


by Elizabeth Montalbano, IDG News Service (New York Bureau)

Microsoft: Don’t Misunderstand UAC, Other Vista Features

May 19, 2008
Access Control, Identity Management Solutions, Network Security

Microsoft tried to explain some of Vista's most "misunderstood" features in a document posted to -- then removed from -- its Web site.

In its continued attempt to convince business customers to adopt Vista, Microsoft has outlined and tried to explain some of what it calls the OS’s most “misunderstood” features in a document posted to – then mysteriously removed from – its Web site this week.

In the document, “Five Misunderstood Features in Windows Vista,” Microsoft lists what it believes are five features of Vista that “cause confusion” and “slow Windows Vista adoption” for most users. The company identified User Account Control, Image Management, Display Driver Model, Windows Search and 64-bit architecture as features that are flummoxing IT professionals when they install Vista across desktops on a network. It offered tips for how to deal with common problems.

The document was posted to the Web site Friday morning; however, by the afternoon, the link was no longer working. It still came up in a Live Search of the Microsoft Web site, but the link provided there also was inactive.

Microsoft did not immediately respond to a request about the document Friday.

Businesses have been slow to adopt Vista since its enterprise introduction in late November 2006, and by now users have identified the features listed in the document as some of their biggest pain points.

One that has been especially problematic — and even spoofed in an Apple TV commercial — is User Account Control (UAC). UAC prevents users without administrative privileges from making unauthorized changes to a PC. But because of its settings, it can prevent even authorized users on the network from being able to access applications and features they should normally have access to. It does this through a series of screen prompts that ask the user to verify privileges, and it may require a user to type in a password to perform a task.

In its document, Microsoft said the feature has gotten a “bad rap” because it’s a “set of technologies” dispersed throughout the OS and designed to protect the system in a variety of ways, not just one feature that can be controlled in an isolated way.

Microsoft also designed UAC to “help nudge ISVs towards designing applications that function in Standard User mode,” one of two user privilege modes in UAC. The other is Local Administrator.

As it stands now, the prompts interrupt normal workflow, even in some mundane tasks, unless a user is set as Local Administrator. This is because the many third-party Windows applications that predate Vista weren’t developed to work with UAC’s “Standard User” designation, so they default to requiring Local Administrator rights, said Keith Brown, a network administrator for Gwinnett Medical Center in Lawrenceville, Georgia. Gwinnett is a not-for-profit medical network serving more than 700 physicians around the Atlanta area.

If a Standard User asks an application to perform a task that touches a part of the OS that the software says “should not be meddled with,” it will prompt the user and require a password to perform that task, he said. This is common, especially when someone tries to install software as a Standard User, Brown said.

“It’s an annoyance,” he said, which is why most IT administrators will turn off the feature when installing Vista across desktops. Doing so defeats the purpose of Microsoft putting it in to protect the OS in the first place.

One way to get around UAC is to use third-party software, such as Privilege Manager from BeyondTrust, to set user privileges, Brown said. Microsoft even recommended BeyondTrust’s product to customers when the company, based in Portsmouth, N.H., came out with Privilege Manager 3.5 last August. That was the first version of the product designed to work with UAC.

John Moyer, CEO of BeyondTrust, said Privilege Manager lets network administrators configure in advance which applications can run or be installed on Vista machines on a network. It assigns the appropriate elevated privileges to Standard Users so they are not prompted even if third-party software does not recognize them as an authorized user of a task. “There is no interruption to the workflow,” he said.

Brown said that without Privilege Manager, UAC would probably be turned off for the 30 to 40 Vista desktops his company is testing in its information systems department. He said the incessant prompting from UAC can be turned off from within Vista, but it’s extremely time-consuming for the IT department to do that for each user on the network.

Gwinnett Medical Center eventually is planning a broader Vista deployment, but that “won’t be this year,” Brown added.