Credential Prompt Change in RC2
Hi, everyone. I'm Daniel Oliver, a program manager on the Windows Shell Team.
If you're running Windows Vista on a domain-joined machine, you may have noticed a small change between Windows Vista RC1 and RC2 when the UAC dialog box prompts for credentials in an OTS (over the shoulder) scenario. In RC2, only the empty Password Provider tile is enumerated by default. Some users thought this was a bug, and other users requested we revert to the previous behavior. In addition, many users wanted to know why we made this change. Please allow me to address these questions individually.
RC1 behavior
RC2 behavior
Is this a bug?
No, this is intentional. By default, when UAC prompts users for credentials, it should display the empty Password Provider tile. If you are able to validate your identity with additional (installed) credential providers, such as the Smart Card Provider, you will probably see additional tiles in the user list.
Is it possible to get the old default behavior back?
Yes, it is. The behavior is controlled by a Group Policy setting and can be configured using gpedit.msc. Once in the MMC snap-in, use the tree control to navigate to...
Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Credential User Interface -> Enumerate administrator accounts on elevation
Enable this Group Policy setting.
Why did the UAC team make this change?
During enumeration of local machine administrators, the system must contact a domain controller (DC). While this enumeration occurred, an indeterminate progress bar appeared within the user list region. We received a large amount of feedback regarding the long period of time this progress bar took to disappear. We analyzed the problem in detail and found users experiencing unusually slow performance when the DC was unavailable or slow to respond. In order to place the dialog box in front of users as fast as possible, we changed the default behavior. Speed.
How do I change the domain field?
By default, the Password Provider will pre-append the domain (or machine name in the workgroup case) to serialized credentials. The uneditable string below the password field indicates the domain (or machine name) that will be used. To specify a different domain, it must be entered in the user name field. The correct format is domain\username or username@domain. The domain field will update automatically. This is the same convention used during logon.
How does this Group Policy setting function on workgroup machines?
Enumerate administrator accounts on elevation has a slightly different meaning on workgroup machines. By default (that is, the setting has been neither enabled nor disabled), the Password Provider will list all local administrators on the machine. When enabled or disabled, this policy behaves exactly the same as in the domain-joined scenario.
How does this Group Policy setting affect other credential providers?
The Microsoft Smart Card Provider is not affected at all by this change. We recommended credential providers written by ISVs respect the settings in Group Policy.
-- Daniel Oliver
Windows Shell Team
Comments
Anonymous
October 12, 2006
Why there's not an option to keep opened the Details (the arrow at the bottom of the UAC's window)? I'd like to see the details every times without click on Details button. ThanksAnonymous
October 13, 2006
Thanks for the feedback, scalo. We'll keep this suggestion in mind!Anonymous
October 19, 2006
What API does one call to copy a file and get these dialogs to prompt automatically (if needed)? For example, consider a program that copies a file into %Program Files%. Currently my file copy just fails. If I copy the same file using the Shell UI, I get the appropriate prompt. What copy API's can be used to get the same behavior as the shell?Anonymous
October 25, 2006
Hi Scott, In general, we recommend modifying your program to not require elevation. If you're authoring an administrative application, you will want to manifest it to require an administrator privileges. Mixed mode applications (applications exposing some functionality useful to standard users and some which is useful to members of the Users group)should re-factor the program into two parts - a standard user program and an administrative program. The administrator program will need to be manifested appropriately. For more information, refer to the section titled Admin Broker Model in the following document: http://www.microsoft.com/downloads/details.aspx?FamilyID=BA73B169-A648-49AF-BC5E-A2EEBB74C16B&displaylang=en Thanks!Anonymous
November 02, 2006
Scott, the shell API SHFileOperation() and IFileOperation have built in support for elevation. you can use these APIs and they will provide the UI to enable your users to elevate. As Daniel said we generally want to avoid the need to elevate so if you can use a solution that avoids this, for example using MSI to install your files you should do that first. ChrisAnonymous
December 15, 2006
I'm about to wipe my main work machine and install Vista RTM x64. Wish me luck. Sure, people @ MS wipeAnonymous
December 15, 2006
I'm about to wipe my main work machine and install Vista RTM x64. Wish me luck. Sure, people @ MS wipe