How to Configure Windows Server 2016 User Account Control

User Account Control (UAC) is a security feature in Windows Server 2016 that helps prevent unauthorized changes to the operating system by prompting for confirmation or credentials when administrative tasks are performed. UAC separates the standard user token from the administrator token, ensuring that even users logged on with administrative accounts run with limited privileges by default. This guide explains UAC configuration, Group Policy settings, and best practices for server environments.

How UAC Works on Windows Server 2016

When a standard user or administrator attempts an operation requiring elevation, UAC generates a consent prompt or credential prompt. On servers, it is common to configure UAC in “auto-elevate” mode for administrators to reduce prompt frequency while retaining protection. The key behaviors are:

  • Consent prompt: Administrator clicks Allow/Deny without entering credentials.
  • Credential prompt: User must supply administrator credentials.
  • Auto-elevate: Trusted system binaries (signed by Microsoft) elevate silently.

Step 1: Check Current UAC Configuration

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" | Select-Object EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop

Step 2: Configure UAC Behavior via Registry

The main UAC registry values are under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:

  • EnableLUA: 1 = UAC enabled, 0 = disabled (not recommended).
  • ConsentPromptBehaviorAdmin: 0 = elevate without prompting, 1 = credentials prompt, 2 = consent prompt, 5 = consent prompt for non-Windows binaries.
  • ConsentPromptBehaviorUser: 0 = auto-deny, 1 = credentials prompt, 3 = credentials prompt (default).
  • PromptOnSecureDesktop: 1 = show prompt on secure desktop (recommended), 0 = standard desktop.

Configure recommended server settings (consent prompt for admins, secure desktop):

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLUA" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 2 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorUser" -Value 3 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Value 1 -Type DWord

Step 3: Configure UAC via Group Policy

UAC Group Policy settings are at:

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Key GPO settings:

  • “User Account Control: Run all administrators in Admin Approval Mode” — Enabled
  • “User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode” — Prompt for consent for non-Windows binaries
  • “User Account Control: Behavior of the elevation prompt for standard users” — Prompt for credentials
  • “User Account Control: Switch to the secure desktop when prompting for elevation” — Enabled
  • “User Account Control: Detect application installations and prompt for elevation” — Enabled

Step 4: Enable Virtualization for Legacy Applications

UAC File and Registry Virtualization redirects legacy app writes from protected locations to per-user locations. Keep this enabled for application compatibility:

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableVirtualization" -Value 1 -Type DWord

Step 5: Configure Admin Approval Mode for Built-in Administrator

The built-in Administrator account bypasses UAC by default. Enable Admin Approval Mode for it:

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "FilterAdministratorToken" -Value 1 -Type DWord

Step 6: Configure Application Manifest for Elevation

For custom applications, the application manifest specifies the required privilege level. To check an executable’s manifest:

mt.exe "-inputresource:C:\Tools\MyApp.exe;#1" -out:manifest.xml
Get-Content manifest.xml | Select-String -Pattern "requestedExecutionLevel"

Step 7: Audit UAC Events

UAC elevation events are logged in the Security event log. Enable auditing for privilege use:

auditpol /set /subcategory:"Special Logon" /success:enable
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable

View UAC-related events (Event ID 4688 = process creation, 4672 = special privileges assigned, 4648 = logon using explicit credentials):

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688,4672,4648} -MaxEvents 20 | Select-Object TimeCreated, Id, Message
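
To tell elevated process launches apart from ordinary ones, the raw XML of Event ID 4688 can be decoded. The following is an added example, not part of the original guide; the function name ConvertFrom-ProcessCreationXml and the sample event are constructed for illustration, and 4688 is only written when the "Process Creation" audit subcategory is enabled.

```powershell
# TokenElevationType values recorded in Event ID 4688:
#   %%1936 = default token (UAC disabled, built-in Administrator or service account)
#   %%1937 = full token (the process was elevated)
#   %%1938 = limited token (administrator running with the filtered token)
$ElevationNames = @{ '%%1936' = 'Default'; '%%1937' = 'Full'; '%%1938' = 'Limited' }

function ConvertFrom-ProcessCreationXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        if ($evt.System.EventID -ne '4688') { return }   # ignore other event IDs
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $evt.System.TimeCreated.SystemTime
            User      = $data['SubjectUserName']
            Process   = $data['NewProcessName']
            Parent    = $data['ParentProcessName']
            Elevation = $ElevationNames[$data['TokenElevationType']]
        }
    }
}

# Constructed sample event (trimmed to the fields used above).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><TimeCreated SystemTime="2024-01-01T10:00:00Z" /></System>
  <EventData>
    <Data Name="SubjectUserName">opsadmin</Data>
    <Data Name="NewProcessName">C:\Windows\System32\mmc.exe</Data>
    <Data Name="TokenElevationType">%%1937</Data>
    <Data Name="ParentProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-ProcessCreationXml | Where-Object Elevation -eq 'Full'

# Live use on a server:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 200 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-ProcessCreationXml
```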

Step 8: UAC for Remote Management

By default, remote connections using local administrator accounts get a filtered token (UAC over network). To allow a full administrator token for local accounts over the network (not recommended for domain accounts):

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -Value 1 -Type DWord
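
The values set in Steps 2, 4, 5 and 8 can be audited in one pass. The following is an added example, not part of the original guide: the allowed values are the ones this guide recommends (2 from Step 2, or 5 for the Group Policy choice in Step 3), treating LocalAccountTokenFilterPolicy = 0 or absent as the expected state is an assumption based on the default described in Step 8, and the function name Test-UacBaseline and the sample data are constructed.

```powershell
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Allowed values per setting, taken from Steps 2, 3, 4, 5 and 8 of this guide.
# AbsentOk marks a value whose absence already gives the expected behaviour.
$UacBaseline = @(
    @{ Name = 'EnableLUA';                     Allowed = @(1);    AbsentOk = $false }
    @{ Name = 'ConsentPromptBehaviorAdmin';    Allowed = @(2, 5); AbsentOk = $false }
    @{ Name = 'ConsentPromptBehaviorUser';     Allowed = @(3);    AbsentOk = $false }
    @{ Name = 'PromptOnSecureDesktop';         Allowed = @(1);    AbsentOk = $false }
    @{ Name = 'EnableVirtualization';          Allowed = @(1);    AbsentOk = $false }
    @{ Name = 'FilterAdministratorToken';      Allowed = @(1);    AbsentOk = $false }
    @{ Name = 'LocalAccountTokenFilterPolicy'; Allowed = @(0);    AbsentOk = $true  }
)

function Test-UacBaseline {
    param(
        # Hashtable of value name -> DWORD; when omitted, the live registry is read.
        [hashtable]$Values
    )
    if ($null -eq $Values) {
        $Values = @{}
        $props = Get-ItemProperty -Path $UacKey
        foreach ($p in $props.PSObject.Properties) { $Values[$p.Name] = $p.Value }
    }
    foreach ($rule in $UacBaseline) {
        $present = $Values.ContainsKey($rule.Name)
        $actual  = if ($present) { $Values[$rule.Name] } else { '(not set)' }
        $ok      = if ($present) { $rule.Allowed -contains $actual } else { $rule.AbsentOk }
        [pscustomobject]@{
            Setting   = $rule.Name
            Actual    = $actual
            Allowed   = $rule.Allowed -join ' or '
            Compliant = $ok
        }
    }
}

# Constructed sample: remote token filtering switched off and the built-in
# Administrator still outside Admin Approval Mode.
$sample = @{
    EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; ConsentPromptBehaviorUser = 3
    PromptOnSecureDesktop = 1; EnableVirtualization = 1
    FilterAdministratorToken = 0; LocalAccountTokenFilterPolicy = 1
}
Test-UacBaseline -Values $sample | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Calling Test-UacBaseline with no arguments on the server reads the live key instead of the sample.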

Summary

User Account Control on Windows Server 2016 is an important defense-in-depth control that limits the blast radius of compromised accounts by requiring explicit consent for privileged operations. Proper UAC configuration — combined with the principle of least privilege, audit logging, and Group Policy enforcement — significantly reduces the risk of privilege escalation attacks in your server environment.