Security

Disable UAC for Windows Servers through Group Policy

User Account Control is rarely needed for Windows Server systems. Learn how to use Group Policy to disable this feature.
User Account Control (UAC) is a mechanism in Windows Server 2008, Windows Server 2008 R2, Windows 7, and Windows Vista that provides interactive notification of administrative tasks that may be called by various programs. Microsoft and non-Microsoft applications that are installed on a server will be subject to UAC. The most visible indicator that UAC is in use for a file is the shield ribbon identifier that is put on a shortcut (Figure A). Figure A

Windows Server 2008 and Windows 7's UAC features are good, but I don't feel they are necessary on server platforms for a general-purpose system. The solution is to implement three values in a Group Policy Object (GPO) that will configure the computer account to not run UAC. These values are located in Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options with the following values:

  • User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
  • User Account Control: Detect application installations and prompt for elevation
  • User Account Control: Turn on Admin Approval Mode
These values are set to Elevate Without Prompting, Disabled, and Enabled respectively to turn off UAC for computer accounts. This GPO is shown in Figure B with the values set to the configuration elements. Figure B

Click the image to enlarge.

In the example, the GPO is named Filter-GPO-ServerOS to apply a filter by security group of computer accounts. (Read my TechRepublic tip on how to configure a GPO to be applied only to members of a security group.) A good practice would be to apply the GPOs to a security group that contains server computer accounts, and possibly one for select workstation accounts. This value requires a reboot to take effect via Group Policy. Also, the UAC shield icon doesn't go away, but subsequent access to the application doesn't prompt for UAC anymore.

I know some server admins are fans or UAC, while others prefer to disable the feature. Do you disable UAC? Share your perspective on this feature.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

6 comments
SebastienTOURSEL
SebastienTOURSEL

Hey, please note that the option "User Account Control : Run all administrators in Admin Approval Mode" has to be DISABLED and not ENABLED like described. Otherwise, all applications which requires Admin mode, like SQL Management Console will not prompt and will be opened with non admin rights.

pedroshimself
pedroshimself

thanks for the GPO and info :), personally, i will stop the UAC on servers and keep it on clients

pedroshimself
pedroshimself

i did apply all three settings but i still see the popup "You don't currently have permission..." although i am logged in using domain admin account

RonnyJDT
RonnyJDT

Thank you for writing this article. Very direct and to the point. To answer your questions, Yes I am a fan of UAC, but sometimes you need to disable UAC on servers, especially when running shared applications that call other procedures using admin privileges. Thanks again!

Gis Bun
Gis Bun

Maybe leaving UAC is fine as it is to remind you of where you are. As well, once a server is up and running how often are you installing or changing something on it [aside from user accounts and GPs]?

cantthinkof1
cantthinkof1

Well laid out, thanks. I will give it a try.

Editor's Picks