In Windows Vista, Microsoft introduced User Account Control (UAC), a mechanism that adds a further layer of protection against unauthorized system changes. In Windows 7 and later, UAC has a settings slider (opened from the Control Panel or by running UserAccountControlSettings.exe) that lets you choose one of four UAC protection levels.
The following four User Account Control protection levels can be selected with the slider:
- Level 4 (Always notify): the highest UAC protection level
- Level 3 (Notify only when programs try to make changes to my computer, the default): the standard protection level
- Level 2 (Notify only when programs try to make changes to my computer, do not dim my desktop): almost the same as the previous level, but without switching to the Secure Desktop and locking the desktop while the prompt is shown
- Level 1 (Never notify): UAC is disabled
By default, UAC protection level 3 is used in Windows.
You can manage UAC settings both with the slider and through Group Policy (GPO). However, there is no single policy that selects one of the four protection levels (i.e. one that corresponds to the slider position). Instead, UAC is managed through 10 separate policies, located in the following section of the GPO editor:
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options. The names of the UAC-related policies all start with "User Account Control".
The following table lists the UAC policies and the registry values each one sets. All UAC settings are stored under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System key of the registry.
| Policy Name | Registry Value Set by the Policy |
|---|---|
| User Account Control: Admin Approval Mode for the Built-in Administrator account | FilterAdministratorToken |
| User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | EnableUIADesktopToggle |
| User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | ConsentPromptBehaviorAdmin |
| User Account Control: Behavior of the elevation prompt for standard users | ConsentPromptBehaviorUser |
| User Account Control: Detect application installations and prompt for elevation | EnableInstallerDetection |
| User Account Control: Only elevate executables that are signed and validated | ValidateAdminCodeSignatures |
| User Account Control: Only elevate UIAccess applications that are installed in secure locations | EnableSecureUIAPaths |
| User Account Control: Run all administrators in Admin Approval Mode | EnableLUA |
| User Account Control: Switch to the secure desktop when prompting for elevation | PromptOnSecureDesktop |
| User Account Control: Virtualize file and registry write failures to per-user locations | EnableVirtualization |
If you need to set UAC parameters through GPO, use the following correspondences between the GPO settings and the four UAC levels. The standard values of the registry values corresponding to the policies are given in brackets.
UAC Level 1
UAC Level 2
UAC Level 3 (default)
UAC Level 4
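As an added example (not part of the original article), the following PowerShell script reads the three registry values that define the slider position from the key named above and reports which UAC level the machine is effectively at. The level-to-value mapping in the script is the commonly documented one for Windows 8 and later and is an assumption of this example, not taken from the article; the function `Resolve-UacLevel` and its "level 0" label for EnableLUA=0 are this example's own names.

```powershell
# Added audit example, not from the original article. Reads the UAC policy values
# from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and reports
# which slider level they correspond to. The level-to-value mapping below is the
# commonly documented one for Windows 8/10/11 and is an assumption of this example.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Slider level -> expected values. The slider leaves EnableLUA at 1 in every
# position; EnableLUA=0 is only reachable via policy or a direct registry edit
# and switches UAC off entirely.
$UacLevels = @(
    @{ Level = 4; Name = 'Always notify';                 ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 }
    @{ Level = 3; Name = 'Notify for programs (default)'; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }
    @{ Level = 2; Name = 'Notify for programs, no dim';   ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 }
    @{ Level = 1; Name = 'Never notify';                  ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
)

function Get-UacPolicyValues {
    # Returns the three values that define the slider position, falling back to
    # the out-of-box default when a value is absent from the registry.
    $p = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
    @{
        ConsentPromptBehaviorAdmin = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
        PromptOnSecureDesktop      = if ($null -ne $p.PromptOnSecureDesktop)      { [int]$p.PromptOnSecureDesktop }      else { 1 }
        EnableLUA                  = if ($null -ne $p.EnableLUA)                  { [int]$p.EnableLUA }                  else { 1 }
    }
}

function Resolve-UacLevel {
    param([Parameter(Mandatory)][hashtable]$Values)

    if ($Values.EnableLUA -eq 0) {
        # Not a slider position: UAC is off and every administrator logon gets a full token.
        return [pscustomobject]@{ Level = 0; Name = 'UAC disabled (EnableLUA=0)'; SliderPosition = $false }
    }
    foreach ($l in $UacLevels) {
        if ($Values.ConsentPromptBehaviorAdmin -eq $l.ConsentPromptBehaviorAdmin -and
            $Values.PromptOnSecureDesktop -eq $l.PromptOnSecureDesktop) {
            return [pscustomobject]@{ Level = $l.Level; Name = $l.Name; SliderPosition = $true }
        }
    }
    # A combination the slider never produces, e.g. ConsentPromptBehaviorAdmin=1
    # (prompt for credentials) set through GPO.
    [pscustomobject]@{ Level = $null; Name = 'Custom policy combination'; SliderPosition = $false }
}

# Live check of this machine.
$live   = Get-UacPolicyValues
$result = Resolve-UacLevel -Values $live
'{0}: UAC level {1} ({2})' -f $env:COMPUTERNAME, $result.Level, $result.Name
if ($null -ne $result.Level -and $result.Level -le 1) {
    Write-Warning 'UAC is at or below "Never notify"; consider raising it through GPO.'
}

# Constructed sample (not read from a real host) showing a GPO-only combination.
Resolve-UacLevel -Values @{ ConsentPromptBehaviorAdmin = 1; PromptOnSecureDesktop = 1; EnableLUA = 1 }
```

Running the script across a fleet (for example through a remoting session) gives a quick view of hosts whose policies deviate from the intended level, including hosts where EnableLUA has been set to 0 outside the slider.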
If you want users to be able to adjust the UAC settings themselves afterwards, set the default values on domain computers with Group Policy Preferences (GPP) registry items configured to apply once (the "Apply once and do not reapply" option), rather than with the security policies above, which are re-enforced on every policy refresh.