none
Disabling UAC via registry for specific security group RRS feed

  • Question

  • Hi, i need to disable UAC via registry for all of the members of a specific security group.

    now i know what key i need to change for that in the registry, but what i can't seem to understand is where to place the policy i've created.

    the only way that i got it to work is when i choose specific name of computers under the scope option. (which makes sense since the policy is under the "computer configuration" in the policy). but what do i do if i want to apply it according to security group and not according to computer name?

    it doesn't seem to be working when i specify the security group under the scope. (and when i run gpresult i even see the the policy was not applied)

    any ideas?

    Thank you

    Wednesday, April 4, 2012 9:15 AM

Answers

  •  
    > the members of the security group are users - not computers..  that's
    > the problem..
    >
     
    Why is that a problem? Put the computers in and they will apply the
    policy ;-)
     
    What you can NOT achieve (although I believe you'd like to do so) is to
    enable UAC for some users and disable it for other users - UAC is a
    computer setting.
     
    sincerely, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    • Marked as answer by Gil Kremer Wednesday, April 4, 2012 1:57 PM
    Wednesday, April 4, 2012 1:06 PM
  • Hi Gil,

    I'll answer the question for Martin :

    - you should create a group named RD Computers and you should add all the computers from R&D department in it. You create a GPO named Disable UAC and set the sttings as you want. You have now two options :

    A - if in your AD the Computer objects of R&D department are all over the places in different OUs or in the default Computers container, you link the newly created GPO at Domain level and in the Security Filtering you remove the Authenticated Users and add the new Groupe created instead

    B - if you have an OU for your domain Computers (not the default Computers container) you link the GPO to this OU and then use the same security filtering as in A.

    Jobe done, deal si closed.


    " Never panic before reboot ! "

    • Marked as answer by Gil Kremer Wednesday, April 4, 2012 1:56 PM
    • Edited by Voldar Wednesday, April 4, 2012 1:56 PM
    Wednesday, April 4, 2012 1:46 PM

All replies

  •  
    > Hi, i need to disable UAC via registry for all of the members of
    > a specific security group.
    >
     
    If you place a security group in the security filtering - who is a
    member of this group? The respective computers at least should be members...
     
    sincerely, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    Wednesday, April 4, 2012 12:09 PM
  • the members of the security group are users - not computers..  that's the problem..

    Wednesday, April 4, 2012 12:22 PM
  •  
    > the members of the security group are users - not computers..  that's
    > the problem..
    >
     
    Why is that a problem? Put the computers in and they will apply the
    policy ;-)
     
    What you can NOT achieve (although I believe you'd like to do so) is to
    enable UAC for some users and disable it for other users - UAC is a
    computer setting.
     
    sincerely, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    • Marked as answer by Gil Kremer Wednesday, April 4, 2012 1:57 PM
    Wednesday, April 4, 2012 1:06 PM
  • Hi Martin, thank you for your replies. bare with me just a little bit longer... :)

    I am not trying to achive a situation in which some users's UAC is disabled and some isn't on the same compter.
    in our company each user logs in to his own compter and doesn't change computers.

    it's very simple, like many organizations, we have departnents. say for example R&D. and all of the users in the R&D department are members of a security group called "R&D sec Group". now, what i need is for all of the R&D users - the UAC will be disabled. but only the R&D's.

    how do i achive that?

    Wednesday, April 4, 2012 1:37 PM
  • Hi Gil,

    I'll answer the question for Martin :

    - you should create a group named RD Computers and you should add all the computers from R&D department in it. You create a GPO named Disable UAC and set the sttings as you want. You have now two options :

    A - if in your AD the Computer objects of R&D department are all over the places in different OUs or in the default Computers container, you link the newly created GPO at Domain level and in the Security Filtering you remove the Authenticated Users and add the new Groupe created instead

    B - if you have an OU for your domain Computers (not the default Computers container) you link the GPO to this OU and then use the same security filtering as in A.

    Jobe done, deal si closed.


    " Never panic before reboot ! "

    • Marked as answer by Gil Kremer Wednesday, April 4, 2012 1:56 PM
    • Edited by Voldar Wednesday, April 4, 2012 1:56 PM
    Wednesday, April 4, 2012 1:46 PM
  • Thank you Voldar and Martin. it's clear now: "computer configuration" policies cannot be applied on users but only on computers. right?

    well i guess i have some work to do now.. :)

    Wednesday, April 4, 2012 1:59 PM
  • Thank you Voldar and Martin. it's clear now: "computer configuration" policies cannot be applied on users but only on computers. right?

    well i guess i have some work to do now.. :)

    Right ! GPO has two "targets" :  User configuration level and Computer configuration level.

    BUT, there is an exception : you may think that the password policy is at User configuration level, but NO, it is at the Computer configuration level.


    " Never panic before reboot ! "

    Wednesday, April 4, 2012 2:06 PM
  • Hi Voldar
     
    > I'll answer the question for Martin :
    >
     
    ((-:
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    Thursday, April 5, 2012 7:33 AM