Tips for Living Peacefully with Vista's UAC

Since first writing about the Save Windows XP campaign, the number of petitioners has grown to over 106,000 names (as of March 27). While the campaign continues, it occurred to me that rather than writing about the pros and cons of XP versus Vista, it might be more advantageous to offer Tips for Windows Vista that will help make life easier. Moreover, perhaps I'll win some over to the "Dark Side" (Vista).

When first Beta testing Windows Vista, right from the start there was one feature I loved and hated equally. That was the User Account Control (UAC); the IT Director in me said, "This was genius." The end-user in me hated being prompted for everything. More importantly, I knew that at home the last thing I wanted was to be asked if I meant to do this or do that. If I clicked on it, that's what I wanted to do. I resented being policed, as it were, by my own computer.

No doubt, many IT professionals and home users felt the same when they first encountered this new "security" feature from Microsoft.

Regardless of how you feel about UAC, it is a base feature of Vista and will probably appear in Windows 7 and beyond, so we must learn to coexist with UAC. There are two options for doing so; the first is to disable UAC altogether. However, even for a home user I would not recommend doing that. The point of UAC is ensuring nothing is added to your system without you being aware.

That brings us to our second option: making UAC more user-friendly. OK, UAC will probably never be user-friendly; however, we can make it tolerable. Here are three tips to help make it easier to live with UAC.

It must be noted that these changes will need an Administrative Account in a Domain environment. It should also be noted that these changes do weaken (but do not completely disable) the UAC security module.

First, try Installing Service Pack 1

With the release of Service Pack 1, one of the items addressed was the number of times UAC prompts the user for permission. For example, UAC would prompt the user for permission four times when renaming or creating a folder in a protected location. This has been reduced to one with SP1 installed.

Overall, there are claims that UAC prompts are lessened with the installation of SP1. However, this is hard to confirm since most people, especially home users, have disabled UAC altogether. Still, any decreases are welcomed, so installing SP1 is certainly the first recommendation.

Log in with a Local Admin Account

If you have one, try using a Local Admin account. This would apply more to the home user, of course.

Nevertheless, there are some situations, such as a small network or areas where less security is needed, where this would be ideal for allowing users more freedom.

I remember when I was first testing Vista for use in my firm; one of the most frustrating things for me was the need for all users to have local admin permissions.

Even with Vista, I could not get away from the Accounting software vendors wanting that local elevated permission to make the software work. Now it has been a year since I left Corporate and moved to writing and training. If my seven years in the Accounting industry taught me anything, the status quo still exists.

Whether you want to or need to, logging into Vista with a Local Admin account can make dealing with UAC much easier than the Standard User account. Who knows, it may even make you start to like Vista: "Give in to your anger! With each passing moment, you make yourself more Bill's servant."

(Sorry, another Star Wars quote. I can't help myself - it seems to lend itself so well to our theme.)

Using a local Admin will make UAC a bit more palatable, but there is another method of making UAC easier to swallow.

Change the Local Security Policy Settings

Windows Vista sets and saves UAC preferences in the Local Security Policy Management Console. To gain access to the Local Security Policy, click on the Start Orb and type secpol.msc in the Search bar. Local Administrative Account access is needed to launch the module and make changes to it.

Once opened you can change the following:

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode - Change the setting to prompt for consent rather than to prompt for credentials. This allows you to still review what is trying to run, but only requires you to either allow or cancel the action.

User Account Control: Only elevate executables that are signed and validated - Setting this to Enabled will only allow elevation to executables that are signed with PKI certificates, which effectively cuts down on the number of prompts you receive, since non-signed executables will be automatically denied access.

User Account Control: Switch to the secure desktop when prompting for elevation - Caution should be used and a determination needs to be made for each environment before making this change. Changing the prompt to the interactive desktop will also cut down on the number of prompts received by the end user.

Now these are only three of ten settings for UAC that can be tweaked according to your needs. Again, remember there are two of these Security settings I would not suggest: disabling the User Account Control altogether, and disabling Admin Approval mode for the Built-in Admin account. These would in effect allow Vista to work like XP, running all executables with full admin permissions.
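
To check where a machine stands after changes like these, the following PowerShell reads the registry values that back the policies discussed above and reports each one's state. It is an added example, not part of the original article: the registry value names do not appear in the article, the function name Get-UacPolicyReport is hypothetical, and the value meanings listed are the Windows Vista ones.

```powershell
# Added example: report the registry values behind the UAC policies named above.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value name, policy name, Vista value meanings, and the states
# the article advises against or urges caution about.
$UacPolicies = @(
    @{ Name = 'EnableLUA'; Policy = 'Run all administrators in Admin Approval Mode'
       Meaning = @{ 0 = 'UAC disabled'; 1 = 'UAC enabled' }
       Note = @{ 0 = 'article advises against' } },
    @{ Name = 'FilterAdministratorToken'; Policy = 'Admin Approval Mode for the Built-in Administrator account'
       Meaning = @{ 0 = 'disabled'; 1 = 'enabled' }
       Note = @{ 0 = 'article advises against' } },
    @{ Name = 'ConsentPromptBehaviorAdmin'; Policy = 'Behavior of the elevation prompt for administrators'
       Meaning = @{ 0 = 'elevate without prompting'; 1 = 'prompt for credentials'; 2 = 'prompt for consent' }
       Note = @{} },
    @{ Name = 'ValidateAdminCodeSignatures'; Policy = 'Only elevate executables that are signed and validated'
       Meaning = @{ 0 = 'disabled'; 1 = 'enabled' }
       Note = @{} },
    @{ Name = 'PromptOnSecureDesktop'; Policy = 'Switch to the secure desktop when prompting for elevation'
       Meaning = @{ 0 = 'prompt on interactive desktop'; 1 = 'prompt on secure desktop' }
       Note = @{ 0 = 'article urges caution' } }
)

function Get-UacPolicyReport {
    param([hashtable]$Values)  # value name -> DWORD; read from the registry if omitted
    if (-not $Values) {
        $props = Get-ItemProperty -Path $UacKey
        $Values = @{}
        foreach ($p in $UacPolicies) { $Values[$p.Name] = $props.($p.Name) }
    }
    foreach ($p in $UacPolicies) {
        $v = $Values[$p.Name]; $note = ''
        if ($null -eq $v) { $state = 'not set' }
        elseif ($p.Meaning.ContainsKey([int]$v)) { $state = $p.Meaning[[int]$v]; $note = $p.Note[[int]$v] }
        else { $state = 'unrecognised value (not a Vista setting)' }
        New-Object PSObject -Property @{ Policy = $p.Policy; Value = $v; State = $state; Note = $note } |
            Select-Object Policy, Value, State, Note
    }
}

# Constructed sample: the state after applying the three changes from this section.
$sample = @{ EnableLUA = 1; FilterAdministratorToken = 1; ConsentPromptBehaviorAdmin = 2
             ValidateAdminCodeSignatures = 1; PromptOnSecureDesktop = 0 }
Get-UacPolicyReport -Values $sample | Format-Table -AutoSize
```

On a real machine, call `Get-UacPolicyReport` with no arguments to read the live values from the registry.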

UAC has been a hard pill to swallow, no doubt. Hopefully future releases, whether they be Service Packs or the new Windows 7, will take this into consideration and give us a happy medium between secured and functional.

Until then I hope these tips will bring you some relief and help others to get the most out of Windows Vista. As I said in my opening, the future of Windows leaves little hope that UAC will go away, but the future of XP is uncertain. Nothing in this world is more certain than change. Until that change is applied to UAC, we need to exist peacefully with menace.

