Saturday, September 19, 2009

Windows 7 User Account Control

User Account Control, or UAC for short, was first introduced in Windows Vista. The purpose behind UAC was to block virus infections by enabling users to easily run as standard users instead of as administrators. When UAC is enabled on a Windows Vista computer, users are presented with an elevation prompt whenever they need to perform an administrative action such as configuring the operating system settings or installing software on the computer.

I personally thought UAC in Vista was fantastic. I no longer had to Run-As; it would just prompt me automatically for my administrator's password whenever I needed to install something such as an ActiveX control. Previously I'd have to close my iexplorer.exe session, navigate to c:\program files\internet explorer\iexplorer.exe, right-click on it, Run As, install the ActiveX control for the particular website, close my administrative iexplorer session, then return to a restricted standard Internet Explorer session. What a pain! However, many users complained and found UAC "annoying", primarily because they didn't understand what it was doing.

As a result of user feedback, Microsoft modified UAC in Windows 7, giving users more control over when UAC prompts are displayed. In addition, fewer operating system tasks now require elevation. IT administrators also have more control of UAC via Group Policy. Below we are going to look at the changes to UAC for both home users and administrators.

What's Changed from a User's Perspective?

Well, in Windows Vista UAC could only be enabled or disabled. Now in Windows 7 there are four levels of control that can be configured under:

Control Panel --> System and Security --> Action Center --> Change User Account Control.



These four levels are:









What's Changed from an IT Professional's Perspective?

The policies for UAC can be found in Group Policy under:

Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Security Options

Below is the list of all UAC policies that can be configured for Windows 7. I have marked in red the policies that are new to Windows 7:



Additionally, there was one policy that was available in Windows Vista but has been removed for Windows 7:

User Account Control: Switch to the secure desktop when prompting for elevation
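
The UAC policies under Security Options are stored as DWORD registry values, so a short script can report how a given machine is actually configured. The following is an added example, not part of the original post: the registry key, the three value names and their meanings come from Microsoft's policy documentation rather than from this page, and the script sticks to syntax that works on the PowerShell 2.0 shipped with Windows 7.

```powershell
# Added example: report the registry values behind three UAC Security Options policies.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meaning of each DWORD value, per policy.
$meaning = @{
    EnableLUA = @{
        0 = 'Admin Approval Mode off (UAC disabled)'
        1 = 'Admin Approval Mode on'
    }
    ConsentPromptBehaviorAdmin = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }
    ConsentPromptBehaviorUser = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }
}

# Values that remove the elevation prompt entirely; flag these for review.
$weak = @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0 }

$props = Get-ItemProperty -Path $key
foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser') {
    $value = $props.$name    # $null when the value is not present in the registry
    if ($null -eq $value) {
        $text = 'not set (operating system default applies)'
    } elseif ($meaning[$name].ContainsKey([int]$value)) {
        $text = $meaning[$name][[int]$value]
    } else {
        $text = 'unrecognised value'
    }
    # New-Object keeps this compatible with PowerShell 2.0; Select-Object fixes column order.
    New-Object PSObject -Property @{
        Policy  = $name
        Value   = $value
        Meaning = $text
        Review  = ($null -ne $value -and $weak[$name] -eq $value)
    } | Select-Object Policy, Value, Meaning, Review
}
```

Reading this key does not require elevation, so the script can be run as a standard user during an audit.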
