UAC question

  • Thread starter Thread starter Toad
  • Start date Start date
T

Toad

Does anyone know of a way to control which administrator users appear
in the UAC dialog ? It would be nice to have administrator accounts
that cannot be used by a limited user for UAC. Of course, they would
have to know the password for them anyway but the idea is more cosmetic
to just keep the list small in the dialog.

Also, is there a way to select which user in the UAC dialog is the
default chosen one (or the one at the top of the list) ?

Another interesting point - create a group called somegroup, create a
user and add it to the somegroup, and add somegroup to the
administrators group. Log in using a different limited user account and
do a run as administrator, the UAC dialog appears saying to enter a
password, but NO accounts are listed (inluding those directly in the
administrators group) and only the cancel button is available. I was
sort of hoping the was a solution to my first question in that UAC
wouln't traverse nested groups, but it seems to just break it... :)

Toad


--
 
Unfortunately, there is no way to control what shows up in that dialog.
Normally, on a stand-alone computer it enumerates the local admins and shows
them in the dialog.

On a domain-joined computer it does not and requires you to enter the
username and password, but there is no way to control which dialog you get
other than domain-joining the computer.

Your scenario is interesting and appears to break the elevation altogether.
How did you manage to add a local group to another local group? The GUI
definitely won't let you do that. It is only on the command line that you
can, and doing so is unsupported as far as I know.
 
Jesper said:
Unfortunately, there is no way to control what shows up in that
dialog. Normally, on a stand-alone computer it enumerates the local
admins and shows them in the dialog.

On a domain-joined computer it does not and requires you to enter the
username and password, but there is no way to control which dialog
you get other than domain-joining the computer.

Your scenario is interesting and appears to break the elevation
altogether. How did you manage to add a local group to another local
group? The GUI definitely won't let you do that. It is only on the
command line that you can, and doing so is unsupported as far as I
know. ---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/0470101555?ie=UTF8&tag=protectyourwi-
20
Click to expand...

Thanks, yes did the second part via command line. Of course, this works
better in a domain it seems (groups vs. distribution lists perhaps).
Also, XPSP2 did prevent this group in a group via the net command...

Toad

--
 
Your scenario is interesting and appears to break the elevation
I were able to repro this. Yes, that seems like a bug to me. I submitted it
to Microsoft as a Vista SP1 bug. We'll see if they do anything about it.
 
Back
Top