====== Description of User Account Control and remote restrictions in Windows Vista ======

===== Introduction =====

User Account Control (UAC) is a new security component of Windows Vista. UAC enables users to perform common day-to-day tasks as non-administrators. These users are called standard users in Windows Vista. User accounts that are members of the local Administrators group will run most applications by using the principle of least privilege. In this scenario, least-privileged users have rights that resemble the rights of a standard user account. However, when a member of the local Administrators group has to perform a task that requires administrator rights, Windows Vista automatically prompts the user for approval.

===== How UAC remote restrictions work =====

To better protect those users who are members of the local Administrators group, we implement UAC restrictions on the network. This mechanism helps prevent against loopback attacks. This mechanism also helps prevent local malicious software from running remotely with administrative rights.

==== Local user accounts (Security Account Manager user account) ====

When a user who is a member of the local Administrators group on the target remote computer establishes a remote administrative connection by using the net use ''*\\remotecomputer\Share$'' command, for example, they won't connect as a full administrator. The user has no elevation potential on the remote computer, and the user cannot perform administrative tasks. If the user wants to administer the workstation with a Security Account Manager (SAM) account, the user must interactively log on to the computer that is to be administered with Remote Assistance or Remote Desktop, if these services are available.

==== Domain user accounts (Active Directory user account) ====

A user who has a domain user account logs on remotely to a Windows Vista computer. And, the domain user is a member of the Administrators group. In this case, the domain user will run with a full administrator access token on the remote computer, and UAC won't be in effect.

===== To disable UAC remote restrictions, follow these steps: =====

* Click Start, click Run, type regedit, and then press ENTER.
* Locate and then click the following registry subkey:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
* If the LocalAccountTokenFilterPolicy registry entry doesn't exist, follow these steps:
  * On the Edit menu, point to New, and then select DWORD Value.
  * Type LocalAccountTokenFilterPolicy, and then press ENTER.
* Right-click LocalAccountTokenFilterPolicy, and then select Modify.
* In the Value data box, type ''1'', and then select OK.
* Exit Registry Editor.

Acá hay más:
https://docs.facundoitest.space/doku.php?id=deshabilitar_uac_para_usuarios_remotos

https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction