Quote:
Ah. I got my TLAs mixed up.

No you didn't. LUA and UAC are both names for the same feature. I think it was called LUA (limited user access) in development, and the release version of Vista calls it UAC (user account control). But they're the same feature.

For the record, here's how it works:

- UAC (LUA) is turned on by default on a fresh installation of Vista.

- The UAC feature can only be turned off by someone with localmachine\administrator privileges. If that happens, it gets turned off globally for the machine (it's not a per-user setting).

- UAC can, if desired, also be enforced by group policy, so a machine joined to the domain could theoretically be prevented from turning this feature on or off.

- In terms of what UAC does for the security of the system, whether the logged-in user is "Localmachine\Administrator", "Domain\Administrator", "Localmachine\Joesixpack", or "Domain\Joesixpack" doesn't matter. It doesn't matter if the logged-in user has administrative privileges on the machine or not. UAC performs all of the same protections no matter what the privilege level of the current user is.

- The only difference made in UAC's performance depending on the user is this: If the user is an administrator-level user on that machine, then when UAC prompts for permission to let a program do something, it's just an OK button to click. If the user isn't already an admin, then it prompts for typed-in admin credentials before it will let the program past its block.

- Turning on UAC is not exactly the same as the difference between logging in as a normal user versus logging in as a machine administrator. Its main purpose is to allow you to be logged in as a machine administrator (thus getting the convenience of being logged in as admin), and yet still get the protections that you would have had if you were logged in as a normal user.

The jury is still out on whether or not it actually accomplishes that last task or not.
_________________________
Tony Fabris
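
An added example, not part of the original post: a PowerShell check of the machine-wide UAC switch and of the two prompt behaviours the post describes (OK button for administrators, typed credentials for everyone else). The registry key and value names (`EnableLUA`, `ConsentPromptBehaviorAdmin`, `ConsentPromptBehaviorUser`) are the ones Windows uses for these settings and do not appear in the post; the function names are hypothetical.

```powershell
# Added example: audit the machine-wide UAC settings. Read-only; run on the machine to check.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meaning of ConsentPromptBehaviorAdmin (value 5 exists on Windows 7 and later).
$AdminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
# Meaning of ConsentPromptBehaviorUser (standard, non-admin users).
$UserPrompt = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Get-UacValue {
    param([string]$Name)
    # Return $null when the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Resolve-Label {
    param($Value, [hashtable]$Map)
    if ($null -eq $Value) { return 'not set (system default applies)' }
    if ($Map.ContainsKey([int]$Value)) { return "$Value = $($Map[[int]$Value])" }
    return "$Value = unrecognised value"
}

function Get-UacStatus {
    $lua   = Get-UacValue 'EnableLUA'
    $admin = Get-UacValue 'ConsentPromptBehaviorAdmin'
    $user  = Get-UacValue 'ConsentPromptBehaviorUser'
    $findings = @()
    if ($lua -eq 0)   { $findings += 'UAC is turned off for the whole machine' }
    if ($admin -eq 0) { $findings += 'Administrators elevate with no prompt at all' }
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        EnableLUA   = $(if ($null -eq $lua) { 'not set' } else { $lua })
        AdminPrompt = Resolve-Label $admin $AdminPrompt
        UserPrompt  = Resolve-Label $user  $UserPrompt
        Findings    = $(if ($findings) { $findings -join '; ' } else { 'none' })
    }
}

Get-UacStatus | Format-List
```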