none
Force UAC on via Group Policy

    Question

  •            I have looked all around but have not really found a solution to this problem. How do I lock UAC on via Group Policy so that no one can change it except via Group Policy and all the settings are greyed out even for administrators? I just want it on the default settings and left alone. If I wanted to do something similar for Windows Firewall or Internet Explorer settings, it seems easy, but UAC seems to be different. Unfortunately I have situations at clients where this setup is necessary and unavoidable.
    Saturday, January 25, 2014 6:36 PM

Answers

  • Hi,

    This can be done via Local Group Policy or via Active Directory-based GPO, which is much more suited for large networks where one would like to disable UAC for many computers at once.

    If using Local Group Policy you'll need to open the Group Policy Editor (Start > Run > gpedit.msc) from your computer.

    If using in AD-based GPO, open Group Policy Management Console (Start > Run > gpmc.msc) from a Vista computer that is a member of the domain. In the GPMC window, browse to the required GPO that is linked to the OU or domain where the Vista computers are located, then edit it.

    1.In the Group Policy Editor window, browse to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

    2.In the right pane scroll to find the User Access Control policies (they're down at the bottom of the window). You need to configure the following policies:

    User Account Control: Behavior of the elevation prompt for……

    User Account Control: Detect application installations and……

    User Account Control: Run all administrators in Admin App……

    3.You'll need to reboot your computers.

    There is a detial Microsoft official website on Configuring UAC via Group Policy

    UAC Group Policy Settings and Registry Key Settings

    http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx

    Hope it helps.

    Regards,

    Blair Deng


    Blair Deng
    TechNet Community Support

    Wednesday, January 29, 2014 1:37 AM
    Moderator

All replies

  • Unless the user accounts are administrator account, every account is subjected to UAC for administrative operations once enabled by an administrator account.

    Balaji Kundalam

    Sunday, January 26, 2014 5:08 PM
  • Hi,

    This can be done via Local Group Policy or via Active Directory-based GPO, which is much more suited for large networks where one would like to disable UAC for many computers at once.

    If using Local Group Policy you'll need to open the Group Policy Editor (Start > Run > gpedit.msc) from your computer.

    If using in AD-based GPO, open Group Policy Management Console (Start > Run > gpmc.msc) from a Vista computer that is a member of the domain. In the GPMC window, browse to the required GPO that is linked to the OU or domain where the Vista computers are located, then edit it.

    1.In the Group Policy Editor window, browse to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

    2.In the right pane scroll to find the User Access Control policies (they're down at the bottom of the window). You need to configure the following policies:

    User Account Control: Behavior of the elevation prompt for……

    User Account Control: Detect application installations and……

    User Account Control: Run all administrators in Admin App……

    3.You'll need to reboot your computers.

    There is a detial Microsoft official website on Configuring UAC via Group Policy

    UAC Group Policy Settings and Registry Key Settings

    http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx

    Hope it helps.

    Regards,

    Blair Deng


    Blair Deng
    TechNet Community Support

    Wednesday, January 29, 2014 1:37 AM
    Moderator