User Account Control Step-by-Step Guide

Updated: December 15, 2008

Applies To: Windows Server 2008, Windows Vista

This step-by-step guide provides the instructions necessary to use User Account Control (UAC) in a test environment.

This document is not intended to provide a comprehensive, detailed description of UAC. Additional resources include the following:

  • All users of this step-by-step guide will also be interested in Getting Started with User Account Control on Windows Vista (http://go.microsoft.com/fwlink/?LinkID=102562).

  • For additional information for IT professionals, see Understanding and Configuring User Account Control in Windows Vista (http://go.microsoft.com/fwlink/?LinkId=56402).

  • For information for developers and independent software vendors about how to develop applications for Windows Vista® or Windows Server® 2008, see The Windows Vista and Windows Server 2008 Developer Story: Windows Vista Application Development Requirements for User Account Control (UAC) (http://go.microsoft.com/fwlink/?LinkId=89654).

What is User Account Control?

User Account Control (UAC) is a new security component in Windows Vista. UAC enables users to perform common tasks as non-administrators, called standard users in Windows Vista, and as administrators without having to switch users, log off, or use Run As. A standard user account is synonymous with a user account in Windows XP. User accounts that are members of the local Administrators group will run most applications as a standard user. By separating user and administrator functions while enabling productivity, UAC is an important enhancement for Windows Vista.

Note
UAC is also a component of Windows Server 2008.

When an administrator logs on to a computer running Windows Vista, the user is assigned two separate access tokens. Access tokens, which contain a user's group membership and authorization and access control data, are used by Windows® to control what resources and tasks the user can access. Before Windows Vista, an administrator account received only one access token, which included data to grant the user access to all Windows resources. This access control model did not include any failsafe checks to ensure that users truly wanted to perform a task that required their administrative access token. As a result, malicious software could install on users' computers without notifying the users. (This is sometimes referred to as "silent" installation.)

Even more damaging, because the user is an administrator, the malicious software could use the administrator's access control data to infect core operating system files and, in some instances, to become nearly impossible to remove.

The primary difference between a standard user and an administrator in Windows Vista is the level of access the user has over core, protected areas of the computer. Administrators can change system state, turn off the firewall, configure security policy, install a service or a driver that affects every user on the computer, and install software for the entire computer. Standard users cannot perform these tasks and can only install per-user software.

To help prevent malicious software from silently installing and causing computer-wide infection, Microsoft developed the UAC feature. Unlike previous versions of Windows, when an administrator logs on to a computer running Windows Vista, the user’s full administrator access token is split into two access tokens: a full administrator access token and a standard user access token. During the logon process, authorization and access control components that identify an administrator are removed, resulting in a standard user access token. The standard user access token is then used to start the desktop, the Explorer.exe process. Because all applications inherit their access control data from the initial launch of the desktop, they all run as a standard user as well.

After an administrator logs on, the full administrator access token is not invoked until the user attempts to perform an administrative task.

Contrasting with this process, when a standard user logs on, only a standard user access token is created. This standard user access token is then used to start the desktop.

Important
Because the user experience can be configured with Group Policy, there can be different user experiences, depending on policy settings. The configuration choices made in your environment will affect the prompts and dialog boxes seen by standard users, administrators, or both.

Who should use this guide?

This guide is intended for the following audiences:

  • IT planners and analysts who are evaluating the product

  • Security architects who are responsible for implementing trustworthy computing

  • Administrators who need to control the behavior of UAC

Why use this guide?

The groups listed above should use this guide to test how their line-of-business (LOB) applications run in Windows Vista. Because UAC makes a clear distinction between administrator and standard user processes, some existing LOB applications might need to be either redesigned by the independent software vendor (ISV) or internal tools team, or marked to always run elevated.

In this guide

Requirements for User Account Control

We recommend that you first use the steps provided in this guide in a test environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Vista features without accompanying documentation (as listed in the Additional resources section), and should be used with discretion as a stand-alone document.

Setting up the test lab

The lab configuration needed for testing UAC includes a domain controller running Windows Server 2008 (or Windows Server® 2003), a member server running Windows Server 2008 (or Windows Server 2003), and a client computer running Windows Vista. The domain controller, member server, and the client computer should be on an isolated network and should be connected through a common hub or Layer 2 switch. Private addresses should be used throughout the test configuration.

Key scenarios for User Account Control

This guide covers the following scenarios for UAC:

Note
The three scenarios included in this guide are intended to help administrators become familiar with the UAC feature of Windows Vista. They include the basic information and procedures administrators need to start using UAC. Information and procedures for advanced or customized UAC configurations are not included in this guide.

Scenario 1: Request an application to run elevated one time

In Windows Vista, UAC and its Admin Approval Mode are enabled by default. When UAC is enabled, local administrator accounts run as standard user accounts. This means that when a member of the local Administrators group logs on, they run with their administrative privileges disabled. This is the case until they attempt to run an application or task that has an administrative token. When a member of the local Administrators group attempts to start such an application or task, they are prompted to consent to running the application as elevated. Scenario 1 details the procedure to run an application or task as elevated one time.

Note
To perform the following procedure, you must be logged into a client computer as a member of the local administrators group. You cannot be logged in with the computer (or built-in) administrator account because Admin Approval Mode does not apply to this account. (The built-in administrator account is disabled on new installations of Windows Vista.)

To request an application to run elevated one time
  1. Start an application that is likely to have been assigned an administrative token, such as Microsoft Windows Disk Cleanup. A User Account Control prompt is displayed.

  2. Verify that the details presented match the request you initiated.

  3. In the User Account Control dialog box, click Continue to start the application.

Scenario 2: Configure an application to always run elevated

Scenario 2 is similar to the previous scenario in that you want to run an application or process as elevated with the administrator access token. However, in this scenario you want to run an application that has not been marked by the developer or identified by the operating system as an administrative application. Some applications, such as internal line-of-business applications or non-Microsoft products might require administrative rights but have not been identified as such. In this scenario, you mark an application to prompt user for consent, and if granted, run as an administrative application. The following procedure steps you through that process.

Note
To perform the following procedure, you must be logged into a client computer as a member of the local administrators group. You cannot be logged in with the computer (or built-in) administrator account because Admin Approval Mode does not apply to this account.

Important
This procedure cannot be used to prevent UAC from prompting for consent to run an administrative application.

To configure an application to always run elevated
  1. Right-click an application that is not likely to have been assigned an administrative token, such as a word processing application.

  2. Click Properties, and then select the Compatibility tab.

  3. Under Privilege Level, select Run this program as an administrator, and then click OK.

    Note
    If the Run this program as an administrator option is unavailable, it means that the application is blocked from always running elevated, the application does not require administrative credentials to run, the application is part of the current version of Windows Vista, or you are not logged into the computer as an administrator.

Scenario 3: Configure User Account Control

Scenario 3 outlines some common tasks that local administrators perform during the set up and configuration of client computers running Windows Vista. The following procedures step you through the tasks of turning off UAC, disabling Admin Approval Mode, disabling UAC from prompting for credentials to install applications, and changing the elevation prompt behavior.

Important
Advanced configuration options for UAC are not available in Windows Vista Starter, Windows Vista Home Basic, or Windows Vista Home Premium.

Turning off UAC

Use the following procedure to disable UAC.

To perform the following procedure, you must be able to log on with or provide the credentials of a member of the local Administrators group.

Important
Turning off UAC reduces the security of your computer and may expose you to increased risk from malicious software. We do not recommend leaving UAC disabled.

To turn off UAC
  1. Click Start, and then click Control Panel.

  2. In Control Panel, click User Accounts.

  3. In the User Accounts window, click User Accounts.

  4. In the User Accounts tasks window, click Turn User Account Control on or off.

  5. If UAC is currently configured in Admin Approval Mode, the User Account Control message appears. Click Continue.

  6. Clear the Use User Account Control (UAC) to help protect your computer check box, and then click OK.

  7. Click Restart Now to apply the change right away, or click Restart Later and close the User Accounts tasks window.

Disable Admin Approval Mode

Use the following procedure to disable Admin Approval Mode.

Note
To perform the following procedure, you must be logged into a client computer as a local administrator.

Important
You cannot disable Admin Approval Mode on Windows Vista Starter, Windows Vista Home Basic, or Windows Vista Home Premium because secpol.msc is not included.

To disable Admin Approval Mode
  1. Click Start, click All Programs, click Accessories, click Run, type secpol.msc in the Open box, and then click OK.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. From the Local Security Settings console tree, double-click Local Policies, and then double-click Security Options.

  4. Scroll down and double-click User Account Control: Run all administrators in Admin Approval Mode.

  5. Select the Disabled option, and then click OK.

  6. Close the Local Security Settings window.

Disable User Account Control from prompting for credentials to install applications

Use the following procedure to disable UAC from prompting for credentials to install applications.

Note
To perform the following procedure, you must be logged into a client computer as a local administrator.

Important
This procedure is not supported on Windows Vista Starter, Windows Vista Home Basic, or Windows Vista Home Premium.

To disable UAC from prompting for credentials to install applications
  1. Click Start, click All Programs, click Accessories, click Run, type secpol.msc in the Open text box, and then click OK.

  2. From the Local Security Settings console tree, click Local Policies, and then Security Options.

  3. Scroll down and double-click User Account Control: Detect application installations and prompt for elevation.

  4. Select the Disabled option, and then click OK.

  5. Close the Local Security Settings window.

Change the elevation prompt behavior

Use the following procedures to change the elevation prompt behavior for UAC. You can configure the behavior of the elevation prompt separately for administrators and for standard users.

Note
To perform the following procedures, you must be logged on to a client computer as a local administrator.

Important
To complete the following procedures, you must be running Windows Vista Ultimate, Windows Vista Enterprise, or Windows Vista Business. You cannot complete the following procedures if you are running Windows Vista Starter, Windows Vista Home Basic, or Windows Vista Home Premium because secpol.msc is not included.

To change the elevation prompt behavior for administrators
  1. Click Start, click Accessories, click Run, type secpol.msc in the Open box, and then click OK.

  2. From the Local Security Settings console tree, click Local Policies, and then Security Options.

  3. Scroll down to and double-click User Account Control: Behavior of the elevation prompt for administrators.

  4. From the drop-down menu, select one of the following settings:

    • Elevate without prompting (tasks requesting elevation will automatically run as elevated without prompting the administrator)

    • Prompt for credentials (this setting requires user name and password input before an application or task will run as elevated)

    • Prompt for consent (default setting for administrators)

  5. Click OK.

  6. Close the Local Security Settings window.

To change the elevation prompt behavior for standard users
  1. Click Start, click Accessories, click Run, type secpol.msc in the Open box, and then click OK.

  2. From the Local Security Settings console tree, click Local Policies, and then Security Options.

  3. Scroll down to and double-click User Account Control: Behavior of the elevation prompt for standard users.

  4. From the drop-down menu, select one of the following settings:

    • Automatically deny elevation requests (standard users will not be able to run programs requiring elevation, and will not be prompted)

    • Prompt for credentials (this setting requires user name and password input before an application or task will run as elevated, and is the default for standard users)

  5. Click OK.

  6. Close the Local Security Settings window.
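
After working through the Scenario 3 procedures on a test computer, it is useful to confirm which UAC settings were actually left changed. The following read-only PowerShell check is an added example, not part of the original guide. It assumes that Windows PowerShell is installed and that the four policies are stored as DWORD values under the registry key shown; the registry value names and the function name Get-UacPolicyState do not appear in this guide.

```powershell
# Added example: read-only audit of the UAC settings changed in Scenario 3.
# Assumption: the policies are stored as DWORD values under this key, and the
# labels below are the choices this guide lists for Windows Vista.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# One entry per policy: registry value name, policy name as shown in
# secpol.msc, label for each value, and the default where the guide states one.
$UacPolicies = @(
    @{ Name    = 'EnableLUA'
       Policy  = 'Run all administrators in Admin Approval Mode'
       Labels  = @{ 0 = 'Disabled'; 1 = 'Enabled' }
       Default = 1 },
    @{ Name    = 'ConsentPromptBehaviorAdmin'
       Policy  = 'Behavior of the elevation prompt for administrators'
       Labels  = @{ 0 = 'Elevate without prompting'
                    1 = 'Prompt for credentials'
                    2 = 'Prompt for consent' }
       Default = 2 },
    @{ Name    = 'ConsentPromptBehaviorUser'
       Policy  = 'Behavior of the elevation prompt for standard users'
       Labels  = @{ 0 = 'Automatically deny elevation requests'
                    1 = 'Prompt for credentials' }
       Default = 1 },
    @{ Name    = 'EnableInstallerDetection'
       Policy  = 'Detect application installations and prompt for elevation'
       Labels  = @{ 0 = 'Disabled'; 1 = 'Enabled' }
       Default = $null }   # the guide does not state a default for this one
)

function Get-UacPolicyState {
    param([string]$Key = $UacKey)

    # Fail loudly if the key cannot be read rather than report "not set".
    $props = Get-ItemProperty -Path $Key -ErrorAction Stop

    foreach ($p in $UacPolicies) {
        $name = $p.Name
        $raw  = $props.$name          # $null when the value is absent

        if ($null -eq $raw) {
            $setting = '(value not present)'
            $status  = 'NotSet'
        } else {
            $value = [int]$raw
            if ($p.Labels.ContainsKey($value)) {
                $setting = $p.Labels[$value]
            } else {
                # Later Windows versions define more choices than this guide lists.
                $setting = "Unrecognized value $value"
            }
            if ($null -eq $p.Default)      { $status = 'NoDefaultInGuide' }
            elseif ($value -eq $p.Default) { $status = 'Default' }
            else                           { $status = 'Changed' }
        }

        New-Object PSObject -Property @{
            Policy  = "User Account Control: $($p.Policy)"
            Value   = $raw
            Setting = $setting
            Status  = $status
        } | Select-Object Policy, Value, Setting, Status
    }
}

# Rows marked Changed differ from the defaults named in this guide; review
# them before the test computer is returned to normal use.
Get-UacPolicyState | Format-List
```

The check only reads the registry, so it can be run from a standard user session and makes no change to the UAC configuration.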

Troubleshooting and Support

Since UAC is a feature of Windows Vista, support is available directly from Microsoft and from user communities. For information about support, see http://go.microsoft.com/fwlink/?LinkID=76619.

Additional resources

Community Content

UAC and Admin      krm20 ... streli

I want authorization in networking Vista Home Basic to Microsoft Windows XP

[tfl - 04 05 09] You should post questions like this to the Technet Forums at http://forums.microsoft.com/technet or the MS Newsgroups at http://www.microsoft.com/communities/newsgroups/en-us/. 
You are much more likely to get a quick response using the forums than through the Community Content. For specific help about:
Exchange : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.exchange%2C&
SQL Server : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.sqlserver%2C&
Windows : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.windows%2C&
Windows Server : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.windows.server%2C&
Virtual Server : http://groups.google.com/group/microsoft.public.virtualserver/topics?lnk
Full Public : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public%2C&
IMPROVED?      jwag79 ... Thomas Lee

Every time I try to delete stuff or move a file UAC comes to bother me. I just read an article that says UAC isn't any better since SP1 even though I read that it was improved. See for yourself, here is the news article: http://technet.microsoft.com/en-us/library/cc709618.aspx citing the "noticeable changes". Here's the other: http://variableghz.com/2008/11/why-i-still-avoid-windows-vistas-uac/. Microsoft, when are you going to fix this disaster up?

[tfl 28 11 2008] UAC is much improved in Windows 7.

Insane!      swim_ny ... Thomas Lee
All I can say is "what a friggin nightmare". Stay away from UAC - will lead to you pulling out your hair!
Removing UAC via the Server      netlogicfl ... Will Bayliss
I would like to know if there is a way to remove the UAC from all of the Vista machines on my network at once. I would assume Group Policy would have it but my Windows Server 2003 SBS doesn't have those options in the Group Policy Management Console (GPMC). I can imagine it's in the Windows Server 2008 version, is there any way to use that GPMC instead?

I'm having the same problem: Can't find any reference to UAC through Group Policies anywhere help files or various forums - possibly I'm missing something obvious! I have seen a reference to changing these settings by running GPMC on a domain-connected client, however, so I'll investigate that and post to the forum if I get anywhere. The only other line of approach that occurs to me is to directly edit client registry settings in a policy. Anyone have any better ideas or experience to contribute?
Administrative and User Accounts      tisa ... Thomas Lee

I'm very disappointed; and that's an understatement.

The Vista User and Administration accounts need to be corrected. I'm finding that I cannot even clear out a folder (if it contains sub-folders) without deleting each individual sub-folder first. Vista keeps telling me I don't have administration rights! I own this PC, and if I want full access rights to my system, then I should be able to set it up that way, but I can't. I go to "help", and it tells me to run "secpol.msc", to change administrative rights, but when I attempt to do that, it says the file is not available. Then I learn from this site that you don't include the file in the home version. Why not? Then I go to contact you folks (about a software issue specific to your firm) and I'm told to contact the manufacturer of my PC, because they installed Vista at the factory. (They didn't create this software problem). Or my other option appears to be to pay you folks a fee to contact you to discuss this problem. A problem that shouldn't exist in the first place. The logic I'm reading on your site is that Vista is set-up this way to protect me from "Mal-ware". Well, I'm the customer, and I'm not "Mal-ware", hence I should have full access to my own system, if I so desire. If I'm misunderstanding something about what I need to do to increase my administrative rights, on my own PC, please advise what I'm missing and what I need to change to get full rights to my file system. If I am understanding this correctly, please send me the "secpol.msc" file, or whatever other files/instructions I need to gain full administrative rights to manage my file systems. Please help with this; in my opinion the fact Vista insists on limiting my access rights, to my own PC, is totally unwarranted, and ridiculous. And, no, I'm not willing to pay a fee for you to fix it. This is a brand new OS, and it shouldn't be making the mistake of confusing the customer with "Mal-ware"!!

[tfl - 24 01 09] You should post questions like this to the Technet Forums at http://forums.microsoft.com/technet or the MS Newsgroups at http://www.microsoft.com/communities/newsgroups/en-us/. You are much more likely to get a quick response using the forums than through the Community Content.
For specific help about:
Exchange       :  http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.exchange%2C&
SQL Server     :  http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.sqlserver%2C&
Windows        :  http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.windows%2C&
Windows Server :  http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.windows.server%2C&
Virtual Server :  http://groups.google.com/group/microsoft.public.virtualserver/topics?lnk
Full Public    :  http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public%2C&

And - to 'fix' the problems, go to the root of each volume, and add everyone/full control and propagate that permission to all sub-folders. This is NOT a great idea security wise, but will solve your problem. Vista is trying to help - but UAC is much, much better in Win7.
modify via Registry?      Buz at CCS
What stinks is that secpol.msc isn't provided in Home Premium! What is MS's rationale for this?? I've seen writeups about making changes to UAC to the registry directly, or via NET commands. I also once had to "mount" a registry portion/hive that isn't normally accessible in regedit, where these settings may live. Unfortunately I'd have to search for my notes - Does anybody else know from this?

Disabling UAC is my last choice - Overall I've become quite satisfied with Vista, except that unless you have Business or Ultimate you're a second class citizen!
Circumventing UAC through network?      wei2ali
Funny story, but sadly, it's all true. One of our users once needed to edit an ini-file located in "Program Files" to get an older program working properly, and UAC stopped him dead. In order to get some work done fast, he mapped Vista's system drive to an XP, modified the ini, saved it, and voilà, all's well!

Amazing how we didn't see this coming. Isn't UAC meant to protect the end-users? Why is it looking elsewhere, whistling like nothing's happening while "vital" system files are being modified from over the network? I would imagine that UAC would go berserk if system files are being modified, but no, nothing, nothing happened.

You might argue that it's a firewall issue, we ought to have turned on the firewall, but the argument goes like this: if you design UAC to prevent vital system files being modified, shouldn't UAC do a better job in protecting them, rather than irritate the "you-know-what" out of everybody?

Well done, Microsoft; well done, UAC-team.

Actually I feel sorry for the boys and girls in UAC-team, since they have to try hard to fulfill the wildest fantasies of some brain-dead, ultra-egoed corpheads to make the OS impenetrable. Sadly, UAC is the wrong way to approach that, IMHO.
WHY WONT SIMCITY 4 work for Windows Vista Home Premium???????      Roundeye721
Where do I start... I just bought a new computer from Walmart, an HP Pavilion Slimline. It has 3GB of memory, 300GB of hard drive, I just bought a new 8400 GeForce Graphics Card and a new Power Supply that is 400W. I have talked with Microsoft Tech Support for a total of over 9 Hours.... more time than I have even spent appreciating my new computer, trying to get SIMCITY 4 to work on my computer... and yes this is the newest edition "SIM BOX" which is compatible to Windows Vista. I don't know why I have had to do all the *** I have had to do just to get nowhere, which is where I still stand.... I have spent over 100 dollars on add ons for this 600 dollar computer which I bought primarily just to play SIMCITY 4. I have gone through the compatibility adjustment, the UAC, turning off my firewall, updating my Vista to Service Pack 2, creating a new Administrator account to try and install the game, I have literally installed and uninstalled this game probably 20+ times and still got nowhere!!! I don't know what to do. EA GAMES NEEDS TO MAKE A NEW VERSION OF SIM CITY THAT WILL WORK WITH MICROSOFT 7 FOR SURE..... I wish there was a way to get this game to work, it is my favorite game of all time, I would rather play this than any PS3 game. I have The Sims Life Stories on my computer and it works just fine, but I don't care much for that game, I wanna be able to play SIM CITY 4... please help me with this problem, I can't afford to spend any more money on things I don't need.......
Is there another way to help me out?      Dynasty
I really want to change the UAC setting for a program and I'm using Vista Home Premium. I know that in the above content it said Vista Home Premium does not include secpol.msc, but I want to know if there's another way to make it work. My parents want to use this program that kept on asking for my permission since their account is Standard. However I can't make the account administrator because they don't understand the threat on the internet. Therefore, I really need another way to make this work. I am really not up to buying another PC or another Window at the moment, so SERIOUSLY, DO SOMETHING ABOUT IT MICROSOFT!!!!!!!!!!!!!!!!!!!
© 2009 Microsoft Corporation. All rights reserved.