Sunday, January 20, 2008

Disabling UAC

Tonight I'd just like to make some quick comments about people disabling Vista's User Account Control (UAC) feature. If you have been doing any research on Vista you've read people's complaints about UAC and the constant UAC elevation messages.

In an effort to minimize the messages and smooth the computing experience, many people have opted to disable the UAC feature:

Indeed, this may be a valid alternative for home users since home editions of Vista don't support configuration of UAC behaviors such as Admin Approval Mode, Elevation Prompt behavior or application installation behavior (see Microsoft's Windows User Account Control Step-by-Step Guide). But the decision to disable UAC should not be taken lightly - particularly in an enterprise environment.

Everyone must understand that Vista's UAC is much more than a set of prompts that irritatingly pop up at the most inopportune times. UAC is a vital part of Vista's architecture that touches many aspects of the system. When UAC is disabled, other Vista security features such as Registry Virtualization and Protected Mode for IE7 also stop functioning.

Another thing to consider is that Vista really was developed around the UAC functionality. It may not be so easy to anticipate how all of Vista's technologies will behave when UAC is not active. A case in point is the configuration of network printing. Philip Wiffen's Mind Circus blog points out that it's not possible to install a shared network printer when UAC is disabled -- Thankfully he also points us to a Microsoft hotfix to correct this.

My point is, think long and hard before disabling UAC. If it's the prompts that are giving you and your users grief, look into some of the UAC configuration options that can mitigate things a little. I'll provide more information about these in the future (but I've got a few other articles to write first).

No comments: