-1

A Windows user which is member of Administrators groups has 2 Access tokens:

  • One with medium integrity level.
  • One with high integrity level.

The first one is used by default. When an application needs an high integrity level, an UAC consent popup is displayed to the user. When the user accepts, he switches to his high integrity level access token.

The Administrator account has only one access token: The one with high integrity level. This is why he is never prompted by UAC constant popup.

Am I wrong?

Is there a way to create a "second" Administrator account? (I mean a user which has a single access token with high integrity level).

Thanks

Greg Askew
  • 35,880
  • 5
  • 54
  • 82
Bob5421
  • 319
  • 3
  • 8
  • 16

1 Answers1

0

The behaviour of UAC prompt depends on the settings you have in your environment. Validating the settings can help explain the behavior you are having.

The list of settings can be found here: https://learn.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings

The Administrator account has only one access token: The one with high integrity level. This is why he is never prompted by UAC constant popup.

Am I wrong?

Nothing is hard-coded. Behavior for built-in administrator account is controlled via a setting User Account Control: Admin Approval Mode for the built-in Administrator account

Is there a way to create a "second" Administrator account? (I mean a user which has a single access token with high integrity level).

UAC behavior settings are configured on a machine level and can't be set per user.

J-M
  • 1,930
  • 1
  • 11
  • 17
  • Thanks but i do not understand one thing : how many access token has built-in administrator? – Bob5421 Feb 11 '23 at 13:43
  • ``When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token`` Read more here: https://learn.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works – J-M Feb 11 '23 at 14:01
  • That’s true for a user member of admin group but i am not sure about built in administrator… – Bob5421 Feb 11 '23 at 14:10
  • If something is different for built-in admin, it should be mentioned in docs. Have you checked the setting mentioned in my answer? What is the value on affected machine where you only see built-in admin having one token? – J-M Feb 11 '23 at 14:25