One of the more common questions I get asked by clients and colleagues is how to use Group Policy to configure UAC settings for Windows clients that mirror the four level presets that are available from within a Windows 7 desktop. While I don’t have the configuration for levels 1 and 2, I do have the settings for 3 and 4, so I thought I’d write this quick blog post for others and myself to reference.
Level 3 UAC
To configure a Windows 7 desktop with level 3 UAC settings as shown in the following screenshot:
Configure the following settings in the Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options:
Policy | Setting |
User Account Control: Admin Approval Mode for the built-in Administrator account | Disabled |
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled |
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent for non-Windows Binaries |
User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials |
User Account Control: Detect application installations and prompt for elevation | Enabled |
User Account Control: Only elevate executables that are signed and validated | Disabled |
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
User Account Control: Run all administrators in Admin Approval Mode | Enabled |
User Account Control: Switch to the secure desktop when prompting for elevation | Disabled |
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
Level 4 UAC
To configure a Windows 7 desktop with level 4 UAC settings as shown in the following screenshot:
Configure the following settings in the Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options:
Policy | Setting |
User Account Control: Admin Approval Mode for the built-in Administrator account | Disabled |
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled |
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent for non-Windows Binaries |
User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials |
User Account Control: Detect application installations and prompt for elevation | Enabled |
User Account Control: Only elevate executables that are signed and validated | Disabled |
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
User Account Control: Run all administrators in Admin Approval Mode | Enabled |
User Account Control: Switch to the secure desktop when prompting for elevation | Enabled |
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
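To confirm that a client actually received these settings after the GPO applied, the following added example (not part of the original post) compares the effective registry values with the two tables above. The registry value names are the documented backing values for these policies under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and do not appear on this page; the `-Level` parameter is a name chosen for this example.

```powershell
# Added example: audit a client's effective UAC policy against the level 3 / level 4
# tables in this post. Run locally on the client, e.g. after gpupdate /force.
param(
    [ValidateSet(3, 4)]
    [int]$Level = 4
)

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# The only setting that differs between the two tables is the secure desktop switch.
$secureDesktop = if ($Level -eq 4) { 1 } else { 0 }

# Policy (as named in the tables), backing registry value, expected DWORD.
$expected = @(
    @{ Policy = 'Admin Approval Mode for the built-in Administrator account'; Name = 'FilterAdministratorToken';    Value = 0 },
    @{ Policy = 'Allow UIAccess applications to prompt without secure desktop'; Name = 'EnableUIADesktopToggle';    Value = 0 },
    @{ Policy = 'Elevation prompt for administrators (consent, non-Windows binaries)'; Name = 'ConsentPromptBehaviorAdmin'; Value = 5 },
    @{ Policy = 'Elevation prompt for standard users (prompt for credentials)'; Name = 'ConsentPromptBehaviorUser'; Value = 3 },
    @{ Policy = 'Detect application installations and prompt for elevation';  Name = 'EnableInstallerDetection';    Value = 1 },
    @{ Policy = 'Only elevate executables that are signed and validated';     Name = 'ValidateAdminCodeSignatures'; Value = 0 },
    @{ Policy = 'Only elevate UIAccess applications in secure locations';     Name = 'EnableSecureUIAPaths';        Value = 1 },
    @{ Policy = 'Run all administrators in Admin Approval Mode';              Name = 'EnableLUA';                   Value = 1 },
    @{ Policy = 'Switch to the secure desktop when prompting for elevation';  Name = 'PromptOnSecureDesktop';       Value = $secureDesktop },
    @{ Policy = 'Virtualize file and registry write failures';                Name = 'EnableVirtualization';        Value = 1 }
)

$current = Get-ItemProperty -Path $key

$results = foreach ($e in $expected) {
    # $actual is $null when the value is absent, which is reported as a mismatch.
    $actual = $current.($e.Name)
    New-Object PSObject -Property @{
        Policy        = $e.Policy
        RegistryValue = $e.Name
        Expected      = $e.Value
        Actual        = $actual
        Match         = ($actual -eq $e.Value)
    }
}

$results | Format-Table Match, RegistryValue, Expected, Actual, Policy -AutoSize

# A non-zero exit code lets a deployment or compliance job flag drifted clients.
$mismatches = @($results | Where-Object { -not $_.Match })
if ($mismatches.Count -gt 0) { exit 1 }
```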
Hope this helps anyone who may be looking for this information.
One Response
Thanks Man!