User accounts may seem like simple things, but
there’s a lot more to them than meets the eye. For example, you know
that in Windows 7 all standard users must enter administrator
credentials to perform actions such as installing certain programs or
modifying system settings, but did you know that you can disable all
elevation prompts for those users? Did you know that you can disable all
user accounts (except your own, of course)? Did you know that you can
use the built-in Guest account as an easy way to give someone temporary
(and limited) access to your computer? Did you know that it’s possible
to find out who is logged on to another computer on your network?
Preventing Elevation for All Standard Users
You saw earlier that when a standard user attempts a task that requires elevation, he
or she sees a UAC dialog box that requires an administrator password,
and the screen switches to secure desktop mode.
There are two problems with this:
Standard users almost never have the proper credentials to elevate an action.
The
combination of the sudden appearance of the User Account Control dialog
box and the change into secure desktop mode is confusing for many
users, particularly the inexperienced.
These two problems mean
that in most cases it would be better if a standard user didn’t get
prompted to elevate their privileges. Instead, it would be better to
display an Access Denied message and let the user move on from there.
You can use the Local Security Settings snap-in to set this up. Here are the steps to follow:
Note
These steps
require the Local Security Settings snap-in, which is available only
with Windows 7 Professional, Vista Enterprise, and Vista Ultimate. If
you’re not running one of these versions, normally I’d show you how to
modify the Registry to get the same effect. Unfortunately, the policy
value that we tweak here doesn’t have a Registry equivalent for security
reasons.
1. | Select Start, type secpol.msc into the Search box, and then press Enter. The Local Security Policy snap-in appears.
|
2. | Open the Local Policies branch.
|
3. | Click the Security Options branch.
|
4. | Double-click the User Account Control: Behavior of the Elevation Prompt for Standard Users policy.
|
5. | In the list, choose Automatically Deny Elevation Requests, as shown in Figure 1.
|
6. | Click OK to put the new setting into effect.
|
Now
when a standard user attempts something that requires elevated
privileges, he or she just sees a simple dialog box like the one shown
in Figure 2. Windows 7 doesn’t switch into secure desktop mode, and the user just has to click Close to continue.
Note
The dialog box the user
sees varies depending on the program or service that requires
elevation. In each case, however, the user’s only choice is to click a
button (usually labeled either Close or OK).