UAC question

  • Thread starter: Toad

Toad

Guest
Does anyone know of a way to control which administrator users appear
in the UAC dialog? It would be nice to have administrator accounts
that cannot be used by a limited user for UAC. Of course, they would
have to know the password for them anyway but the idea is more cosmetic
to just keep the list small in the dialog.

Also, is there a way to select which user in the UAC dialog is the
default chosen one (or the one at the top of the list)?

Another interesting point - create a group called somegroup, create a
user and add it to the somegroup, and add somegroup to the
administrators group. Log in using a different limited user account and
do a run as administrator, the UAC dialog appears saying to enter a
password, but NO accounts are listed (including those directly in the
administrators group) and only the cancel button is available. I was
sort of hoping there was a solution to my first question in that UAC
wouldn't traverse nested groups, but it seems to just break it... :)

Toad


--
 
RE: UAC question

Unfortunately, there is no way to control what shows up in that dialog.
Normally, on a stand-alone computer it enumerates the local admins and shows
them in the dialog.

On a domain-joined computer it does not and requires you to enter the
username and password, but there is no way to control which dialog you get
other than domain-joining the computer.

Your scenario is interesting and appears to break the elevation altogether.
How did you manage to add a local group to another local group? The GUI
definitely won't let you do that. It is only on the command line that you
can, and doing so is unsupported as far as I know.
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/0470101555?ie=UTF8&tag=protectyourwi-20


 
Re: UAC question

Jesper wrote:

> Unfortunately, there is no way to control what shows up in that
> dialog. Normally, on a stand-alone computer it enumerates the local
> admins and shows them in the dialog.
>
> On a domain-joined computer it does not and requires you to enter the
> username and password, but there is no way to control which dialog
> you get other than domain-joining the computer.
>
> Your scenario is interesting and appears to break the elevation
> altogether. How did you manage to add a local group to another local
> group? The GUI definitely won't let you do that. It is only on the
> command line that you can, and doing so is unsupported as far as I
> know.


Thanks, yes did the second part via command line. Of course, this works
better in a domain it seems (groups vs. distribution lists perhaps).
Also, XPSP2 did prevent this group in a group via the net command...

Toad

--
 
Re: UAC question

> > Your scenario is interesting and appears to break the elevation
> > altogether. How did you manage to add a local group to another local
> > group? The GUI definitely won't let you do that. It is only on the
> > command line that you can, and doing so is unsupported as far as I
> > know.


> > > Another interesting point - create a group called somegroup, create
> > > a user and add it to the somegroup, and add somegroup to the
> > > administrators group. Log in using a different limited user account
> > > and do a run as administrator, the UAC dialog appears saying to
> > > enter a password, but NO accounts are listed (including those
> > > directly in the administrators group) and only the cancel button is
> > > available. I was sort of hoping there was a solution to my first
> > > question in that UAC wouldn't traverse nested groups, but it seems
> > > to just break it... :)


I was able to repro this. Yes, that seems like a bug to me. I submitted it
to Microsoft as a Vista SP1 bug. We'll see if they do anything about it.

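An audit check for the configuration discussed in this thread, added here as an example and not posted by any participant: it lists the direct members of the local Administrators group and flags any local group nested inside it, then expands that group's members. It assumes a Windows version that ships the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1), which Vista as released did not; the function name `Get-AdminGroupAudit` is hypothetical.

```powershell
# Added example: audit direct membership of the built-in Administrators group
# and flag nested local groups (the setup reported in this thread).
# Assumes the Microsoft.PowerShell.LocalAccounts module is available.

function Get-AdminGroupAudit {
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators;
    # using the SID avoids depending on the localized group name.
    foreach ($m in Get-LocalGroupMember -SID 'S-1-5-32-544') {
        $user = $null
        $group = $null
        if ($m.PrincipalSource -eq 'Local') {
            # Resolve the SID both ways instead of trusting display strings.
            $user  = Get-LocalUser  -SID $m.SID -ErrorAction SilentlyContinue
            $group = Get-LocalGroup -SID $m.SID -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            Name             = $m.Name
            SID              = $m.SID
            Source           = $m.PrincipalSource
            LocalUserEnabled = if ($user) { $user.Enabled } else { $null }
            NestedLocalGroup = [bool]$group
        }
    }
}

$audit = @(Get-AdminGroupAudit)
$audit | Format-Table Name, Source, LocalUserEnabled, NestedLocalGroup -AutoSize

$nested = @($audit | Where-Object { $_.NestedLocalGroup })
if ($nested.Count -gt 0) {
    Write-Warning ("Local group(s) nested in Administrators: " +
                   ($nested.Name -join ', '))
    foreach ($g in $nested) {
        # Show who gains administrator rights indirectly through the group.
        Get-LocalGroupMember -SID $g.SID |
            Select-Object @{ n = 'ViaGroup'; e = { $g.Name } }, Name, PrincipalSource
    }
} else {
    Write-Output 'No local groups are nested in Administrators.'
}
```

Accounts that reach Administrators only through a nested group do not appear in the first table, which is why the second pass expands each flagged group.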