Join Log in
Score:-1
Bob5421 avatar Server

Create a local Windows user with high integrity level

hm flag
Bob5421

A Windows user which is member of Administrators groups has 2 Access tokens:

  • One with medium integrity level.
  • One with high integrity level.

The first one is used by default. When an application needs an high integrity level, an UAC consent popup is displayed to the user. When the user accepts, he switches to his high integrity level access token.

The Administrator account has only one access token: The one with high integrity level. This is why he is never prompted by UAC constant popup.

Am I wrong?

Is there a way to create a "second" Administrator account? (I mean a user which has a single access token with high integrity level).

Thanks

99
1 + 3
uac
cn flag
Greg Askew
`The Administrator account has only one access token: The one with high integrity level. This is why he is never prompted by UAC constant popup. Am I wrong?` Yes, you are wrong.
1
Reply
Bob5421 avatar
hm flag
Bob5421
So why i do not have an uac consent popup with administrator ?
0
Reply
cn flag
Greg Askew
Why not just ask that as a question?
1
Reply
Score:0
Jevgenij Martynenko avatar Server
us flag
Jevgenij Martynenko

The behaviour of UAC prompt depends on the settings you have in your environment. Validating the settings can help explain the behavior you are having.

The list of settings can be found here: https://learn.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings

The Administrator account has only one access token: The one with high integrity level. This is why he is never prompted by UAC constant popup.

Am I wrong?

Nothing is hard-coded. Behavior for built-in administrator account is controlled via a setting User Account Control: Admin Approval Mode for the built-in Administrator account

Is there a way to create a "second" Administrator account? (I mean a user which has a single access token with high integrity level).

UAC behavior settings are configured on a machine level and can't be set per user.

+ 4
Bob5421 avatar
hm flag
Bob5421
Thanks but i do not understand one thing : how many access token has built-in administrator?
0
Reply
Jevgenij Martynenko avatar
us flag
Jevgenij Martynenko
``When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token`` Read more here: https://learn.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works
0
Reply
Bob5421 avatar
hm flag
Bob5421
That’s true for a user member of admin group but i am not sure about built in administrator…
0
Reply
Jevgenij Martynenko avatar
us flag
Jevgenij Martynenko
If something is different for built-in admin, it should be mentioned in docs. Have you checked the setting mentioned in my answer? What is the value on affected machine where you only see built-in admin having one token?
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.