Windows Server 2008 and Windows 7's UAC features are good, but I don't feel they are necessary on server platforms for a general-purpose system. The solution is to implement three values in a Group Policy Object (GPO) that will configure the computer account to not run UAC. These values are located in Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options with the following values:
- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
- User Account Control: Detect application installations and prompt for elevation
- User Account Control: Turn on Admin Approval Mode
Click the image to enlarge.
In the example, the GPO is named Filter-GPO-ServerOS to apply a filter by security group of computer accounts. (Read my TechRepublic tip on how to configure a GPO to be applied only to members of a security group.) A good practice would be to apply the GPOs to a security group that contains server computer accounts, and possibly one for select workstation accounts. This value requires a reboot to take effect via Group Policy. Also, the UAC shield icon doesn't go away, but subsequent access to the application doesn't prompt for UAC anymore.
I know some server admins are fans or UAC, while others prefer to disable the feature. Do you disable UAC? Share your perspective on this feature.
About Rick Vanover
Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.
Full Bio
Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.
