I suppose many people working with Vista are now considering disabling User Account Control (UAC). There is at least one good reason to do so, but there are also some reasons to give UAC a chance.
When I was first confronted with these UAC prompts, I was quite disappointed with how Microsoft solved this common problem. Windows sysops usually log on with an Administrator account, because without this you simply can't administer a Windows machine. I already pointed out my view about UAC pop-ups before. Constant prompting is not the solution.
However, this "Secure Desktop Prompting" is only one part of UAC. Since you can disable UAC prompts easily, there is not enough reason to turn off UAC altogether. UAC has other features which are more interesting and quite useful.
For example, it reduces the risk of so-called shatter attacks. Malware often makes use of the fact that applications are able to communicate with Windows and with each other. UAC-compliant software helps to isolate the privileges of processes, thereby reducing the risk of compromising other parts of the system. At the moment, there are not many UAC-compliant applications available. But this will certainly change soon.
In theory, UAC can also manage legacy applications by virtualizing the registry and parts of the file system for them. Thus, some applications needing Administrator privileges on an XP machine might work with standard user rights under Vista. However, this usually doesn't work with administration tools since they simply need real Administrator rights by nature.
Another interesting feature of UAC is that standard users can start applications with Administrator privileges more easily than under Windows XP. Sometimes, it can be useful to allow computer-savvy users to install software themselves. On an XP machine, you could add the user's account to the local Administrator group until she has finished the installation.
In Vista, a user can just enter the credentials of an account having enough privileges to fulfill the task. You could create a domain account with local Administrator rights. Every time a user needs admin privileges on his machine, you enable this account with a little script. So it costs you only a mouse click to give this user enough rights. It is just one example where this UAC feature can be useful.
At the moment, I know of only one reason why you might have to disable UAC altogether. If you have many legacy applications which are incompatible with UAC, you simply have no other choice. Many Windows programs need admin privileges, and UAC probably will fail to detect this correctly in many cases. Please check out the Related section at the end of this post for more information.
There are several ways to disable UAC. The most common way is through the User Account tool in the Control Panel. You have to reboot afterward. Unfortunately, it is not that easy to disable UAC with Group Policy. By default you can only configure some of its settings there. However, it is possible to disable UAC with a registry setting:
You have to set EnableLUA to 0. So, you could create an ADMX file and disable UAC this way for multiple computers.
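
The difference between silencing the prompts and switching UAC off altogether can be checked per machine. The PowerShell sketch below is an added example, not part of the original post: it classifies a machine from its UAC policy values. The registry path and the `ConsentPromptBehaviorAdmin` and `PromptOnSecureDesktop` value names are not given in the post; they are the documented Windows locations for these settings, and the function names and sample data are made up for illustration.

```powershell
# Added example (not from the original post): classify UAC state from policy values.
# Documented Windows location of the UAC policy values; the post does not state it.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    param([hashtable]$Values)   # value name -> DWORD, as read from $UacKey

    # Assumption: a missing EnableLUA value is treated as the default (UAC on).
    $lua     = if ($Values.ContainsKey('EnableLUA')) { $Values['EnableLUA'] } else { 1 }
    $consent = $Values['ConsentPromptBehaviorAdmin']   # $null when not set
    $secure  = $Values['PromptOnSecureDesktop']        # $null when not set

    if ($lua -eq 0)     { return 'UAC disabled altogether (EnableLUA = 0)' }
    if ($consent -eq 0) { return 'UAC enabled, administrators elevate without a prompt' }
    if ($secure -eq 0)  { return 'UAC enabled, prompts shown without the secure desktop' }
    return 'UAC enabled, prompts shown on the secure desktop'
}

function Read-UacValues {
    # Collect only the values that are actually present under the key.
    $props = Get-ItemProperty -Path $UacKey -ErrorAction Stop
    $found = @{}
    foreach ($n in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') {
        if ($null -ne $props.$n) { $found[$n] = [int]$props.$n }
    }
    return $found
}

# Constructed sample inputs (not taken from a real machine).
$samples = [ordered]@{
    'prompts silenced' = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
    'UAC off'          = @{ EnableLUA = 0 }
    'prompting on'     = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 }
}
foreach ($name in $samples.Keys) {
    '{0,-17} -> {1}' -f $name, (Get-UacState $samples[$name])
}

# On a Windows host, report the live state as well.
if (Test-Path $UacKey) {
    '{0,-17} -> {1}' -f 'this machine', (Get-UacState (Read-UacValues))
}
```

Run across a fleet, the first result flags machines where UAC was turned off rather than only quieted.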