Saturday 26 April 2008

Vista - Enabling UAC with Credentials for Local Admins when managing Server 2008

The Remote Server Administration Tools for Windows Vista SP1 is available: Validation is required for both downloads. Once they are downloaded, both should be placed on the Technician's Thumb Drive for later installation.

When running the admin tools, we need to be prompted by UAC for credentials so that we can authenticate in the management console as domain admin.

If, however, we are working on a Windows Vista workstation where the user account has local admin privileges, then UAC will only prompt to continue on into the admin consoles.

This will not work for managing servers as that elevation is local admin only.

We need UAC to prompt for credentials every time. To do this we do the following:
  1. Start
  2. GPEdit.msc [Enter]
  3. Navigate to: Local Computer Policy --> Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Security Options:

    • UAC Prompt: Behaviour for admins

  4. Change the default from "Prompt for Consent" to "Prompt for credentials"

    • UAC Behaviour Options

  5. Click Apply and OK
  6. Close the Local Group Policy Editor

One should now be prompted for credentials every time a UAC prompt is presented.

This setting is machine specific, so any users of the machine will need to enter their domain credentials if they are presented with a UAC prompt. Keep this in mind for systems that are used when at the client site for server management.
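
The policy changed in the steps above is stored in the registry as the `ConsentPromptBehaviorAdmin` value. The PowerShell below is an added example, not part of the original post, that reports the current setting so a technician can confirm the workstation will prompt for credentials; the function names are hypothetical.

```powershell
# Added example: audit the UAC elevation prompt configured in the steps above.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin values. Vista defines 0-2 only; Windows 7 and
# later add 3-5 and show options 1 and 2 on the secure desktop.
$Behaviour = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials'
    2 = 'Prompt for consent'
    3 = 'Prompt for credentials (Windows 7 and later)'
    4 = 'Prompt for consent (Windows 7 and later)'
    5 = 'Prompt for consent for non-Windows binaries'
}

# Hypothetical helper name: returns the current state as an object.
function Get-UacAdminPrompt {
    $p   = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $raw = $p.ConsentPromptBehaviorAdmin
    if ($null -eq $raw) {
        $label = 'Not set (operating system default applies)'
    } elseif ($Behaviour.ContainsKey([int]$raw)) {
        $label = $Behaviour[[int]$raw]
    } else {
        $label = "Unknown value $raw"
    }
    New-Object PSObject -Property @{
        UacEnabled            = ($p.EnableLUA -eq 1)   # 0 turns UAC off entirely
        RawValue              = $raw
        Behaviour             = $label
        PromptsForCredentials = (($raw -eq 1) -or ($raw -eq 3))
    }
}

# Hypothetical helper name: writes the value for "Prompt for credentials".
# Writes to HKLM, so it must be run from an elevated shell.
function Set-UacAdminPromptForCredentials {
    New-ItemProperty -Path $PolicyKey -Name ConsentPromptBehaviorAdmin `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

$state = Get-UacAdminPrompt
$state | Format-List UacEnabled, RawValue, Behaviour, PromptsForCredentials
if (-not $state.UacEnabled) {
    Write-Warning 'UAC (EnableLUA) is off: no elevation prompt will appear.'
} elseif (-not $state.PromptsForCredentials) {
    Write-Warning "Admins get '$($state.Behaviour)'; run Set-UacAdminPromptForCredentials."
}
```

A domain Group Policy that configures the same setting overrides this value at the next policy refresh.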

Thanks to Josh's Windows Blog for providing us with the tip: Windows Vista Tip: Run as administrator.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists


2 comments:

stryqx said...

You can still use "runas /user:domain\administrator C:\path\to\snapin.msc" to achieve this without changing UAC.

ShellRunAs is a nice GUI way of doing this, also without requiring changing UAC.

Philip Elder Cluster MVP said...

Chris,

Thanks for the pointers.

I will look into them as an alternative.

Having credentials being requested has not been too much of a hassle yet ... but anything that saves a bit of time is an asset.

Thanks,

Philip