Vista - Prevent Users from Disabling UAC

I have a domain with several Vista boxen with users who are local Admins but not Domain Admins (accomplished using Restricted Groups). I need to ensure that these users do not disable User Account Control on their machines as I am sure they will be tempted to do so. Is there a way I can do this (perhaps through Group Policy)? I found several UAC-related settings and enforced them, but nothing stops them from disabling it entirely. Is there anything I can do besides the obvious choice of not granting them Administrative privileges?

Yes, in the group policy, you can specify to either lockout the UAC controls all together, or Force it to on. Even though they can still disable it when you force it to on, they have to restart their PCs, therefore refeshing the GPO at restart and leaving it on, no matter how many restarts.

FYI... This was all on server 2008 for me, dunno about 2003 and lower, but i'll look.

Hope that helps. (If not, just reply)

Do you know where this policy setting is? I have been looking for a while and I don't see it with the rest of the User Account Control options in Security Options. Where should I be looking?

After I posted that I realized that the UAC was not being controlled by the GPO, but rather by Deepfreeze. Sorry.

I'm going to look into some options, but i do know that one is that you can specify who can open the control panel and what in the control panel they can open. So, your Admins would still have admin control, but they wouldn't be able to SEE the UAC options in the control panel, only domain admins can.

I'm going to look into this, but somehow i have my vista machines configured where some users are admins, but only my domain admin account can enable or disable UAC.

I'll post back hplefully within the next day.

Are your admin's user profiles controlled by Active Directory or are they controlled locally?

You could also try your hand at some scripting as well...

C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f

this is the command to enable UAC. The only way i see this playing out is this...
Have this script run at startup. If your user does go in and disable UAC, it will require a restart anyway, which will force this script to run again.

As a last resort, depending on how much access your want your admins to have, you could go in to the policy for these computers and remove the "User Accounts" option from the control panel.

I think that's what I will do, just disable their access to the user accounts option in the control panel. When doing that, do I put "User Accounts" in the "Deny Access to these Control Panel Items" or the .cpl filename? If the latter, do you know which .cpl corresponds to User Accounts?

Anyway, thanks for all your help. I really appreciate the time you put into this for me.

not sure exactly, never actually done it, just seen it and am contemplating it. If my memory serves me correctly, it will either me a dropdown menu of choices or you can just enter "User Accounts."

Not sure, give it a try.