User Account Control (UAC) is a mechanism in Windows Server 2008, Windows Server 2008 R2, Windows 7, and Windows Vista that provides interactive notification of administrative tasks that may be called by various programs. Microsoft and non-Microsoft applications that are installed on a server will be subject to UAC. The most visible indicator that UAC is in use for a file is the shield ribbon identifier that is put on a shortcut (Figure A).
Windows Server 2008 and Windows 7’s UAC features are good, but I don’t feel they are necessary on server platforms for a general-purpose system. The solution is to implement three values in a Group Policy Object (GPO) that will configure the computer account to not run UAC. These values are located in Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options with the following values:
- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
- User Account Control: Detect application installations and prompt for elevation
- User Account Control: Turn on Admin Approval Mode
These values are set to Elevate Without Prompting, Disabled, and Enabled respectively to turn off UAC for computer accounts. This GPO is shown in Figure B with the values set to the configuration elements.
Click the image to enlarge.
In the example, the GPO is named Filter-GPO-ServerOS to apply a filter by security group of computer accounts. (Read my TechRepublic tip on how to configure a GPO to be applied only to members of a security group.) A good practice would be to apply the GPOs to a security group that contains server computer accounts, and possibly one for select workstation accounts. This value requires a reboot to take effect via Group Policy. Also, the UAC shield icon doesn’t go away, but subsequent access to the application doesn’t prompt for UAC anymore.
I know some server admins are fans or UAC, while others prefer to disable the feature. Do you disable UAC? Share your perspective on this feature.