-1

Is it possible to disable UAC when installing software but only for a custom set of users or a group?

Ben N
  • 42,308

1 Answer

0

That's not possible.

Now that's awfully disappointing, isn't it? Let me tell you more. Knowledge!

First up, there's no difference between installation programs and other admin-requiring programs as far as Windows is concerned. The elevation prompt is produced by a setting in the program's manifest, specifically requestedExecutionLevel.

The reason programs have to elevate is that important folders, files, and registry keys can only be modified by administrators; unelevated administrators are, for most purposes, normal users. You could try to adjust the ACLs on those objects to allow certain users to write to them, but there are some problems: you would almost certainly miss some (causing bizarre behavior), there would still be some OS functions that legitimately require membership in the Administrators group to use, and you'd have to whack the manifest of setup programs (invalidating their digital signatures) to make them not try to elevate. Sadness all around. Don't do that.

If you let non-administrative users write whatever they want to places intended for admins only, you're opening up a huge security hole. For instance, there's no practical difference between installing programs and modifying programs; a malicious user could adjust commonly-run programs to do bad things, then wait for an admin to run them. You seem to be really interested in the Power Users group, but it's only a small hop from there to administrator. Let's see what this Microsoft KB article has to say about the Power Users group:

To help prevent this problem, use these methods:

  • Do not use the Power Users group.

UAC works by removing powerful group memberships and privileges from users' logon tokens. Tokens are, in essence, the identity under which a program runs. The Administrators group is always considered a powerful group, as are a handful of others like Backup Operators. The user's own identity (and therefore access controls that specifically refer to the user by name) is preserved.

There is currently no way to disable UAC's behavior for only some users. The built-in Administrator account, however, does by default run with full privileges (i.e. with UAC disabled). Other than that, though, you can't make exceptions in UAC.

Ben N
  • 42,308
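The manifest setting named in the answer above, as an added example that is not part of the original answer: a Python script that reads `requestedExecutionLevel` from manifest XML already extracted from an executable and reports whether starting the program asks for elevation. The sample manifests, program names and function names are constructed for illustration, and a manifest with no declared level is treated like `asInvoker`, which is a simplification.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifests (not taken from any real program).
SETUP_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security><requestedPrivileges>
      <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
    </requestedPrivileges></security>
  </trustInfo>
</assembly>"""
TOOL_MANIFEST = SETUP_MANIFEST.replace(b"requireAdministrator", b"highestAvailable")
BARE_MANIFEST = b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"/>'


def requested_level(manifest_xml):
    """Return the declared level string, or None when the manifest has none."""
    # Manifests from untrusted binaries should go through a hardened XML parser.
    root = ET.fromstring(manifest_xml)
    for el in root.iter():
        # Compare local names only: trustInfo appears under asm.v2 and asm.v3.
        if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return el.get("level")
    return None


def needs_elevation(level, user_in_administrators):
    """Will starting the program ask for an elevated token (UAC enabled)?"""
    if level == "requireAdministrator":
        return True                      # every user has to elevate
    if level == "highestAvailable":
        return user_in_administrators    # only users whose token UAC filtered
    return False                         # asInvoker; undeclared assumed the same


def audit(manifests, user_in_administrators):
    """Map each program name to (declared level, elevation needed)."""
    report = {}
    for name, xml_bytes in manifests.items():
        level = requested_level(xml_bytes)
        report[name] = (level, needs_elevation(level, user_in_administrators))
    return report


if __name__ == "__main__":
    samples = {"setup.exe": SETUP_MANIFEST, "tool.exe": TOOL_MANIFEST, "bare.exe": BARE_MANIFEST}
    for admin in (False, True):
        print("member of Administrators:", admin, audit(samples, admin))
```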