Disable UAC as oppoed to similar Group Policy?

Hi,

With UAC there's a local option to disable it in CP, but if you look at
local GP, there are different components that make up UAC and you can
control them on a granular basis.

My question is this:

1. If I disable UAC on the local machine, will it automatically set all
local group policies to the disabled state?

2. If I set all UAC group policies to disabled on a domain joined box,
will UAC actually be "Off" at that point (as in #1) or will it still be
"On" but not doing much?

3. If I disable UAC in CP, but set a domain GP to enforce all components
to be enabled, will it then make UAC come back on again?

I'm also interested to know which service/process controls UAC and the
filtered token, which of the above strategies would KILL the filtered
token completely?

--
Gerry Hickman (London UK)

> 1. If I disable UAC on the local machine, will it automatically set all
> local group policies to the disabled state?

No. The UAC checkbox in the users control panel and msconfig simply changes
the group policy setting for admin approval mode for administrators group.
This is the "big daddy" group policy setting that turns everything on or off.
Most of the other settings simply control how UAC behaves when this setting
is enabled.

> 2. If I set all UAC group policies to disabled on a domain joined box,
> will UAC actually be "Off" at that point (as in #1) or will it still be
> "On" but not doing much?

The enable admin approval mode for administrators group group policy entry
turns UAC on or off.

> 3. If I disable UAC in CP, but set a domain GP to enforce all components
> to be enabled, will it then make UAC come back on again?

Sounds about right.

> I'm also interested to know which service/process controls UAC and the
> filtered token, which of the above strategies would KILL the filtered
> token completely?

I think UAC is part of the Windows OS and not an "add on" like a system
service, although I may be wrong on this point.

- JB

Thanks Jimmy,

This is helpful! Especially the "big daddy" clarification

Jimmy Brush wrote:
>> 1. If I disable UAC on the local machine, will it automatically set all
>> local group policies to the disabled state?
>
> No. The UAC checkbox in the users control panel and msconfig simply changes
> the group policy setting for admin approval mode for administrators group.
> This is the "big daddy" group policy setting that turns everything on or off.
> Most of the other settings simply control how UAC behaves when this setting
> is enabled.
>
>> 2. If I set all UAC group policies to disabled on a domain joined box,
>> will UAC actually be "Off" at that point (as in #1) or will it still be
>> "On" but not doing much?
>
> The enable admin approval mode for administrators group group policy entry
> turns UAC on or off.
>
>> 3. If I disable UAC in CP, but set a domain GP to enforce all components
>> to be enabled, will it then make UAC come back on again?
>
> Sounds about right.
>
>> I'm also interested to know which service/process controls UAC and the
>> filtered token, which of the above strategies would KILL the filtered
>> token completely?
>
> I think UAC is part of the Windows OS and not an "add on" like a system
> service, although I may be wrong on this point.
>
> - JB


--
Gerry Hickman (London UK)

components There is a solution for this, a NT Service that keeps the UAC setting
off..

you can find it at 'http://blog.halan.se' (http://tinyurl.com/yplw8w)


--
dannyCage
Posted via http://www.vistaheads.com