GPO to disable UAC for STANDARD users??

    Question

  • We have a need to disable UAC for standard (non-local admin) users periodically - mainly because we have users that are remote for long periods of time and might need to be able to install something and don't have local admin privileges.  I've created a GPO and applied it via "Delegation" settings in Group Policy Management to a specific security group so that we can move users in and out of the group as needed - when they're gone for a while they'd be added to the group and be able to bypass UAC, when they're done we would remove them from said group.  

    However after just doing some quick testing, it doesn't appear to be working as I was unable to uninstall an application w/o admin privileges.

    Here is what I set in the GPO I created:

    User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode:  Elevate without prompting

    User Account Control: Detect application installations and prompt for elevation:  Disabled

    User Account Control: Run all administrators in Admin Approval Mode:  Disabled

    Also, when I added the security group to the GPO via Delegation, I gave the security group "Read" and "Apply group policy" permissions, is this sufficient?

    What else do I need to do to prevent standard users from needing to provide admin credentials??



    • Edited by zfrawg Thursday, February 09, 2017 2:34 AM
    Thursday, February 09, 2017 2:30 AM

Answers

  • Hi,
     
    On 09.02.2017 at 03:30, zfrawg wrote:
    > We have a need to disable UAC for standard (non-local admin) users
    > periodically - mainly because we have users that are remote for long
    > periods of time and might need to be able to install something and don't
    > have local admin privileges.
     
    Disabling UAC has exactly zero effect on the permission or missing rights
    you need to have to install software.
     
    Software installation is an admin task, because you cannot control
    where the software wants to write its settings or files.
    Sometimes it's only extracting a zip, sometimes it's installing a
    service as well, etc.
     
    UAC only limits the "automatic start" of the installation, but not
    the installation itself.
     
    If you want to have users that are able to install ANY kind of
    software, you need to make them admins.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Privacy and Telemetry on Windows 10 - gp-pack PaT
     
    • Marked as answer by zfrawg Sunday, February 12, 2017 1:51 AM
    Thursday, February 09, 2017 7:18 AM

All replies

  • Hi,
    It seems that the settings are fine, but as the settings are under computer configuration, they will only apply to computers. If you want to apply a computer GPO to users, I would suggest you take a look at Group Policy loopback mode. Group Policy loopback is a computer configuration setting that enables different Group Policy user settings to apply based upon the computer from which logon occurs.
    You could see more details from:
    Circle Back to Loopback
    https://blogs.technet.microsoft.com/askds/2013/02/08/circle-back-to-loopback/
    Windows Server: Understand “User Group Policy Loopback Processing Mode”
    https://social.technet.microsoft.com/wiki/contents/articles/2548.windows-server-understand-user-group-policy-loopback-processing-mode.aspx
    Best regards,
    Wendy


    Thursday, February 09, 2017 7:18 AM
    Moderator
  • > if you want to apply a computer GPO to users, I would suggest you take a look at Group Policy loopback mode
     
    No, loopback is to apply user settings to computers, not vice versa.
     
    In short: There is NO way to apply computer settings based on user group memberships. At the time computer settings are applied, there simply is no user logged on -> no user groups -> no user group specific things.
     
    Thursday, February 09, 2017 10:38 AM
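
An audit sketch for the two points made in the replies above, added here as an example and not posted by anyone in the thread: the UAC policies from the question are machine-wide values under HKLM, and they change how elevation is requested without adding rights to a standard user's token. The registry value names are the standard ones behind these policies and are an assumption, since the thread does not list them; `ConsentPromptBehaviorUser` is included for comparison and was not set in the question's GPO.

```powershell
# Added example (not from the thread): where the UAC policies land and what token you hold.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Policy name -> registry value behind it (assumed standard mapping; all under HKLM).
$policies = [ordered]@{
    'Behavior of the elevation prompt for administrators in Admin Approval Mode' = 'ConsentPromptBehaviorAdmin'
    'Detect application installations and prompt for elevation'                  = 'EnableInstallerDetection'
    'Run all administrators in Admin Approval Mode'                              = 'EnableLUA'
    # Not set in the question's GPO; it governs the prompt standard users see.
    'Behavior of the elevation prompt for standard users'                        = 'ConsentPromptBehaviorUser'
}

# Read the key once; a value that is not configured comes back as $null.
$values = Get-ItemProperty -Path $key -ErrorAction Stop
$report = foreach ($p in $policies.GetEnumerator()) {
    [pscustomobject]@{
        Policy        = $p.Key
        RegistryValue = $p.Value
        Data          = $values.($p.Value)
        Scope         = 'Computer (HKLM): same for every user who logs on'
    }
}
$report | Format-List

# Look for the BUILTIN\Administrators SID in the current token.
# /nh drops the localized header row so the column names below are fixed.
$adminGroup = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, SID, Attributes |
    Where-Object SID -eq 'S-1-5-32-544'

# IsInRole is true only when the Administrators SID is enabled (elevated process).
$identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal  = [Security.Principal.WindowsPrincipal]::new($identity)
$isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if (-not $adminGroup) {
    'Standard user: no Administrators SID in the token. The values above add no rights;'
    'anything that writes to protected locations still needs an administrator account.'
}
elseif ($isElevated) {
    'Administrator, elevated: the Administrators SID is enabled in this process.'
}
else {
    'Administrator, not elevated: Administrators SID is present but filtered (Admin Approval Mode).'
    "Token attributes: $($adminGroup.Attributes)"
}
```

Run it once as a standard user and once as a local administrator on the same machine: the registry section is identical in both runs, and only the token section differs.
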
  • Ok, this is what I needed to know.  
    Sunday, February 12, 2017 1:51 AM