How do I change the behavior of User Account Control by using Group Policy?

Applies To: Windows Server 2008 R2

You can use the local User Account Control (UAC) Group Policy settings to change the behavior of UAC for standard users or for local administrators.

Examples of situations where you might want to change the behavior of UAC include the following:

• By default, UAC detects most setup applications automatically and then treats them as applications that require elevation of the user's security context, even if the application is not explicitly marked as a setup application. In a managed environment, where users are not expected to run installation or setup programs, this can create unwanted requests for support when users receive a UAC prompt. Therefore, an administrator can disable the automatic setup detection in UAC or disable the prompts for setup applications entirely.

• Applications normally run with the level of access granted in a standard user access token, even if the applications are started by a user that is a member of the local Administrators group. By default, users logged on as local administrators receive the same UAC prompts as standard users. Local administrators can change when and how they receive a UAC prompt. Local administrators can also change when and how standard users receive a UAC prompt.

Use the following procedure to change the behavior of UAC by using Group Policy.

To perform this procedure, you must be logged on as a local administrator or provide the credentials of a member of the local Administrators group.

To change the behavior of UAC by using Group Policy

1. Click Start, type secpol.msc in the Search programs and files box, and then press ENTER.

2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

3. In the console tree, expand Local Policies, and then click Security Options.

4. In the details pane, scroll down and double-click the Group Policy setting that you want to change. UAC policy settings that a local administrator can modify include:

   • User Account Control: Admin Approval Mode for the built-in Administrator account

   • User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop

   • User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

   • User Account Control: Behavior of the elevation prompt for standard users

   • User Account Control: Detect application installations and prompt for elevation

   • User Account Control: Only elevate executables that are signed and validated

   • User Account Control: Only elevate UIAccess applications that are installed in secure locations

   • User Account Control: Run all administrators in Admin Approval Mode

   • User Account Control: Switch to the secure desktop when prompting for elevation

   • User Account Control: Virtualize file and registry write failures to per-user locations

5. On the Properties page, make your selection, and then click OK.