Customizing User Account Control


  1. jav
    Posts : 713
    Windows 7 Ultimate x86 SP1
       #11

    ahstanford said:

    I don't think this link shows anything about user-specific UAC settings.
    Though I would still like to disable UAC for my user account (administrator account) and leave it enabled on the standard user accounts (my mother and my girlfriend). It seems this can't be done, so I suppose I'm going to stick with my current settings.
    Does your mother or girlfriend have your password?
    If they don't have your password and they don't use any tasks/programs which need Administrator privileges, then they don't really benefit from UAC at all.
    In this case benefit from UAC is only for you.

    Before anybody starts to say something about the last statement, let me explain UAC basics..

    UAC (User Account Control) is just a feature that controls user privilege tokens (what the user can do).
    Situation when UAC is on:
    1. You log in with your Administrator account.
    While logging in, UAC gives you 2 user tokens (one administrative and one standard user) and makes the standard user privilege the main token.
    You see, this (UAC) was one of the cleverest things Microsoft came up with for Windows security.
    The problem with Windows is that almost EVERYBODY runs it as administrator (any other OS takes away that privilege from the user).
    Microsoft tried to encourage its users to use a Standard account, but there were only a handful of people who did. (And the funny thing is that those people who haven't even considered Microsoft's advice blamed the company for not doing anything for Windows security.)

    So, Microsoft had to come up with something new and take away administrative privileges from average users. They created UAC.

    If you remember, I said that when you logged in with an administrator account UAC gave you the standard user privilege token as your main.
    So basically, even if you are logged in with an administrator account, you are using it as if you were a standard user and have its privileges.
    And according to privilege inheritance, any process inherits the privileges of its parent process, so everything you open will run as standard user.

    But theoretically there will be a problem when you try to do something which requires administrative privileges.
    Here comes UAC again :) When you try to do something that requires Administrative privileges, UAC will come up and, after getting confirmation from you (the user who has admin privileges), gives the Administrative privilege token to that process.
    So as you can see, from a security point of view UAC was a genius thing. It made the administrator account into a standard account and this way blocked lots of security flaws.

    But UAC isn't perfect and Microsoft still encourages and wants average users to run as standard users.
    But the problem is that many users don't want to log off and log in to an administrator account to do anything that requires administrative privileges.
    So they created fast switch, but even then people were too lazy to do this.
    2. So after this they implemented UAC into the standard user as well.
    It works the same way as it does in the Administrator account.

    But in this case it doesn't give you 2 tokens at the start, as you don't have them (you have only standard user privileges).
    So you will work as a standard user and if you need something that requires administrative privileges, it asks the users who have them (administrators). After confirmation from an administrator (after you write the admin password) it "borrows" the admin privileges from that user and does that specific task in the name of the administrator who was confirmed with the password.
    So now, a Standard user doesn't even need to log off to do administrative tasks...

    Now, back to your topic.
    1. If your family members don't use anything that requires administrative privileges, or even when they want they can't use it (as they don't have your password or any other admin password).
    If this is your situation, as I already mentioned they don't benefit from UAC.
    Why? Because UAC for a standard user is just to give the Standard user a fast way to get ("borrow") administrative privileges.
    If you turn off UAC, they will be automatically denied tasks that require admin privileges (tasks which would be asked by UAC if it was on).
    So, from this point of view you can turn off UAC.

    But then you (Administrator) will have administrator privileges token always!
    So, just read through how UAC works again, and decide if it's worth it...

    But if your family members know your password and do tasks which require admin privileges then you can't turn off UAC. (If you turn it off they will have to switch user/log off and log in with an admin account to do those tasks.)
    Hope it will help you!

    EDIT:
    This is the right solution for your second problem
    Thorsen said:
    Once the shortcut with Admin rights is created, you can put it in the Startup folder under All Programs and it will run at startup....


  2. Posts : 1,403
    Win 7 Ultimate 32bit
       #12

    Some things that I didn't mention, and/or forgot about.
    That and I didn't grasp that you had them set up as a standard user, that was my fault and I apologize.

    If they are set up with an Admin account, and not a standard user account,

    when you turn off UAC, you are effectively an admin, not a standard user.
    You are only a standard user when setup as a standard user.


    So, you could actually set them up with Standard User Accounts, not admin accounts and then turn off UAC
    They will still need Admin Rights to install or do many things that require admin rights.
    When running as a Standard User, with UAC Disabled, No prompt will be given, you will need to Right Click the App or shortcut and select Run As and provide Admin Credentials, to run or install that particular app.

    However, setup that way, with UAC enabled, you would have more control and be able to turn on Parental Controls, which provide a great deal of control over what can and can not be done on the system.

    Additionally, you could also take advantage of AppLocker

    AppLocker is a flexible, easily administered mechanism that enables IT professionals to specify exactly what is allowed to run on user desktops. It provides the flexibility to allow users to run the applications, installation programs, and scripts they need to be productive. Learn how you can realize the security, operational, and compliance benefits of application standardization by using AppLocker
    And see this http://thelazyadmin.com/blogs/thelaz...pp-locker.aspx

    Either way, it is not advised to disable UAC, due to it being able to warn you when anything is requiring admin rights to do anything. This is still a hot debate with positives and negatives on both sides. I advise leaving it on though.
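The two things posts #11 and #12 describe, the machine's UAC policy and which token the current session is running on, can be inspected without changing anything. The following is an added example, not code from either poster; it assumes English `whoami` output and the standard UAC policy values under `HKLM`.

```powershell
# Added example: read-only audit of UAC policy and the current logon token.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $key

# Meaning of the documented ConsentPromptBehavior* values.
$adminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}
$userPrompt = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}
function Describe($map, $value) {
    if ($value -eq $null) { 'not set' } else { $map[[int]$value] }
}

# Is this process running with the full administrative token?
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Under a filtered token, BUILTIN\Administrators (S-1-5-32-544) is still listed
# but marked deny-only. Assumption: English whoami column names and text.
$adminRow = whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.SID -eq 'S-1-5-32-544' }
$denyOnly = [bool]($adminRow -and ($adminRow.Attributes -match 'deny only'))

if ($elevated)     { $token = 'Full administrator token (elevated, or UAC is off)' }
elseif ($denyOnly) { $token = 'Administrator account running on the filtered standard-user token' }
else               { $token = 'Standard user account (no administrator token to elevate to)' }

New-Object PSObject -Property @{
    UacEnabled         = ($pol.EnableLUA -eq 1)
    AdminPrompt        = Describe $adminPrompt $pol.ConsentPromptBehaviorAdmin
    StandardUserPrompt = Describe $userPrompt  $pol.ConsentPromptBehaviorUser
    SecureDesktop      = ($pol.PromptOnSecureDesktop -eq 1)
    CurrentToken       = $token
} | Format-List
```

These values live under `HKLM`, so they apply to every account on the machine; the administrator and standard-user prompt behaviours are separate values, but neither can be set per user account.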


 