none
I am looking for a GPO to enable UAC and set it to Level 3

    Question

  •    I have found several articles stating you can but not one has actually worked. Is there a GPO to enable UAC and set it to Level 3? 
    Sunday, July 24, 2016 4:43 PM

Answers

All replies

  • Hi

    The UAC settings are under Computer Config / Windows  Security Settings / Local Policies / Security Options.

    However these are Computer not User settings so ensure that you've got the computer accounts in the OU that you have the GPO linked to. Having the users in the OU won't have any effect (unless you use loopback processing)

    Regards

    Peter

    www.virtual-ninja.com

    

    Sunday, July 24, 2016 10:07 PM
  •    That Peter but that is not the issue. Have you tried it and gotten it to work? That seems to be the issue. Everyone says it is no problem and everyone points to where the settings are but no one has tried it and gotten it to work. 
    Sunday, July 24, 2016 11:07 PM
  • Hi,

    I have tested for this. To set the UAC to level 3, you should configure those setting like below in GPO.

    LEVEL 3

    Default - Notify me only when programs try to make changes to my computer.

    Don't notify me when I make changes to Windows Settings

    ***

    Admin Approval Mode for the Built-in Administrator account = Disabled

    Allow UIAccess applications to prompt for elevation without using the secure desktop = Disabled

    Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent for non-Windows binaries

    Behavior of the elevation prompt for standard users = Prompt for credentials

    Detect application installations and prompt for elevation = Enabled

    Only elevate executables that are signed and validated = Disabled

    Only elevate UIAccess applications that are installed in secure locations = Enabled

    Run all administrators in Admin Approval Mode = Enabled

    Switch to the secure desktop when prompting for elevation = Enabled

    Virtualize file and registry write failures to per-user locations = Enabled

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 25, 2016 5:58 AM
    Moderator
  • Am 24.07.2016 um 18:43 schrieb Ziggy32:
    >    I have found several articles stating you can but not one has
    > actually worked. Is there a GPO to enable UAC and set it to Level 3?
     
    There are only 3 settings that control/display the level.
     
    Level 1
    ConsentPromptBehaviorAdmin 0 ; PromptOnSecureDesktop 0 ; EnableLUA 0
    Level 2
    ConsentPromptBehaviorAdmin 5 ; PromptOnSecureDesktop 0 ; EnableLUA 1
    Level 3
    ConsentPromptBehaviorAdmin 5 ; PromptOnSecureDesktop 1 ; EnableLUA 1
    Level 4
    ConsentPromptBehaviorAdmin 2 ; PromptOnSecureDesktop 1 ; EnableLUA 1
     
    Complete List, see:
     Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Monday, July 25, 2016 7:38 AM
  •    This doesn't work. All the articles you find say the same thing but it does work. Has anyone actually tried it?

    I set the above and still have full access to the slide. Nothing changes. I am a local admin. 

    Monday, July 25, 2016 10:22 AM
  • Am 25.07.2016 um 12:22 schrieb Ziggy32:
    > I am a local admin.
     
    UAC Settings in GPO do not grey out the settings in UI. The GPO (CSE
    Security) re-applies every 16 hours. If a local admin manipulates it.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Monday, July 25, 2016 11:07 AM
  •    Thanks Mark. For some reason none of the articles point those two facts out. Huge emissions. I slid mine back to Never Notify. I'll see what happens in 16 hours.
    Monday, July 25, 2016 11:17 AM
  • Hi,

    Have you tried my suggestion?

    I have tested in my environment.

    And here is a similar thread below for your reference.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/1de0e123-84a0-4ef5-91bd-c3318cf25136/gpo-uac-level-3-default-and-prompt-for-credentials?forum=winserverGP

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, July 27, 2016 1:22 AM
    Moderator