Privilege Escalation in Windows Vista

Windows Vista does not automatically assign Administrator privileges to users, even if the user is an administrator. When performing tasks which require administrator privileges, User Account Control (UAC) activates and prompts the user for permission. The process is then elevated.

However, one area where UAC does not prompt for elevation is network users, in a workgroup, logging in to a Windows Vista system with accounts that are administrators. Windows does not assign these network users with administrator privileges. This may cause compatibility problems as the classic behaviour is for network users to have their full privileges according to the account on the machine.

This can be reverted back to the classic behaviour as follows:

1. Open an elevated command prompt.

2. Select the following line and press Ctrl-C to copy:

   reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

3. Click the control menu in the top left corner of the Command Prompt window and choose Edit, and then Paste.

   The command will be pasted into the prompt.

4. Press Enter.

   The prompt should display The operation completed successfully.

5. Reboot the machine.

See Also

• http://support.microsoft.com/kb/947235

• http://support.microsoft.com/kb/947232