+1 on keeping UAC on. Disabling AAM is sufficient to remove the annoyances; UAC 
has real benefits.

My opinion concurs with Ben's. Just last week I was working with a vendor who 
claimed that Vista's User Access Control (UAC) needed to be turned off for 
their application to work. This was a VENDOR telling me about 
their product! Yet amazingly I figured out how to make it work with 
UAC... Needless to say, they have since updated their documentation.

Dave

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Wednesday, July 15, 2009 12:30 PM
To: NT System Admin Issues
Subject: Re: UAC--argh...

On Wed, Jul 15, 2009 at 12:41 PM, Miller Bonnie
L.<mille...@mukilteo.wednet.edu> wrote:
> So, I've been trying REALLY hard to just get used to UAC with WS08 ...

  The following is my opinion and analysis.  It differs significantly
from the Microsoft party line.

  Disable admin approval mode (AAM) for all administrators.  Keep UAC enabled.

  AAM is just a lot of smoke and mirrors.  The right way to do things
is to run as a "limited user" except when needed, and have a separate
admin account for admin stuff.  If you do that, you don't need AAM.
Indeed, AAM makes things *worse*, because admins get so used to
clicking dozens of prompts that they'll miss important prompts.

  However, Microsoft created a culture that expects to have admin
rights.  That includes many users, many programmers, many end-user
customers, many of Microsoft's customers, and many ISVs.  Simply
saying "don't run as admin" wasn't working.  I don't think it's likely
that changing OOBE (out-of-box experience) to create separate accounts
would help, either.  People (or software) would just use the admin
account for everything.

  So AAM was created.  AAM is basically an attempt at letting a user
have admin rights but not actually running with admin rights.  The end
result may or may not do anything to help lusers who insist on having
admin rights all the time, but it just gets in the way of IT
professionals who have been using separate admin accounts for years.

  I recommend keeping UAC enabled because it does have other benefits.
 Filesystem and registry virtualization needs UAC to work, and FS&R
virtualization is (in my experience) the *only* actual improvement in
Vista.  UAC also lets Windows prompt for alternate credentials when an
unprivileged user attempts a privileged operation.  Thus an admin can
provide privileged credentials when needed, without a full-blown
separate logon.

  The above is my opinion and analysis.  It differs significantly from
the Microsoft party line.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~



