Disable UAC for all workstations RRS feed

  • Question

  • Hi guys,

    We are at the  2008r2 forest/domain level and have an old enterprise application that is VB6, writes to the root of the C drive, and is pretty horrific from a security standpoint.  That application will not work on Windows 7, unless we make all users administrators, which is not acceptable for all users(Some users are administrators).  We had a developer come and spend several months changing things and we can get the application to work on Win7, but we must completely disable UAC.  We cannot just block the notifications, etc.  Management has made an enterprise decision to disable UAC on all computers that run this software(all workstations) and that decision is not up for debate.

    I know it is normally a user setting, but I was going to use a computer GPO.  That way I only have to target workstations that have the application, and no servers, etc.  I can go either way, but if I target users, I have to target everyone.  Here are the options I was going to use

    Computer Config->Windows Settings->Security Settings->LocalPolicies/SecurityOptions->UserAccountControl->

    Behavior of the elevation prompt for Administrators in Admin Approval Mode - Elevate without prompting

    Detect application installations and prompt for elevation - Disabled

    Run all administrators in Admin Approval Mode - Disabled

    Do you guys think I should try this? or should I target all user accounts instead?  Are there any non-security issues you can think of that might pop-up because of this?  Like applications that were set to run in Admin mode.  Is it possible that those actually start having issues, etc(basically, can any applications break from having uac disabled?)



    Dan Heim

    Thursday, August 29, 2013 10:29 PM


All replies