On Windows 7 can one make UAC on an admin account prompt for the password, just like a limited account?

I am one of the very few who likes the security of UAC and so I have the UAC set to "Always Notify" on my Admin account. But I would be even happier if the system would prompt me for a password, when notifying me.

I can get what I want by adding a second non-admin user and using that account.

But somehow it seems wasteful to have two accounts set up when I will always use the non-admin account day-to-day.

So I am wondering if there is any setting that would cause an Admin account to behave password-prompting-wise as a standard account?

Bill Rodman

Posted 2010-01-04T23:23:44.057

Reputation: 712

2Why do you want to have to type your password in? It's not more secure - applications can't interface with the UAC dialogues. – Phoshi – 2010-01-04T23:26:42.290

3Too easy to just hit OK. Entering a password adds a few moments of sober second thought. – Bill Rodman – 2010-01-04T23:53:46.963

Answers

I love UAC as well! (Well, love maybe to strong... I wish a few things were different, but I like it a lot!)

Anyway, to do what you want, simply launch Local Group Policy Editor (Run > gpedit.msc) and expand Local Computer Policy > Windows Settings > Security Settings > Local Policies > Security Options Scroll to the bottom of the content window and look for User Account Control: Behavior of the elevation prompt for administrator in Admin Approval Mode and change it from Prompt for consent to Prompt for credentials or whatever settings you want.

alt text

There are a bunch of other UAC related options, Take a look - you may find something else you want to change!

William Hilsum

Posted 2010-01-04T23:23:44.057

Reputation: 111 572

@WilliamHilsum any luck with doing this on Home Editions? I really want to get this to work! Thanks in advance! – EGHDK – 2014-07-21T15:53:23.813

GodMode (what's next?) is another way to open the group policy editor (and a LOT more): create a new folder (e.g. on the desktop) and name it as follows: GodMode.{ED7BA470-8E54-465E-825C-99712043E01C} – None – 2010-01-04T23:41:56.033

3@Molly - It's not God Mode!... You can write ANYTHING, it is a GUID shortcut to all the tool tips from control panel. – William Hilsum – 2010-01-05T00:02:19.830

I am running Windows 7 Home Premium. Do I have a group policy editor? Can't seem to find it. By the way, GodMode is mega-cool! – Bill Rodman – 2010-01-05T00:08:54.730

i know, Wil, you can name it anything you want (before the dot), but GodMode sounds funny :) – None – 2010-01-05T00:17:39.193

@ Bill: the Local Group Policy editor (gpedit.msc) is not available in the Windows 7 Home Premium – None – 2010-01-05T00:20:23.480

@Bill: what you can try: exctract the file INSTALL.WIM from the Windows 7 DVD with Universal Extractor, if you find GPEDIT.MSC, copy the file to Windows\System32. – None – 2010-01-05T00:36:09.230

@Bill, try going in to control panel > administration tools > local security policy... then it should be in a similar path but start at security settings.... gpedit.msc basically takes a few things from a few places and makes it easier in one place. – William Hilsum – 2010-01-05T01:08:59.293

1@Wil: No "local security policy" either. @Molly: Tried your suggestion, with no luck. I was thinking of upgrading to "Professional", anyway, so this may be another reason to do it. I hate products with multiple tiers: huge support issues. Thanks for all your help. – Bill Rodman – 2010-01-05T12:58:31.307

@Bill - in all honestly, I have only used XP, Vista and 7 in the professional, enterprise or ultimate editions... I can usually support the others as they are so similar but I had no idea that this feature was not on the others. Please check back soon (really busy at the moment) and I will try to install home premium inside a VM and see if I can recommend anything. – William Hilsum – 2010-01-05T14:43:08.063

2You don't need the group policy editor to change this. It's a registry setting which you can change manually.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] "ConsentPromptBehaviorAdmin"=dword:00000001 – nhinkle – 2010-01-10T21:40:23.457

If you don't have Vista or Windows 7 Professional then, as others have noted, you won't have secpol.msc and so there is no interface for adjusting the relevant settings. However, you can still change them with the trusty old Registry Editor.

The relevant values may be found under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and are as follows.

ConsentPromptBehaviourAdmin: set this to 3 (prompt for credentials) or 1 (prompt for credentials on secure desktop)
ConsentPromptBehaviourUser: set this to 3 (prompt for credentials) or 1 (prompt for credentials on secure desktop)
PromptOnSecureDesktop: where the previous two values are set to 3, this will cause their prompts to appear on the secure desktop; if the previous two values are 1, then this setting is ignored.

Finally, here is Microsoft's own documentation for these keys: http://technet.microsoft.com/en-us/library/dd835564(v=ws.10).aspx#BKMK_RegistryKeys. IMO their documentation does not make explicit enough the effect of PromptOnSecureDesktop on the other two options that I list above. The key upsight is that, where the documentation says "prompt for {consent,credentials}" without explicitly saying "on the secure desktop", the value of PromptOnSecureDesktop determines whether the user is switched to the secure desktop for prompting.

Sam Morris

Posted 2010-01-04T23:23:44.057

Reputation: 598

1+1 Accepted answer didn't work for me on Windows 8.1 (gpedit.msc not found), but editing registry key worked. – Kip – 2014-12-03T18:24:28.540