Windows OS Hub

September 14, 2016 | Group Policies, Windows 10, Windows 7, Windows 8

User Account Control Slider and Group Policy Settings

In Windows Vista, Microsoft introduced User Account Control (UAC), a mechanism that provides an additional level of protection against unauthorized modifications. In Windows 7 and later, UAC has a settings slider (opened from the Control Panel or by running UserAccountControlSettings.exe) that lets you select one of four UAC protection levels.

The following four UAC protection levels can be selected using the slider:

  • Level 4 – Always notify – the highest UAC protection level
  • Level 3 – Notify only when programs try to make changes to my computer (default) – standard protection level
  • Level 2 – Notify only when programs try to make changes to my computer (do not dim my desktop) – almost the same as the previous level, but without switching to the Secure Desktop, which locks the desktop
  • Level 1 – Never notify – UAC is disabled

UAC Slider in Windows

By default, UAC protection level 3 is used in Windows.

You can manage UAC settings using either the slider or GPO. However, there is no single policy that selects one of the four protection levels (corresponding to the positions of the UAC slider). Instead, UAC settings are managed using 10 different policies. These policies are located in the following section of the GPO editor:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options. The names of the policies related to UAC start with User Account Control.

User Account Control Policy

The following table lists the UAC policies and the corresponding registry keys. The UAC settings are stored in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System branch of the registry.

| Policy Name | Registry Key Set with the Policy |
|---|---|
| User Account Control: Admin Approval Mode for the Built-in Administrator account | FilterAdministratorToken |
| User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | EnableUIADesktopToggle |
| User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | ConsentPromptBehaviorAdmin |
| User Account Control: Behavior of the elevation prompt for standard users | ConsentPromptBehaviorUser |
| User Account Control: Detect application installations and prompt for elevation | EnableInstallerDetection |
| User Account Control: Only elevate executables that are signed and validated | ValidateAdminCodeSignatures |
| User Account Control: Only elevate UIAccess applications that are installed in secure locations | EnableSecureUIAPaths |
| User Account Control: Run all administrators in Admin Approval Mode | EnableLUA |
| User Account Control: Switch to the secure desktop when prompting for elevation | PromptOnSecureDesktop |
| User Account Control: Virtualize file and registry write failures to per-user locations | EnableVirtualization |

UAC settings in registry

If you have to set UAC parameters using GPO, use the following correspondences between the GPO settings and the four UAC levels:

UAC Level 1

Admin Approval Mode for the Built-in Administrator account = Disabled
Allow UIAccess applications to prompt for elevation without using the secure desktop = Disabled
Behavior of the elevation prompt for administrators in Admin Approval Mode = Elevate without prompting
Behavior of the elevation prompt for standard users = Prompt for credentials
Detect application installations and prompt for elevation = Enabled
Only elevate executables that are signed and validated = Disabled
Only elevate UIAccess applications that are installed in secure locations = Enabled
Run all administrators in Admin Approval Mode = Disabled
Switch to the secure desktop when prompting for elevation = Disabled
Virtualize file and registry write failures to per-user locations = Enabled

UAC Level 2

Admin Approval Mode for the Built-in Administrator account = Disabled
Allow UIAccess applications to prompt for elevation without using the secure desktop = Disabled
Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent for non-Windows binaries
Behavior of the elevation prompt for standard users = Prompt for credentials
Detect application installations and prompt for elevation = Enabled
Only elevate executables that are signed and validated = Disabled
Only elevate UIAccess applications that are installed in secure locations = Enabled
Run all administrators in Admin Approval Mode = Enabled
Switch to the secure desktop when prompting for elevation = Disabled
Virtualize file and registry write failures to per-user locations = Enabled

UAC Level 3 (default)

The default values of the registry keys corresponding to the policies are given in brackets.

Admin Approval Mode for the Built-in Administrator account = Disabled (the value of the registry key FilterAdministratorToken – 0)
Allow UIAccess applications to prompt for elevation without using the secure desktop = Disabled (the value of the registry key EnableUIADesktopToggle – 0)
Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent for non-Windows binaries (the value of the registry key ConsentPromptBehaviorAdmin – 5)
Behavior of the elevation prompt for standard users = Prompt for credentials (the value of the registry key ConsentPromptBehaviorUser – 3)
Detect application installations and prompt for elevation = Enabled (the value of the registry key EnableInstallerDetection – 0 for domain computers, 1 for workgroups)
Only elevate executables that are signed and validated = Disabled (the value of the registry key ValidateAdminCodeSignatures – 0)
Only elevate UIAccess applications that are installed in secure locations = Enabled (the value of the registry key EnableSecureUIAPaths – 1)
Run all administrators in Admin Approval Mode = Enabled (the value of the registry key EnableLUA – 1)
Switch to the secure desktop when prompting for elevation = Enabled (the value of the registry key PromptOnSecureDesktop – 1)
Virtualize file and registry write failures to per-user locations = Enabled (the value of the registry key EnableVirtualization – 1)

UAC Level 4

Admin Approval Mode for the Built-in Administrator account = Disabled
Allow UIAccess applications to prompt for elevation without using the secure desktop = Disabled
Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent on the secure desktop
Behavior of the elevation prompt for standard users = Prompt for credentials
Detect application installations and prompt for elevation = Enabled
Only elevate executables that are signed and validated = Disabled
Only elevate UIAccess applications that are installed in secure locations = Enabled
Run all administrators in Admin Approval Mode = Enabled
Switch to the secure desktop when prompting for elevation = Enabled
Virtualize file and registry write failures to per-user locations = Enabled

If you want to allow users to adjust the UAC settings further, you can specify the default settings on domain computers using Group Policy Preferences (GPP) to set the registry keys once (Apply once and do not reapply).
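
The level lists above can be turned into an audit check. The following PowerShell is an added example, not code from the original article: it classifies the three registry values that differ between the levels and reports drift in the values that are the same in all four lists. The function names `Get-UacSliderLevel` and `Get-UacDrift` are hypothetical, and the numeric codes 0 and 2 for ConsentPromptBehaviorAdmin come from Microsoft's documented enumeration rather than from the article.

```powershell
# Added example: map UAC registry values to the slider levels listed in the article.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Values that differ between the four lists. ConsentPromptBehaviorAdmin codes:
# 0 = Elevate without prompting, 2 = Prompt for consent on the secure desktop,
# 5 = Prompt for consent for non-Windows binaries.
$Levels = @(
    [pscustomobject]@{ Level = 1; EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
    [pscustomobject]@{ Level = 2; EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 }
    [pscustomobject]@{ Level = 3; EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }
    [pscustomobject]@{ Level = 4; EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 }
)
# Values identical in all four lists (defaults from the Level 3 list).
# EnableInstallerDetection is left out: its default depends on domain membership.
$Fixed = @{
    FilterAdministratorToken = 0; EnableUIADesktopToggle = 0; ConsentPromptBehaviorUser = 3
    ValidateAdminCodeSignatures = 0; EnableSecureUIAPaths = 1; EnableVirtualization = 1
}

function Get-UacSliderLevel {
    param([Parameter(Mandatory)] $Settings)   # hashtable or Get-ItemProperty output
    foreach ($l in $Levels) {
        $diff = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop' |
            Where-Object { $Settings.$_ -ne $l.$_ }
        if (-not $diff) { return $l.Level }
    }
    'Custom'   # a combination no list above describes, or a value is missing
}

function Get-UacDrift {
    param([Parameter(Mandatory)] $Settings)
    foreach ($name in $Fixed.Keys) {
        if ($Settings.$name -ne $Fixed[$name]) {
            [pscustomobject]@{ Name = $name; Expected = $Fixed[$name]; Actual = $Settings.$name }
        }
    }
}

# Constructed sample (not from a real host): UAC off, signature validation changed.
$sample = @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0
             FilterAdministratorToken = 0; EnableUIADesktopToggle = 0; ConsentPromptBehaviorUser = 3
             ValidateAdminCodeSignatures = 1; EnableSecureUIAPaths = 1; EnableVirtualization = 1 }
"Sample: level $(Get-UacSliderLevel $sample)"
Get-UacDrift $sample | Format-Table

# Live host: read the same values when the key exists (Windows only).
if (Test-Path $UacKey) {
    $live = Get-ItemProperty -Path $UacKey
    "This host: level $(Get-UacSliderLevel $live)"
    Get-UacDrift $live | Format-Table
}
```

A result of `Custom` means the three values do not match any of the four lists, which is worth reviewing on hosts where GPO is expected to enforce a level.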


4 comments

No Spam April 6, 2017 - 5:35 pm

Methinks your values for the behavior on “standard users” are not accurate. Per this Microsoft link (https://technet.microsoft.com/en-us/library/dd835564(v=ws.10).aspx) the “default” value (level 3) is “Prompt for consent on the secure desktop”.

No Spam April 6, 2017 - 5:44 pm

Sorry, default value is “Prompt for credentials on the secure desktop”

No Spam April 6, 2017 - 5:53 pm

You gotta love (hate) Microsoft documentation! In that same link/URL, they give conflicting information about the default value for “standard users”. In the first/top table, it says “User Account Control: Behavior of the elevation prompt for standard users ConsentPromptBehaviorUser Prompt for credentials on the secure desktop”. But in the last/bottom table, it says “ConsentPromptBehaviorUser User Account Control: Behavior of the elevation prompt for standard users 0 = Automatically deny elevation requests
1 = Prompt for credentials on the secure desktop
3 (Default) = Prompt for credentials”

SO WHICH IS IT MICROSOFT?!?

I apologize for questioning your page…

Rick November 29, 2018 - 12:12 pm

Using your level 1 settings does not correspond to level 1 in Windows 10.
If I set these settings I can’t run Microsoft Edge and everything is run as administrator.
Simple way to check this is to right click start and run Powershell always runs it as admin even tho’ I don’t select the (admin) choice.

So how do I make it behave like Windows 10 UAC level 1?
