Wednesday, July 6, 2016

Using Group Policy to configure UAC (User Account Control) on a Windows 7 desktop

One of the more common questions I get asked by clients and colleagues is how to use group policy to configure UAC settings for Windows clients that mirror the 4 level presets that is available from within a Windows 7 desktop.  While I don’t have the configuration for levels 1 and 2, I do have the settings for 3 and 4 so I thought I’d write this quick blog post for others and my self to reference.

Level 3 UAC

To configure a Windows 7 desktop with level 3 UAC settings as shown in the following screenshot:

clip_image002

Configure the following settings in the Computer Configuration > Policies > Windows Settings > Security Settings > Local Polices > Security Options:

Policy Setting
User Account Control: Admin Approval Mode for the built-in Administrator account Disabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop Disabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode Prompt for consent for non-Windows Binaries
User Account Control: Behavior of the elevation prompt for standard users Prompt for credentials
User Account Control: Detect application installations and prompt for elevation Enabled
User Account Control: Only elevate executables that are signed and validated Disabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations Enabled
User Account Control: Run all administrators in Admin Approval Mode Enabled
User Account Control: Switch to the secure desktop when prompting for elevation Disabled
User Account Control: Virtualize file and registry write failures to per-user locations Enabled

image

Level 4 UAC

To configure a Windows 7 desktop with level 4 UAC settings as shown in the following screenshot:

clip_image002[6]

Configure the following settings in the Computer Configuration > Policies > Windows Settings > Security Settings > Local Polices > Security Options:

Policy Setting
User Account Control: Admin Approval Mode for the built-in Administrator account Disabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop Disabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode Prompt for consent for non-Windows Binaries
User Account Control: Behavior of the elevation prompt for standard users Prompt for credentials
User Account Control: Detect application installations and prompt for elevation Enabled
User Account Control: Only elevate executables that are signed and validated Disabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations Enabled
User Account Control: Run all administrators in Admin Approval Mode Enabled
User Account Control: Switch to the secure desktop when prompting for elevation Enabled
User Account Control: Virtualize file and registry write failures to per-user locations Enabled

image

Hope this helps anyone who may be looking for this information.

No comments: