All-In-One / Mike Meyers’ Guide to Supporting Windows® 7 for CompTIA A+® Certification / Meyers / 176392-9 / Chapter 4

Chapter 4

User Account Control—

From Vista to Windows 7

This chapter ties into what you learned from

n All-In-One:Chapter 16
n Managing and Troubleshooting: Chapter 16
n Meyers’ Guide to 702: Chapter 7

ch04.indd 89 7/18/11 4:02:17 PM

 All-In-One / Mike Meyers’ Guide to Supporting Windows® 7 for CompTIA A+® Certification / Meyers / 176392-9 / Chapter 4 A

Mike Meyers’ Guide to Supporting Windows 7 for CompTIA A+ Certification

90

W hen picking the poster child for the “327 Reasons We Hated Vista” list, I’ll bet
most folks put Vista’s User Account Control (UAC) at the very top. Vista’s UAC
manifested as a pop-up dialog box that seemed to appear every time you tried to do
anything on a Windows Vista system (Figure 4-1).

Figure 4-1 
UAC in action.
Arrgh!

It’s too bad that UAC got such a bad rap. Not only is UAC an important security
update, but it is also a common feature in both Mac OS and Linux/Unix. Figure 4-2
shows the equivalent feature on a Mac.

Figure 4-2 
UAC equivalent
on a Mac

If every other major operating system uses something like UAC, why was Microsoft
slammed so hard when they unveiled UAC in Windows Vista? The reason is simple:
Windows users are spoiled rotten, and, until UAC came along, the vast majority of users
had no idea how risky their computing behavior was.
The problem started years ago when Microsoft created the powerful NT file system
(NTFS). NTFS uses robust user accounts and enables fine control over how users access
files and folders—but at a cost: NTFS in its pure form is somewhat complicated. To share
a folder, you need to make sure the person accessing that folder has a user account and
that you’ve configured the NTFS permissions to give that user the permissions needed
to do whatever he or she wants to do (Figure 4-3).

ch04.indd 90 7/18/11 4:02:17 PM

 All-In-One / Mike Meyers’ Guide to Supporting Windows® 7 for CompTIA A+® Certification / Meyers / 176392-9 / Chapter 4

Chapter 4:  User Account Control—From Vista to Windows 7

91

Figure 4-3 
Typically
confusing settings
for NTFS
permissions

User accounts have always been a bit of a challenge. The only account that can truly
do anything on a Windows system is the Administrator. Sure, you can configure a system
with groups and assign NTFS permissions to those groups—and this is commonly done
on large networks with a full-time IT staff—but what about small offices and home net-
works? These users almost never have the skill sets to deal with the complexities of users
and groups, which often results in systems where the user accounts are all assigned
Administrator privileges by default—and that’s when it gets dangerous (Figure 4-4).
This chapter discusses the importance of User Account Control and examines the
changes made to it for Windows 7. I’ll also explain how to configure UAC to your
desired security level.

ch04.indd 91 7/18/11 4:02:17 PM

 All-In-One / Mike Meyers’ Guide to Supporting Windows® 7 for CompTIA A+® Certification / Meyers / 176392-9 / Chapter 4 A

Mike Meyers’ Guide to Supporting Windows 7 for CompTIA A+ Certification

92

Figure 4-4  The danger of Administrator privileges in the wrong hands!

UAC in Windows Vista

User Account Control enables users to know when they are about to do something
that has serious consequences. The Microsoft TechNet library (“Understanding and
Configuring User Account Control in Windows Vista”) provides examples of common
actions that require Administrator privileges:

l Installing and uninstalling applications

l Installing a driver for a device (e.g., a digital camera driver)
l Installing Windows Updates
l Configuring Parental Controls
l Installing an ActiveX control
l Adjusting Windows Firewall settings

ch04.indd 92 7/18/11 4:02:17 PM

 All-In-One / Mike Meyers’ Guide to Supporting Windows® 7 for CompTIA A+® Certification / Meyers / 176392-9 / Chapter 4

Chapter 4:  User Account Control—From Vista to Windows 7

93
l Changing a user’s account type
l Modifying UAC settings in the Security Policy Editor snap-in (SECPOL.MSC)
l Configuring Remote Desktop access
l Adding or removing a user account
l Coping or moving files into the Program Files or Windows directory
l Scheduling Automated Tasks
l Restoring system backed-up files
l Configuring Automatic Updates
l Browsing to another user’s directory

Before Vista, Microsoft invented the idea of the Power Users group to give users
almost all of the power of an Administrator account (to handle most of the situations
just described) without actually giving users the full power of the account. Assigning a
user to the Power Users group still required someone who knew how to do this, how-
ever, so most folks at the small office/home level simply ignored the Power Users group
(Figure 4-5).

Figure 4-5  Power Users group—almost never used at the small office/home level

ch04.indd 93 7/18/11 4:02:17 PM

 All-In-One / Mike Meyers’ Guide to Supporting Windows® 7 for CompTIA A+® Certification / Meyers / 176392-9 / Chapter 4 A

Mike Meyers’ Guide to Supporting Windows 7 for CompTIA A+ Certification

94
In Windows XP, Microsoft caved into the idea of making everyone an Administrator.
Whenever you made a new account via the User Accounts Control Panel applet
(Figure 4-6), you had a choice between Administrator (default) and Limited (User)
accounts.

Figure 4-6  Creating a new user in XP

Clearly, Microsoft needed a better method to prevent people from running programs
that they should not run. If users have the correct privileges, however—or the ability to
“escalate” their privileges to that of an Administrator—then they should be able to do
what they need to do as simply as possible. Microsoft needed to make the following
changes:

l The idea of using an Administrator account for daily use needed to go away.
l Any level of account should be able to do anything as easily as possible.
l If a regular account wants to do something that requires Administrator privi-
leges, the user of the regular account will need to enter the Administrator
password.
l If a user with Administrator privileges wants to run something that requires
Administrator privileges, the user will not have to reenter his or her password,

ch04.indd 94 7/18/11 4:02:17 PM

 All-In-One / Mike Meyers’ Guide to Supporting Windows® 7 for CompTIA A+® Certification / Meyers / 176392-9 / Chapter 4

Chapter 4:  User Account Control—From Vista to Windows 7

95
but the user will have to respond to an “Are you sure?”-type dialog so he or she
appreciates the gravity of the action—thus, the infamous UAC dialog box.

UAC was just one part of an overall strategy to limit the number of Administrator
accounts on a system. The introduction of UAC coincided with two major changes in the
way new accounts were created. First, you only created an Administrator account dur-
ing the Windows installation process (normally). Windows disabled the Administrator
account by default. (You could also add regular users during the installation process.)
Second, all other accounts were plain, Standard user accounts by default (Figure 4-7),
simplifying your choices. You could still use the old Windows NT/2000/XP groups
(Power Users, Users, Guests, etc.), but you needed to dig deep into the User Accounts
Control Panel applet to access them.

Note  All references to Control Panel applets in Windows Vista assume you
are using Classic View.

Figure 4-7  Creating a Standard user in Vista

ch04.indd 95 7/18/11 4:02:18 PM

 All-In-One / Mike Meyers’ Guide to Supporting Windows® 7 for CompTIA A+® Certification / Meyers / 176392-9 / Chapter 4 A

Mike Meyers’ Guide to Supporting Windows 7 for CompTIA A+ Certification

96
How UAC Works
UAC works for both Standard user accounts and Administrator accounts. If a Standard
user attempts to do something that requires Administrator privileges, he or she sees a
UAC dialog box that prompts for the Administrator password (Figure 4-8).

Figure 4-8 
Prompting for a
password in Vista

If a user with Administrator privileges attempts to do something that requires

Administrator privileges, a simpler UAC dialog box appears, like the one shown in
Figure 4-9.

Figure 4-9 
Classic UAC
prompt

Tech Tip  The official name for the UAC dialog box is the “UAC consent
prompt.” When the UAC consent prompt appears in Vista, the rest of the
Desktop darkens and you cannot take any other action until you respond to
the consent prompt.

ch04.indd 96 7/18/11 4:02:19 PM

 All-In-One / Mike Meyers’ Guide to Supporting Windows® 7 for CompTIA A+® Certification / Meyers / 176392-9 / Chapter 4

Chapter 4:  User Account Control—From Vista to Windows 7

97
Interestingly, Vista has not one but four different UAC prompts, depending on the
program/feature you wish to run:

UAC Classification Type of Program

Blocked program A program that has been blocked by a security policy
Unverified An unknown third-party program
Verified A digitally signed, third-party program or noncore OS program
Published by Vista A program that is a core part of the operating system

Blocked programs generate a scary-looking, red-bannered dialog like the one shown
in Figure 4-10. Note the only button you can click is Close.

Figure 4-10 
Blocked program

Unverified programs lack any form of certificate to validate. In this case, you get a
yellow-bannered dialog box warning you the application is unsigned and giving you
two options: allow the program to run (Yes) or not (No). See Figure 4-11 for an exam-
ple of this.

Figure 4-11 
Unverified
program

ch04.indd 97 7/18/11 4:02:19 PM

 All-In-One / Mike Meyers’ Guide to Supporting Windows® 7 for CompTIA A+® Certification / Meyers / 176392-9 / Chapter 4 A

Mike Meyers’ Guide to Supporting Windows 7 for CompTIA A+ Certification

98
Verified programs aren’t part of the core of Vista and are usually written by third-
parties. These programs do have valid, verified certificates. You can identify the dialog
box by its gray-blue banner (Figure 4-12).

Figure 4-12 
Verified program

Published by Vista programs are written as part of the core of Vista and show up with
a teal-bannered dialog (Figure 4-13).

Figure 4-13 
Published by Vista

UAC uses small shield icons to warn you ahead of time that it will prompt you
before certain tasks, as shown in Figure 4-14. Microsoft updated this somewhat redun-
dant feature in Windows 7, as you’ll soon see.
UAC gives users running a program an opportunity to consider their actions before
they move forward. It’s a good thing, but spoiled Windows users aren’t accustomed to
something that makes them consider their actions. As a result, one of the first things
everyone learned to do when Vista came out was how to turn off UAC.

ch04.indd 98 7/18/11 4:02:19 PM

 All-In-One / Mike Meyers’ Guide to Supporting Windows® 7 for CompTIA A+® Certification / Meyers / 176392-9 / Chapter 4

Chapter 4:  User Account Control—From Vista to Windows 7

99

Figure 4-14  Shield icons in the Control Panel

How to Turn Off UAC

You can turn off UAC in a number of ways in Windows Vista. Here are the two most
common ways:

1. In the User Accounts Control Panel applet, you’ll see an option to Turn User
Account Control on or off (Figure 4-15). Select this option and uncheck the
checkbox to turn UAC off. Check the checkbox to turn it on again.

Figure 4-15  Turn User Account Control on or off

ch04.indd 99 7/18/11 4:02:19 PM

 All-In-One / Mike Meyers’ Guide to Supporting Windows® 7 for CompTIA A+® Certification / Meyers / 176392-9 / Chapter 4 A

Mike Meyers’ Guide to Supporting Windows 7 for CompTIA A+ Certification

100
2. Open up the System Configuration utility (MSCONFIG) and select Disable UAC,
as shown in Figure 4-16. You’ll have to reboot for the changes to take effect.
Note you can also turn on UAC from the System Configuration utility.

Figure 4-16  Disabling UAC in the System Configuration utility

UAC in Windows Vista worked well, but it startled users. Suddenly, users had to deal
with UAC, and they didn’t like that. Most users simply turned UAC off and added it to
the reasons to not like Windows Vista.

UAC in Windows 7
Microsoft may be a huge company, but it still knows how to react when its customers
speak out about features they don’t like. Windows 7 unveiled a more refined, less “in-
your-face” UAC that makes the feature much easier to use.

Note  All references to Control Panel applets in Windows 7 assume you are
using the Small Icon view.

Microsoft changed UAC with Windows 7, enabling you to adjust the consent form
appearance to four different personal preference levels.

ch04.indd 100 7/18/11 4:02:19 PM

 All-In-One / Mike Meyers’ Guide to Supporting Windows® 7 for CompTIA A+® Certification / Meyers / 176392-9 / Chapter 4

Chapter 4:  User Account Control—From Vista to Windows 7

101
A More Granular UAC
Microsoft did some research on why UAC drove users nuts, concluding that the prob-
lem wasn’t UAC itself but the “I’m constantly in your face or you can turn me off and
you get no help at all” aspect. To make UAC less aggressive, Microsoft introduced four
UAC levels. To see these levels, go to the User Accounts applet and select Change User
Account Control settings, as shown in Figure 4-17. When you select this option, you see
the dialog in Figure 4-18.

Figure 4-17  Change User Account Control settings

In Figure 4-18, you can see a slider with four levels. The top level (Always notify)
means you want UAC to work exactly as it does in Vista, displaying the aggressive con-
sent form every time you do anything that typically requires Administrator access. The
bottom option (Never notify) turns off UAC. The two levels in the middle are new and
are very similar. Both of them do the following:

l Do not notify me when I make changes.

l Notify me only when programs try to makes changes.

The only difference is in how they show the change. The second-from-top level will
display the typical consent form, but only when programs try to make changes. The
third-from-top level displays a consent form, but where the normal consent form dims
your Desktop and doesn’t allow you to do anything but address the form, this consent
form just pops up like a normal dialog box.

Exam Tip  Make sure you know what each of the four UAC levels does.

ch04.indd 101 7/18/11 4:02:20 PM

 All-In-One / Mike Meyers’ Guide to Supporting Windows® 7 for CompTIA A+® Certification / Meyers / 176392-9 / Chapter 4 A

Mike Meyers’ Guide to Supporting Windows 7 for CompTIA A+ Certification

102

Figure 4-18  Four levels of UAC

Program Changes vs. Changes I Make

So what’s the difference between a program making a change and you making a change?
Take a look at Figure 4-19. In this case, Windows 7 is set to the second-from-top option.
A program (the very safe and, judging by the color of the banner, verified) Adobe
Download Manager is attempting to install a feature into Internet Explorer. Because
this is a program trying to make changes, the UAC consent form appears and darkens
the Desktop.

Figure 4-19 
Darkened UAC

ch04.indd 102 7/18/11 4:02:20 PM

 All-In-One / Mike Meyers’ Guide to Supporting Windows® 7 for CompTIA A+® Certification / Meyers / 176392-9 / Chapter 4

Chapter 4:  User Account Control—From Vista to Windows 7

103
If you lower the UAC to the third-from-top option, you still see a consent form, but
now it acts like a typical dialog (Figure 4-20).

Figure 4-20 
Non-darkened
UAC

Exam Tip  The default behavior for UAC in Windows 7 is the second-from-
top option, which results in a screen similar to Figure 4-19.

A program such as the Adobe program described earlier is very different from a feature
you want to change. Notice the shields, as shown earlier in Figure 4-17.
Each of these options isn’t a program—each is merely a feature built into Windows.
Those shields tell you that clicking the feature next to a shield will require Administrator
privileges. If you were to pick the Vista-strength UAC option, you’d get a UAC consent
prompt when you click one of those features. If you set UAC to any of the three lower
settings, however, you’d go straight to that feature without any form of UAC consent
prompt. Of course, this isn’t true if you don’t have Administrator privileges. If you’re a
Standard user, you’ll still be prompted for a password, just as in Vista.
Overall, the improvements to UAC in Windows 7 show that it has a place on every-
one’s computer. UAC might cause an occasional surprise or irritation, but that one more
“Are you sure?” could mean the difference between safe and unsafe computing. So go
ahead, turn UAC back on in Windows 7! UAC is well worth the small inconvenience.

Chapter Review
Questions
1. Which file system uses permissions to secure files and folders?
a. FAT16
b. FAT32
c. UAC
d. NTFS

ch04.indd 103 7/18/11 4:02:20 PM

 All-In-One / Mike Meyers’ Guide to Supporting Windows® 7 for CompTIA A+® Certification / Meyers / 176392-9 / Chapter 4 A

Mike Meyers’ Guide to Supporting Windows 7 for CompTIA A+ Certification

104
2. In Windows XP, what was the default account type?
a. Administrator
b. Power User
c. Limited User
d. Guest
3. What are some of the purposes of UAC? (Select two.)
a. To alert users who are about to do something that has serious consequences
b. To secure files and folders from other users
c. To give Standard users more power without needing to make them
Administrators
d. To replace Windows Defender
4. Which of the following UAC levels are available in Windows Vista?
a. Always on; Unverified programs only, Off
b. On, Off
c. Always on, Notify when I make changes, Notify when programs make
changes, Off
d. None; UAC was not implemented until Windows 7.
5. Besides Control Panel, which utility is used to turn UAC on and off?
a. System Configuration utility (MSCONFIG)
b. Windows IP Configuration utility (IPCONFIG)
c. System Information utility (MSINFO32)
d. Microsoft Security Essentials utility (MSASCUI)
6. In Windows 7, how do the two middle UAC levels differ?
a. One creates a prompt for verified programs; the other creates a prompt for
unverified programs.
b. One uses a consent prompt that blocks all other actions; the other uses a
consent prompt that does not block other actions.
c. One creates a prompt that requires a password; the other creates a prompt
that does not require a password.
d. One uses a prompt for Standard users only; the other uses a prompt for all
users.

ch04.indd 104 7/18/11 4:02:20 PM

 All-In-One / Mike Meyers’ Guide to Supporting Windows® 7 for CompTIA A+® Certification / Meyers / 176392-9 / Chapter 4

Chapter 4:  User Account Control—From Vista to Windows 7

105
7. Windows uses which symbol to signify an action that requires Administrator
privileges?
a. Arrow
b. Window
c. Compass
d. Shield
8. Which of the following are actions that require Administrative privileges?
(Select two.)
a. Installing applications
b. Adjusting any settings in Control Panel
c. Scheduling Automated Tasks
d. Downloading files from the Internet
9. What is a Blocked program?
a. A program that has been uninstalled
b. A program that requires an Administrator password
c. A program that has been blocked by a security policy
d. A program that is incompatible with Windows
10. In Windows 7, what is the only time that an Administrator account is the
default option when creating new user accounts?
a. During the Windows 7 installation
b. When logged in as an Administrator
c. When logged in as a Standard user
d. When UAC is turned to the Always on setting

Review Answers
1. D. NTFS is a file system that uses permissions to secure files and folders.
2. A. In Windows XP, the default account type was Administrator.
3. A, C. UAC is intended to both warn users that their actions might have serious
consequences and give more power to Standard users without needing to make
them Administrators.
4. B. In Windows Vista, you can turn UAC on or off.
5. A. You can use MSCONFIG to turn UAC on and off.
6. B. One level creates a prompt that darkens the screen and blocks other actions,
whereas the other uses a normal dialog that does not block any actions.

ch04.indd 105 7/18/11 4:02:20 PM

 All-In-One / Mike Meyers’ Guide to Supporting Windows® 7 for CompTIA A+® Certification / Meyers / 176392-9 / Chapter 4

Mike Meyers’ Guide to Supporting Windows 7 for CompTIA A+ Certification

106
7. D. A shield is used to designate any actions that require Administrator
privileges.
8. A, C. You need to be an Administrator to install applications and schedule
Automated Tasks.
9. C. A Blocked program is a program that has been blocked by a security policy.
10. A. The only time that the default account type is an Administrator account is
during installation.

ch04.indd 106 7/18/11 4:02:20 PM