none
UAC GPO - Does not prompt for ALL changes.

    Question

  • Hi all,

    I have a training room. The previous admin had a GPO in place with lots of settings to remove \ hide control panels, windows options and functions from the default training user account and PCs.

    This method makes it impossible to edit the default training user profile and PCs on the fly...like making a change to the default printer or adding a new one quickly...I have to removing the machines and user account from policy, make the change then moving them all back in... 

    This I find a real overkill...my idea is simply to turn UAC on and make it prompt for Admin creds for all changes to the system every time?

    I have set the GPO but it does not prompt every time?

    It prompts on the secure desktop once as expected then from there on out seems to 'cache' the initial creds and all other tasks that require elevation from there on out simply work without prompting on the secure desktop?

    These are my settings...any idea why it is not prompting every time for elevation creds?

    Thanks in advance...

    durrie

    Tuesday, June 28, 2016 7:08 AM

Answers

All replies

  • Hi,
    Please check the related registry of UAC polices to verify that the function is working well.
    You could refer to:
    UAC Group Policy Settings and Registry Key Settings
    http://technet.microsoft.com/en-us/library/dd835564(v=ws.10).aspx
    How to configure Windows UAC prompt behavior for admins and users
    http://www.ghacks.net/2013/06/20/how-to-configure-windows-uac-prompt-behavior-for-admins-and-users/
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by durrie Thursday, June 30, 2016 8:25 PM
    Thursday, June 30, 2016 2:35 AM
    Moderator
  • Thanks Wendy,

    I think a rework of the policy has fixed it however, I did find a very annoying little reg hack on the network being used by helpdesk admins to disable UAC while they install see proprietory in house software on the machines. 

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]

    "ConsentPromptBehaviorAdmin"=dword:00000000

    "EnableLUA"=dword:00000000

    I have since reworked the GPO with the below settings after reading the Technet mentioned above in great detail...a few time over it must be said...

    All seems to be working as expected now...standard users ALWAYS get prompted when elevation is required and Admins are asked for consent as per below...



    • Edited by durrie Thursday, June 30, 2016 8:24 PM
    Thursday, June 30, 2016 8:21 PM