UAC Configuration in Windows 7

Before you start

Objectives: Learn how to configure different aspects of User Account Control (UAC) in Windows 7.

Prerequisites: you have to know what is UAC in Windows.

Key terms: uac, settings, control, account, user, windows, desktop, policies, prompt, secure


User Accounts in Control Panel

To configure UAC settings we can go to Control Panel > User Accounts. Here we will see a “Change User Account Control settings” option that we can use to make changes to the current user account.

User Account

User Account in Control Panel

When we click that option, we will be able to choose when to be notified about changes to our computer. The default setting is to notify us only when programs try to make changes to our computer. In this case UAC will not notify us when we make changes to Windows settings. When the UAC prompt us activated, the Secure Desktop (dimmed desktop) will be displayed for a maximum of 150 seconds. We will not be able to perform any other action until we respond to the prompt. If we don’t respond, the system will automatically deny the request after 150 seconds.

UAC Settings

UAC Settings

We can also choose the “Always notify” option in which we will be notified when programs try to make changes and when we make changes to Windows settings. We can also choose to be notified but without dimming our desktop (without Secured Desktop feature). In this mode we will be able to interact with the computer even when the UAC prompt is active. We can also choose to never notify us. In this case we will be able to do all administrative tasks (if we are a member of the Administrators group) without UAC prompts. Standard users won’t be able to perform actions which require administrative privileges in this mode, as they will be automatically denied.

Group Policy Settings Related to UAC

We can also configure certain UAC settings by using Group Policy. This way we can control UAC settings which will apply to the whole system, to all users. To do that we will enter “gpedit.msc” in Search. This will open Group Policy Editor. In editor we will go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. Here we will scroll down to the policies which name starts with “User Account Control:”.

UAC Policies

UAC Policies

Notice the different UAC Policies. We can configure the behaviour of the elevation prompt for administrators and for standard users. Different settings which we can choose are shown on the pictures below.

Prompt Settings for Administrators

Prompt Settings for Administrators

Prompt Settings for Standard Users

Prompt Settings for Standard Users

We can also control UAC settings for the built in administrator account. By default UAC is disabled for the built-in administrator account, but we can enable it here. To turn UAC off or on we can use the “Run all administrators in Admin Approval Mode”. All other UAC policies are dependent on this option being enabled. The default setting is on. In “Switch to the secure desktop when prompting for elevation” policy we can enable or disable the Secure Desktop feature for the whole system. By using other policies we can also choose to only elevate executable that are signed and validated or that are installed in secure locations. Signed and validated applications use Public Key Interface (PKI) checks. Secure locations in Windows 7 are “C:\Program Files\” and its sub-directories, “C:\Program Files (x86)\” and its sub-directories, and “C:\Windows\system32\r-“.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: