How to prohibit standard users performing administrative tasks having typed administrative passwords?

2

In Windows 10, if a user on a standard account attempts to perform a task that requires administrative privileges, they are asked to type in a password of an administrative account, on behalf of which they may perform this task, provided they type in the password correctly.

Is there any way to prevent this behavior, that is, to prohibit standard users from performing administrative tasks and prevent them from being asked for an administrative password? So that they cannot perform administrative tasks no matter what, as long as they're logged into a standard account?

gaazkam

Posted 2016-12-05T02:43:20.140

Reputation: 583

In Linux, I can prohibit others from using su, so I doubt I'd be unable to do sth similar in Windows... – gaazkam – 2016-12-05T02:44:14.990

3Your regular users shouldn't know the admin passwords. – Journeyman Geek – 2016-12-05T03:17:05.297

@JourneymanGeek You are right of course, but despite that I still think in my special case this what I want to do is justified :) – gaazkam – 2016-12-05T03:37:57.973

There may be some sort of a shell tweak that hides the "Run as administrator" option – timotree – 2016-12-05T04:00:52.787

@timotree Won't help much :( Merely launching many apps (like System COnfiguration) or clicking many options in Control Panel tend to trigger this prompt for admin passwd, not only clicking on Run as administrator – gaazkam – 2016-12-05T04:07:46.510

I would definitely agree with @JourneymanGeek . This is much more of a personnel management or HR issue than it is a Systems Administrator problem. We are always glad to help whenever possible, but the real solution to this problem involves changing the admin passwords and letting standard users know that inappropriate behavior on the Windows systems won't be tolerated. The end-users wouldn't be happy with a Windows 10 machine configured to use kiosk mode.

– Run5k – 2016-12-05T05:46:38.723

1

It's possible on Windows 7 using secpol, see Hide User Account Control prompts for non-administrative users. This will Automatically deny elevation requests. I don't have a copy of Windows 10 to see if this works there as well.

– DavidPostill – 2016-12-05T22:32:14.313

@DavidPostill , I just double-checked and that group policy is available on a Windows 10 Pro machine, also. – Run5k – 2016-12-06T13:57:16.743

@Run5k Thanks. I will add this as an answer. – DavidPostill – 2016-12-06T14:18:03.823

Answers

1

Is there any way to prohibit standard users from performing administrative tasks?

and prevent them from being asked for an administrative password?

Yes this is possible using the Security Policy Editor (secpol).

See the instructions below.

Note:

  • Although the instructions are aimed at Windows 7 that particular group policy is also available on a Windows 10 Pro machine.

Hide User Account Control prompts for non-administrative users

Follow these steps to eliminate UAC prompts for standard users:

  • Click on the start menu, type "secpol.msc" and hit Enter.

  • When the "Local Security Policy" editor ("snap-in") opens, double-click on "Local Policies" -for those affecting this particular machine- and double-click on "Security Options".

  • Scroll down until you see a node labeled "User Account Control: Behavior of the Elevation Prompt for Standard Users" (careful, another policy starts with the same name, but actually affects computer administrators!) Double-click on it and the following dialog will open:

    Customize Windows 7 UAC prompts behavior for standard users

  • The default behavior for standard users, selected in the dropdown menu pictured above, is "Prompt for credentials": whenever elevated privileges are required, they'll need to select an administrator and enter its password in a UAC prompt to proceed with the action.

  • Click on the dropdown, and select the "Automatically deny elevation requests" option instead; click "OK" to apply the new setting: from this point on, standard users won't event get a UAC prompt when they attempt any task that needs administrative permissions.

Note that this setting takes effect immediately, so make sure that you and/or someone else does have the full administrator credentials, which will sooner or later be needed to logon to that computer. While this is a very secure setting, that eliminates possibilities even for those who have admin name and password, it can also become very impractical, especially for advanced "power" users, who'll find their computing experience quite frustrating! Be sure to see how you can also hide usernames and only show blank text boxes on the Windows 7 logon screen for an even safer computer.

Source Prevent standard users from getting the Windows 7 UAC / administrator password prompt

DavidPostill

Posted 2016-12-05T02:43:20.140

Reputation: 118 938

Asked: 2016-12-05T02:43:20.140

Viewed: 123 times

Active: 2016-12-06T14:29:30.373