-1

Is it possible to disable UAC when installing software but only for a custom set of users or a group?

Ben N
Abdelhafidh Belalia

1 Answer

0

That's not possible.

Now that's awfully disappointing, isn't it? Let me tell you more. Knowledge!

First up, there's no difference between installation programs and other admin-requiring programs as far as Windows is concerned. The elevation prompt is produced by a setting in the program's manifest, specifically `requestedExecutionLevel`.

The reason programs have to elevate is that important folders, files, and registry keys can only be modified by administrators; unelevated administrators are, for most purposes, normal users. You could try to adjust the ACLs on those objects to allow certain users to write to them, but there are some problems: you would almost certainly miss some (causing bizarre behavior), there would still be some OS functions that legitimately require membership in the Administrators group to use, and you'd have to whack the manifest of setup programs (invalidating their digital signatures) to make them not try to elevate. Sadness all around. Don't do that.

If you let non-administrative users write whatever they want to places intended for admins only, you're opening up a huge security hole. For instance, there's no practical difference between installing programs and modifying programs; a malicious user could adjust commonly-run programs to do bad things, then wait for an admin to run them. You seem to be really interested in the Power Users group, but it's only a small hop from there to administrator. Let's see what this Microsoft KB article has to say about the Power Users group:

> To help prevent this problem, use these methods:
>
>   • Do not use the Power Users group.

UAC works by removing powerful group memberships and privileges from users' logon tokens. Tokens are, in essence, the identity under which a program runs. The Administrators group is always considered a powerful group, as are a handful of others like Backup Operators. The user's own identity (and therefore access controls that specifically refer to the user by name) is preserved.

There is currently no way to disable UAC's behavior for only some users. The built-in Administrator account, however, does by default run with full privileges (i.e. with UAC disabled). Other than that, though, you can't make exceptions in UAC.

Ben N
  • Okay, I got you, but I need to give a specified user the rights to install software without giving him admin access. I have given him read & write privileges in both the C: drive and the registry, but UAC is still asking for the Administrator password. Any advice? – Abdelhafidh Belalia Mar 06 '16 at 21:39
  • @AbdelhafidhBelalia You can't do that. (Well, not without whacking the program's manifest, but that would be a pain.) There's no difference between somebody who can write anywhere and an administrator. If you trust him to read and write anything, you trust him to administer your machine. – Ben N Mar 06 '16 at 21:40
  • That user won't be able to read and write anything, only the necessary places to install software. I think that had been done in previous versions of Windows using the `Power Users` group, but it's not working in the new version. Please read the Power Users part: [link](https://technet.microsoft.com/en-us/library/cc771990.aspx) – Abdelhafidh Belalia Mar 06 '16 at 21:51
  • @AbdelhafidhBelalia And [Power Users were administrators](https://technet.microsoft.com/en-us/magazine/hh824683.aspx). Once you give someone the power to install arbitrary software, they're admin on your machine. – Ben N Mar 06 '16 at 21:52
  • What about that [link](http://superuser.com/questions/879449/how-do-i-allow-a-standard-user-to-install-programs)? And do you know any user group that can install software other than Administrators? – Abdelhafidh Belalia Mar 06 '16 at 21:58
  • @AbdelhafidhBelalia I wouldn't be surprised if Backup Operators could do it, but [they're effectively admins too](http://fleexlab.blogspot.com/2014/12/why-server-operators-and-backup.html) (article on my personal blog). The accepted answer on that question adds the user to the Power Users group, **which is equivalent to Administrator**. How about installing a virtualization program and letting this person do whatever they want inside a VM? – Ben N Mar 06 '16 at 22:02
  • If the user frequently needs to install software, then they should be an administrator. This is what that user type is for. Attempting to hack a custom solution is very unlikely to work, and will harm the stability of the system. – user1751825 Mar 06 '16 at 22:07
  • Well, I think the Power Users group would be okay even if it's similar to Administrators, but surely they are not the same; if they are the same, why have a duplicated group? Does anybody know how to enable the Power Users group for Windows Server 2012 to work like it did in the previous versions of Windows? – Abdelhafidh Belalia Mar 06 '16 at 22:17
  • @AbdelhafidhBelalia If you read the article I linked, you'll find that Power Users was invented for compatibility reasons. It isn't explicitly the same as Administrators, but Power Users can easily become administrators. The Power Users group should not be used anymore. – Ben N Mar 06 '16 at 22:39
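
To illustrate the manifest setting the answer names, here is an added example (not part of the original answer, and not a Microsoft tool) that reads `requestedExecutionLevel` from an executable so an administrator can see in advance which binaries will ask for elevation. It assumes a UTF-8 manifest located by a byte scan rather than by parsing the PE resource table; `SAMPLE_EXE`, `requested_execution_level` and `describe` are hypothetical names, and the sample bytes are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: stand-in bytes for a setup EXE carrying a UTF-8 manifest.
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 32 + b"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>""" + b"\x00" * 16

# Assumption: the manifest is stored as plain UTF-8 text inside the file.
MANIFEST_RE = re.compile(rb"<(?:\w+:)?assembly\b.*?</(?:\w+:)?assembly>", re.DOTALL)

EFFECT = {
    "asInvoker": "runs with the caller's token, no elevation prompt",
    "highestAvailable": "elevates if the user has a split token, otherwise runs as invoker",
    "requireAdministrator": "needs an elevated token; standard users get a credential prompt",
}

def requested_execution_level(pe_bytes):
    """Return (level, uiAccess) from the first parseable manifest, or None."""
    for match in MANIFEST_RE.finditer(pe_bytes):
        blob = match.group(0)
        if b"<!DOCTYPE" in blob or b"<!ENTITY" in blob:
            continue  # do not expand entities from an untrusted file
        try:
            root = ET.fromstring(blob)
        except ET.ParseError:
            continue  # not well-formed XML; keep scanning
        for el in root.iter():
            # trustInfo appears under asm.v2 or asm.v3, so match the local name only
            if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
                return el.get("level", "asInvoker"), el.get("uiAccess", "false")
    return None

def describe(pe_bytes):
    found = requested_execution_level(pe_bytes)
    if found is None:
        return "no requestedExecutionLevel found"
    level, ui_access = found
    return f"{level} (uiAccess={ui_access}): {EFFECT.get(level, 'unrecognized level')}"

if __name__ == "__main__":
    print(describe(SAMPLE_EXE))
```

Reporting the level is read-only; changing it in a signed installer is what the answer warns invalidates the digital signature.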