Windows Server 2008 and Windows 7's UAC features are good, but I don't feel they are necessary on server platforms for a general-purpose system. The solution is to implement three values in a Group Policy Object (GPO) that will configure the computer account to not run UAC. These values are located in Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options with the following values:
- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
- User Account Control: Detect application installations and prompt for elevation
- User Account Control: Turn on Admin Approval Mode
Click the image to enlarge.
In the example, the GPO is named Filter-GPO-ServerOS to apply a filter by security group of computer accounts. (Read my TechRepublic tip on how to configure a GPO to be applied only to members of a security group.) A good practice would be to apply the GPOs to a security group that contains server computer accounts, and possibly one for select workstation accounts. This value requires a reboot to take effect via Group Policy. Also, the UAC shield icon doesn't go away, but subsequent access to the application doesn't prompt for UAC anymore.
I know some server admins are fans or UAC, while others prefer to disable the feature. Do you disable UAC? Share your perspective on this feature.
Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.