UAC (User Account Control) is a Microsoft Windows feature for controlling the launching & execution of applications. However, the UAC system can be very cumbersome when administering Windows machines.

Scenario: Local account is member of “Administrators” but not the built-in Administrator account [Administrator account is disabled].

– Can change “Always notify”, “Never notify” settings of the UAC system
– At the “Default” third notch, cmd.exe launches in a regular under-privileged context
– You have to invoke or run as Administrator to execute anything
– This makes working in PowerShell quite difficult
– Example: You will not be able to import certain modules using “Import-Module”
– At lowest “Never notify” setting, cmd.exe launches as Administrator
– THIS DEFEATS THE PURPOSE OF USING THE UAC MECHANISM because you are essentially disabling UAC
– Machine has to restart each time UAC settings are changed
– Restarting a remote machine is tedious & always risks the machine not powering up or not regaining connection because changes to firewall, network adapter settings & so forth can occur
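
The scenario above can be checked on a machine before changing anything. The following is an added example, not part of the original post: a read-only PowerShell function that reports which UAC level the registry reflects, whether the current session is elevated, and whether the built-in Administrator (the local account with RID 500) is enabled. The function name `Get-UacPosture` is hypothetical; the registry value names are the standard UAC policy values.

```powershell
# Added example, not from the original post. Read-only: it changes no settings.
# Kept compatible with PowerShell 2.0 (Windows 7 SP1).
function Get-UacPosture {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # IsInRole() is true only when the Administrators SID is enabled in the
    # current token, i.e. this process is elevated rather than filtered.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $elevated  = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # The built-in Administrator is the local account whose SID ends in -500.
    $builtin = Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' }

    # Translate the registry values back into the slider position.
    if ($p.EnableLUA -eq 0) {
        $level = 'UAC disabled (EnableLUA=0): every admin process is elevated'
    } elseif ($p.ConsentPromptBehaviorAdmin -eq 0) {
        $level = 'No prompt: elevation requests are approved silently'
    } elseif ($p.ConsentPromptBehaviorAdmin -eq 2) {
        $level = 'Always notify'
    } elseif ($p.ConsentPromptBehaviorAdmin -eq 5) {
        if ($p.PromptOnSecureDesktop -eq 1) { $level = 'Default' }
        else { $level = 'Default, without dimming the desktop' }
    } else {
        $level = 'Custom policy value: ' + $p.ConsentPromptBehaviorAdmin
    }

    # FilterAdministratorToken absent or 0 means the built-in Administrator is
    # exempt from Admin Approval Mode and always runs with a full token.
    New-Object PSObject -Property @{
        SliderLevel          = $level
        ProcessIsElevated    = $elevated
        BuiltinAdminFiltered = [bool]$p.FilterAdministratorToken
        BuiltinAdminName     = $builtin.Name
        BuiltinAdminDisabled = $builtin.Disabled
    }
}

Get-UacPosture | Format-List
```

Run it once from a normal prompt and once from a prompt started with "Run as administrator": `ProcessIsElevated` is the only field that should differ between the two.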

Conclusion
– If you choose to use UAC, leave the local built-in Administrator enabled & passworded.
– If you choose to not use UAC [by lowering the settings], you may use a custom account that is a “Member of” the “Administrators” group.
– If you choose to use a custom account [that is in the Administrators group] and then decide to log on with a domain account, you may still need to invoke the Administrator account to administer the local machine.
– You must only disable the local Administrator account if you are a seasoned professional with hyper-sensitivity to usage of the Administrator account because you have first-hand information that the most privileged account, Administrator, is threatened.
– Because of reasons herein and from a systems administrator stance, you simply must keep the local built-in Administrator account enabled & passworded; any other local account is simply meaningless.

As of this composition, this was tested on Windows 7 Service Pack 1 only.
