none
Disable UAC for users

    Question

  • I am new to GPO but I have been asked to disable the setting for all users in the Domain. I think it is a computer setting only but can this be done ?

    Thanks

    Monday, January 25, 2016 12:04 PM

Answers

  • Hi

    There are a bunch of settings in GPO for this. (below)

    BUT none of them DISABLE the UAC.

    the whole security model is based on the removal of admin rights from standard users and adding in a level of security for admin users.

    What do you need to disable UAC for?

    The settings are flexible enough now to be non intrusive.

    I hope that helps.

    Monday, January 25, 2016 1:08 PM
  • > BUT none of them DISABLE the UAC.
     
    Sure? :-) Please check the explanation of "Run all administrators in
    Admin Approval Mode"...
     
    > the whole security model is based on the removal of admin rights from
    > standard users and adding in a level of security for admin users.
     
    UAC is NOT a security feature, it is a convenience feature only. The
    default UAC prompt can easily be faked...
     
    Monday, January 25, 2016 2:29 PM

All replies

  • Hi

    There are a bunch of settings in GPO for this. (below)

    BUT none of them DISABLE the UAC.

    the whole security model is based on the removal of admin rights from standard users and adding in a level of security for admin users.

    What do you need to disable UAC for?

    The settings are flexible enough now to be non intrusive.

    I hope that helps.

    Monday, January 25, 2016 1:08 PM
  • I have been asked to disable the setting [UAC] for all users in the Domain.

    My first answer would be:  Don't.

    Yes, it is possible to configure a machine so that you can do absolutely anything on it without ever seeing a UAC prompt, but in most cases this is not a good idea.  UAC is a vital security mechanism, which I'd always recommend against bypassing.

    There are a few edge cases where it is the correct course of action, which is why Microsoft give you the flexibility, but there's normally a better way.

    If you can post what you're trying to achieve, or what problem you're trying to solve, you may get a better (and more secure) solution.  If it's just an edict from management (i.e. "Turn this Damn thing off"), I'd challenge why they've asked you to do it and highlight the security risk (maybe get this in writing, to protect yourself in case you get overruled, and it causes problems further down the line).

    Monday, January 25, 2016 1:42 PM
  • > BUT none of them DISABLE the UAC.
     
    Sure? :-) Please check the explanation of "Run all administrators in
    Admin Approval Mode"...
     
    > the whole security model is based on the removal of admin rights from
    > standard users and adding in a level of security for admin users.
     
    UAC is NOT a security feature, it is a convenience feature only. The
    default UAC prompt can easily be faked...
     
    Monday, January 25, 2016 2:29 PM