IN ADMINISTRATOR and thusly things will be different.  And while it’s nicer if you are running as a standard user, even if you are running as an administrator (small caps), you are not THE ADMINISTRATOR like you were in XP era.


So if you are a geek and those UAC prompts are driving you nuts first I’m going to ask exactly what are you doing that makes you get them… like are you fiddling with network connections all the time or what?  and secondly I will say that I’m sorry they don’t drive me nuts they REMIND me of when I’m up in the “nosebleed” rights area and I should be careful.  But IF and ONLY IF you want to be less annoyed, read page 150 of that book and set up a separate Organizational Unit/Group policy and put the geeks of the office that will annoy you in their complaining with Vista the first month or so into a special bucket so they won’t see that secure desktop prompt.


What you need to do is build an OU and change the group policy setting to do this:


http://www.microsoft.com/technet/windowsvista/security/security_group_policy_settings.mspx#_User_Account_Control


Under this section:


Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options


 User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode


Now keep in mind you won’t see that up on your SBS box and you’ll need to connect to the group policy from your Vista machine (I’ll do screen shots later).  The default is to prompt for credentials… you can set it to “Elevate without prompting” and the elevation to the admin will be silent.  Now this is a bad thing because a malware could be designed to hop on that elevation and get up to admin rights… but (and this is a huge but) it’s WAY better than shutting off UAC completely.  Setting this setting leaves IE 7 in protected mode which is an EXTREMELY good thing while turning UAC off completely will turn off IE protected mode as well.


You might even consider setting this setting for a month or two after vista machines are first installed so that your users will be able to install and do the things they think they want to do and then a month or so later, take it back to the defaults where it will prompt you.


I’ll bet you that after this first install period of time you won’t see those prompts nearly like you did before.


But I guarantee you I’ll be less apt to beat you over the head with my 2×4 if you change this setting  to silently elevate and not use the secure darkened desktop (which is really a screen shot of what you were working on setting up the elevated session) than if you turn off UAC completely.


Give it a try…. and then turn that prompting back on after a while.  I’ll betcha you won’t see it much at all after the machine is set up.



1 comment so far ↓

  • #   JamesB on 08.01.07 at 9:10 pm     

    And I’ll say it one more time. All you have to do is be a tech in the field using your laptop on multiple networks in a given day and UAC will drive you insane!

    If your not seeing UAC prompts then your a basic desktop user sitting in an office playing FreeCell and using Excel to track your company sales.