Microsoft KB Archive/942817

= How to change the Remote UAC LocalAccountTokenFilterPolicy registry setting in a Windows Vista image =

Article ID: 942817

Article Last Modified on 11/26/2007

-

APPLIES TO


 * Windows Vista Ultimate
 * Windows Vista Enterprise
 * Windows Vista Business
 * Windows Vista Home Premium
 * Windows Vista Home Basic
 * Windows Vista Starter
 * Windows Vista Ultimate 64-bit Edition
 * Windows Vista Enterprise 64-bit Edition
 * Windows Vista Business 64-bit Edition
 * Windows Vista Home Premium 64-bit Edition
 * Windows Vista Home Basic 64-bit Edition

-



Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



INTRODUCTION
This article describes how to change the settings for the Remote User Account Control (UAC) LocalAccountTokenFilterPolicy registry entry in a Windows Vista image. The LocalAccountTokenFilterPolicy setting affects how administrator credentials are applied to remotely administer the computer. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

927832 The "Add" and "Remove" commands on the Drivers tab are unavailable on a remote Windows Vista-based print server



MORE INFORMATION
Use any of the following methods to change the settings for the LocalAccountTokenFilterPolicy registry entry in a Windows Vista image.

Note These methods can be modified to change other registry settings. However, some of these methods may not work for all registry settings. Some registry settings may require additional steps. For example, this article does not describe how to make per-user registry changes during deployment.

Method 1: Use Audit mode to edit the registry before you use Sysprep on the image
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

 1. Start the computer in Audit mode. To do this, press Ctrl+Shift+F3 at the Windows Welcome screen.
 2. Follow these steps to manually edit the registry:
    a. Click Start, type regedit in the Start Search box, and then click regedit.exe in the Programs list.
    b. Locate and then click the following registry subkey:
       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    c. On the Edit menu, point to New, and then click DWORD Value.
    d. Type LocalAccountTokenFilterPolicy for the name of the DWORD, and then press ENTER.
    e. Right-click LocalAccountTokenFilterPolicy, and then click Modify.
    f. In the Value data box, type 1, and then click OK.
    g. Exit Registry Editor.
 3. After you configure the Windows installation, use sysprep /generalize /oobe to reseal the image for deployment.

    Note You may only use Sysprep to reseal an image three times. For more information about how to use images to deploy Windows, see the Windows Automated Installation Kit (WAIK) documentation.

Method 2: Edit the registry automatically during an unattended installation
Create an Unattended answer file (Unattend.xml) for unattended installation. This file uses the REG ADD command to edit the registry during the installation. Add the REG ADD command as a RunSynchronous command in the AuditUser pass or in the oobeSystem pass. Or, add the REG ADD command as a FirstLogonCommand in the oobeSystem pass. For example, the REG ADD command line may resemble the following:

<pre class="fixed_text">cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f</pre>

You can also use the REG IMPORT command. However, the .reg file that is to be imported must be available on the system when the command is run. You can use the $oem$ functionality to put the file on drive C.

The REG IMPORT command line may resemble the following:

<pre class="fixed_text">cmd /c reg import c:\test.reg</pre>

For more information, see the WAIK documentation.

Note The AuditUser pass, the oobeSystem pass, and the FirstLogonCommand pass run at elevated levels. Commands that are scripted during these sections of the unattended installation are run by using full administrative credentials.

Examples
Note The following sample Unattend.xml files are specific to an x86-based architecture. Unattend.xml files must be prepared for the correct architecture.

In the following example, the REG ADD command is used as a RunSynchronous command in the AuditUser pass:

<pre class="fixed_text">
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="auditUser">
    <component name="Microsoft-Windows-Deployment" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <RunSynchronous>
        <RunSynchronousCommand wcm:action="add">
          <Path>cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f</Path>
          <Order>1</Order>
          <Description>ChangeLocalAccountTokenFilterPolicy</Description>
        </RunSynchronousCommand>
      </RunSynchronous>
    </component>
  </settings>
  <cpi:offlineImage cpi:source="wim:c:/vista_rtm_media/x86/sources/install.wim#Windows Vista ULTIMATE" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>
</pre>

In the following example, the REG ADD command is used as a FirstLogonCommand in the oobeSystem pass:

<pre class="fixed_text">
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <FirstLogonCommands>
        <SynchronousCommand wcm:action="add">
          <CommandLine>cmd /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 00000001 /f</CommandLine>
          <Description>ChangeLocalAccountTokenFilterPolicy</Description>
          <Order>1</Order>
        </SynchronousCommand>
      </FirstLogonCommands>
    </component>
  </settings>
  <cpi:offlineImage cpi:source="wim:c:/vista_rtm_media/x86/sources/install.wim#Windows Vista ULTIMATE" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>
</pre>

The following shows the contents of a sample registry file:

<pre class="fixed_text">Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"LocalAccountTokenFilterPolicy"=dword:00000001</pre>

Note The sections of these examples can contain spaces. For example, a section may appear as follows:

Merge New Local AccountTokenFilterPolicy Reg Key
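
Setting LocalAccountTokenFilterPolicy to 1 disables UAC remote restrictions, so remote logons by local administrator accounts receive a full administrator token; it is therefore worth knowing which deployment artifacts carry the change. The following is an added example, not part of the Microsoft article, that scans an answer file and a .reg file of the kinds shown above for commands that set the value. The function names and the sample inputs are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"
VALUE = "localaccounttokenfilterpolicy"
DATA_ARG = re.compile(r'/d\s+"?(0x[0-9a-f]+|\d+)', re.I)  # REG ADD: /d <data>
REG_LINE = re.compile(r'^\s*"%s"\s*=\s*dword:([0-9a-f]{1,8})\s*$' % VALUE, re.I | re.M)

def _dword(text):
    """REG ADD data: 0x-prefixed hex, otherwise decimal (leading zeros allowed)."""
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)

def scan_unattend(xml_text):
    """Return (pass, component, element, data) for each command that names the value."""
    findings = []
    for settings in ET.fromstring(xml_text).iter(NS + "settings"):
        for comp in settings.iter(NS + "component"):
            for el in comp.iter():
                tag = el.tag.replace(NS, "")
                cmd = (el.text or "").lower()
                if tag in ("Path", "CommandLine") and VALUE in cmd:
                    m = DATA_ARG.search(cmd)
                    data = _dword(m.group(1)) if m else None  # None: no /d argument
                    findings.append((settings.get("pass"), comp.get("name"), tag, data))
    return findings

def scan_reg_file(reg_text):
    """Return the DWORDs a .reg file assigns to the value (any key; review the section)."""
    return [int(h, 16) for h in REG_LINE.findall(reg_text)]

# Constructed sample inputs, modelled on the article's oobeSystem and .reg examples.
SAMPLE_UNATTEND = r"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <settings pass="oobeSystem">
  <component name="Microsoft-Windows-Shell-Setup"
             xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
   <FirstLogonCommands><SynchronousCommand wcm:action="add">
    <CommandLine>cmd /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 00000001 /f</CommandLine>
    <Order>1</Order>
   </SynchronousCommand></FirstLogonCommands>
  </component>
 </settings>
</unattend>"""
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"LocalAccountTokenFilterPolicy"=dword:00000001
'''

if __name__ == "__main__":
    print(scan_unattend(SAMPLE_UNATTEND), scan_reg_file(SAMPLE_REG))
```

A REG IMPORT command carries no value name, so the .reg file it points to has to be located and passed to scan_reg_file separately.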

Method 3: Edit the registry of a preexisting offline image
Microsoft Knowledge Base article 941200 describes how to edit the registry of an offline image. You can use this article as a guide for editing the registry of previously captured deployment images. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

941200 How to insert test-signed drivers into an offline image of x64-based and x86-based versions of Windows Server 2008 or Windows Vista

Keywords: kbhowto kbinfo kbexpertiseadvanced KB942817


© Microsoft Corporation. All rights reserved.