Difference Between UAC and Admin Approval Mode

  • Question

  • What is the function of Admin approval mode (AAM) and UAC? Is there a link between UAC and AAM? Are they interrelated?

    When we turn OFF the AAM, UAC also gets OFF Automatically. Is this an intended behavior?

    Thursday, 28 April 2011 12:57

Answers

  • It's actually written in the explain tab of the policies. But in short, yes it's by design that UAC will get turned off if you disable Admin Approval Mode.

    ===========

    User Account Control: Turn on Admin Approval Mode

    This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.

    The options are:

    • Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.

    • Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.

    ============

    User Account Control: Use Admin Approval Mode for the built-in Administrator account

    This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account.

    The options are:

    • Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.

    • Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege.

    ============

    User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

    This policy setting controls the behavior of the elevation prompt for administrators.

    The options are:

    • Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments.

    • Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.

    • Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.

    • Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.

    • Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.

    • Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.

    Kind regards,

    Stephan Schwarz

    If one of these posts answered your question or issue, please click on "Mark as answer". If a post contained helpful information, please be so kind as to click on the "Vote as helpful" button :)
    Friday, 29 April 2011 12:24
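The three policies quoted in this answer are stored as values under the Policies\System registry key, which is the easiest place to check what a machine actually enforces after a GPO has applied. The script below is an added example, not code from the thread or from Microsoft; it assumes the value names EnableLUA, FilterAdministratorToken and ConsentPromptBehaviorAdmin are the ones the policy editor writes, and it reads only, changing nothing.

```powershell
# Added example, not from the thread. Reads the registry values behind the three UAC
# policies quoted above and reports the effective Admin Approval Mode (AAM) state.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value name -> policy name as shown in the Group Policy editor (assumed mapping).
$policies = [ordered]@{
    EnableLUA                  = 'Turn on Admin Approval Mode (Run all administrators in AAM)'
    FilterAdministratorToken   = 'Use Admin Approval Mode for the built-in Administrator account'
    ConsentPromptBehaviorAdmin = 'Behavior of the elevation prompt for administrators in AAM'
}
# Meaning of ConsentPromptBehaviorAdmin, in the order the policy lists its options.
$adminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

function Get-UacPolicyState {
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    $state = [ordered]@{}
    foreach ($name in $policies.Keys) {
        # An absent value means "Not configured"; Windows then applies the defaults
        # the policy text states: EnableLUA=1, FilterAdministratorToken=0, ConsentPromptBehaviorAdmin=5.
        $state[$name] = if ($null -ne $props.$name) { [int]$props.$name } else { $null }
    }
    [pscustomobject]$state
}

$s = Get-UacPolicyState
foreach ($name in $policies.Keys) {
    $shown = if ($null -eq $s.$name) { 'not set' } else { $s.$name }
    '{0,-27} = {1,-8} {2}' -f $name, $shown, $policies[$name]
}

# The accepted answer's point: EnableLUA=0 disables AAM and with it every other UAC
# setting, so nothing else here matters until it is re-enabled (a restart is required).
if ($s.EnableLUA -eq 0) {
    Write-Warning 'Admin Approval Mode is disabled: UAC is off for this computer regardless of the other values.'
} else {
    $mode = if ($null -eq $s.ConsentPromptBehaviorAdmin) { 5 } else { $s.ConsentPromptBehaviorAdmin }
    'Administrators in AAM: {0}' -f $adminPrompt[$mode]
    if ($mode -eq 0) { Write-Warning 'Elevation is silent; the policy text reserves this for the most constrained environments.' }
    $builtin = if ($s.FilterAdministratorToken -eq 1) { 'yes' } else { 'no (default)' }
    'Built-in Administrator uses AAM: {0}' -f $builtin
}
```

Run it on a machine before and after the GPO applies (and after the required restart) to confirm the setting landed; a value that is "not set" is governed by the default rather than by policy.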

All replies

  • This is from the Technet site (http://technet.microsoft.com/en-us/library/cc772207%28WS.10%29.aspx)
    As for the second part, turning off AAM, I'm not sure.

    What does User Account Control do?

    UAC allows an administrator to enter credentials during a non-administrator's user session to perform occasional administrative tasks without having to switch users, log off, or use the Run as command.

    UAC can also require administrators to specifically approve applications that will make "system-wide" changes before those applications are allowed to run, even in the administrator's user session.

    Who will be interested in this feature?

    Understanding the operation of UAC is important for the following groups:

    • Administrators

    • IT security professionals

    • Developers creating applications for Windows Server 2008 or Windows Vista

    Are there any special considerations?

    At first, users might encounter a larger number of UAC prompts because there are a lot of system-wide changes to make when first configuring the operating system. Over time, however, those kinds of changes become much less frequent.

    While UAC appears in both Windows Server 2008 and Windows Vista, the default configurations differ in the following ways:

    • The Admin Approval Mode (AAM), by default, is not enabled for the Built-in Administrator Account in either Windows Server 2008 or Windows Vista.

    • The Built-in Administrator account is disabled by default in Windows Vista, and the first user account created is placed in the local Administrators group, and AAM is enabled for that account.

    • The Built-in Administrator account is enabled by default in Windows Server 2008. AAM is disabled for this account.

    What new functionality does this feature provide?

    UAC includes several features and security improvements.

    Admin Approval Mode

    Admin Approval Mode (AAM) is a UAC configuration in which a split user access token is created for an administrator. When an administrator logs on to a Windows Server 2008-based computer, the administrator is assigned two separate access tokens. Without AAM, an administrator account receives only one access token, which grants that administrator access to all Windows resources.

    Why is this functionality important?

    AAM helps prevent malicious programs from silently installing without an administrator's knowledge. It also helps protect from inadvertent system-wide changes. Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process.

    What works differently?

    The primary difference between a standard user (a non-administrator) and an administrator in Windows Server 2008 is the level of access the user has over core, protected areas of the computer. Administrators can change system state, turn off the firewall, configure security policy, install a service or a driver that affects every user on the computer, and install software programs for the entire computer. Standard users cannot perform these tasks.

    When AAM is enabled, an administrator receives both a full access token and a second access token, called the filtered access token. During the logon process, authorization and access control components that identify an administrator are removed or disabled, to create the filtered access token. The filtered access token is then used to start Explorer.exe, the process that creates and owns the user's desktop. Because applications normally inherit their access token from the process that starts them, which in this case is Explorer.exe, they all run with the filtered access token as well.

    Don't believe everything you read.
    Wednesday, 20 July 2011 20:06
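The split token described in the quoted TechNet text can be seen directly from a process: the account is a member of Administrators either way, but the filtered token carries that group as deny-only. The script below is an added example, not from the thread or from Microsoft; it assumes whoami.exe is present and that a well-known SID check (S-1-5-32-544 for Administrators, S-1-16-* for the integrity label) is locale-independent.

```powershell
# Added example, not from the thread. Compare what the account is with what the
# running process's token actually carries. Run it from the same administrator
# account twice: in a normal PowerShell window and in one started with
# "Run as administrator". Under AAM the two runs differ; for the built-in
# Administrator with "Use Admin Approval Mode for the built-in Administrator
# account" disabled (the default) both runs show the full token.
$adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-TokenView {
    # whoami /groups lists the groups in the current token with their attributes.
    # CSV without headers (/nh) keeps the parsing independent of the display language;
    # the column names here are our own labels, not whoami's.
    $rows  = whoami /groups /fo csv /nh | ConvertFrom-Csv -Header Name, Type, SID, Attributes
    $admin = $rows | Where-Object { $_.SID -eq $adminSid }
    $label = $rows | Where-Object { $_.SID -like 'S-1-16-*' }

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity

    [pscustomobject]@{
        User                 = $identity.Name
        # IsInRole only honours groups that are enabled in the token. In the filtered
        # token AAM creates, Administrators is present but deny-only, so this is False.
        TokenGrantsAdmin     = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        # Full token: "Enabled group" (and similar); filtered token: "Group used for deny only".
        AdminGroupAttributes = if ($admin) { $admin.Attributes } else { 'not in token' }
        # S-1-16-12288 = High integrity (full token), S-1-16-8192 = Medium (filtered token).
        IntegritySid         = $label.SID
    }
}

Get-TokenView | Format-List
```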
  • once again too much information! If I open User Accounts in the Windows Control Panel there is a link called "Change User Account Control settings". If I click on it there is a slider bar with four positions; by default the slider is set to the third position from the bottom of the bar - "Notify me only when apps try to make changes to my computer (default)". For security reasons it is typically best to leave this slider alone, but if I do I am prompted for authorization every time I try to install an application and when I try to perform some other functions. If the user account that I am using is not the default administrator account but has administrator privileges I am still blocked from performing some tasks. I am working on one now where I am not prompted for an administrator login, I'm just told that I don't have the required authorization and the task that I am performing fails. Since this is a unique work environment it is easier and more expedient to simply turn UAC off by sliding the slider to the very bottom of the bar - "Never notify me when: ...". Again yes I know this is not recommended but I am in a unique environment with an abundance of other safety measures in place. To put it bluntly, it's the way I want it and I would prefer it if you would let me worry about it! Now, I have a few hundred machines that I want to do this to and it would be easier if I could use Active Directory Group Policy (ADGP) to do it. So, the simple question that I have, and I may be mistaken but I suspect it is the question that is being asked here, is - If I open ADGP, activate "User Account Control: Run all administrators in Admin Approval Mode" and set it to disabled will that have the same effect as "moving the slider in UAC all the way to the bottom of the bar"? If I could just get a straightforward, uncomplicated answer once in a while I might not have to make my comments so freaking long!

    tweaton

    Tuesday, 10 May 2016 22:14
  • once again too much information! If I could just get a straightforward, uncomplicated answer once in a while I might not have to make my comments so freaking long!

    tweaton

    This is a TechNet hosted social forum, not a helpdesk. You're not likely to get much assistance with that message tone.
    Monday, 23 May 2016 18:16
  • If I could just get a straightforward, uncomplicated answer once in a while
        Would a maybe work???
    Sunday, 19 June 2016 18:36
  • Excellent information and ability to relay key information in an easily consumable fashion!
    Wednesday, 25 January 2017 8:06