DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 951016 - Last Review: September 23, 2011 - Revision: 4.0

On This Page

Introduction

User Account Control (UAC) is a new security component of Windows Vista. UAC enables users to perform common day-to-day tasks as non-administrators. These users are called "standard users" in Windows Vista. User accounts that are members of the local Administrators group will run most applications by using the principle of "least privilege." In this scenario, least-privileged users have rights that resemble the rights of a standard user account. However, when a member of the local Administrators group has to perform a task that requires administrator rights, Windows Vista automatically prompts the user for approval.

More information

How UAC remote restrictions work

To better protect those users who are members of the local Administrators group, we implement UAC restrictions on the network. This mechanism helps prevent against "loopback" attacks. This mechanism also helps prevent local malicious software from running remotely with administrative rights.

Local user accounts (Security Account Manager user account)

When a user who is a member of the local administrators group on the target remote computer establishes a remote administrative connection by using the net use * \\remotecomputer\Share$ command, for example, they will not connect as a full administrator. The user has no elevation potential on the remote computer, and the user cannot perform administrative tasks. If the user wants to administer the workstation with a Security Account Manager (SAM) account, the user must interactively log on to the computer that is to be administered with Remote Assistance or Remote Desktop, if these services are available.

Domain user accounts (Active Directory user account)

A user who has a domain user account logs on remotely to a Windows Vista computer. And, the domain user is a member of the Administrators group. In this case, the domain user will run with a full administrator access token on the remote computer, and UAC will not be in effect.

Note This behavior is not different from the behavior in Windows XP.

How to disable UAC remote restrictions

To have us disable UAC remote restrictions for you, go to the “Fix it for me” section. If you would rather disable UAC remote restrictions yourself, go to the “Let me fix it myself” section.

Fix it for me

To work around this problem automatically, click the Fix this problem link. Then click Run in the File Download dialog box, and follow the steps in this wizard.

Fix this problem
Microsoft Fix it 50005


Note this wizard may be in English only; however, the automatic fix also works for other language versions of Windows.

Note If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or to a CD, and then you can run it on the computer that has the problem.

Now go to the "Did this fix the problem?" section.

Let me fix it myself

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows
To disable UAC remote restrictions, follow these steps:
  1. Click Start, click Run, type regedit, and then press ENTER.
  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  3. If the LocalAccountTokenFilterPolicy registry entry does not exist, follow these steps:
    1. On the Edit menu, point to New, and then click DWORD Value.
    2. Type LocalAccountTokenFilterPolicy, and then press ENTER.
  4. Right-click LocalAccountTokenFilterPolicy, and then click Modify.
  5. In the Value data box, type 1, and then click OK.
  6. Exit Registry Editor.
Now go to the "Did this fix the problem?" section.

Did this fix the problem?

Check whether the problem is fixed. If the problem is fixed, you are finished with this article. If the problem is not fixed, you can contact support (http://support.microsoft.com/contactus) .

UAC remote settings

The LocalAccountTokenFilterPolicy registry entry in the registry can have a value of 0 or of 1. These values change the behavior of the registry entry to the behavior that is described in the following table.
Collapse this tableExpand this table
ValueDescription
0 This value builds a filtered token. This is the default value. The administrator credentials are removed.
1This value builds an elevated token.

APPLIES TO
  • Windows Vista Business
  • Windows Vista Enterprise
  • Windows Vista Home Basic
  • Windows Vista Home Premium
  • Windows Vista Ultimate
  • Windows Vista Business 64-bit Edition
  • Windows Vista Enterprise 64-bit Edition
  • Windows Vista Home Basic 64-bit Edition
  • Windows Vista Home Premium 64-bit Edition
  • Windows Vista Ultimate 64-bit Edition
Keywords: 
kbmsifixme kbfixme kbtshoot kbexpertiseinter kbinfo KB951016
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support