Flaw in UAC/User Accounts

Hi All!!

Upon making a Limited User account while making a How-To guide for Vista,
stumbled upon this flaw.

A Limited User is able to make an Aministrator User. Therefore bypassing the
Parental Controls and safety regarding the whole reason for making a Limited
User.

A Limited User should have just house permissions....Limited.

I am not sure if blocking access to the control panel applet/MSC or control
useraccounts applet/MSC would remedy the probem. Hopefully MS will address
and fix this issue before the release of SP1, or make a HotFix for it and put
it on their Update Server.


----------------
This post is a suggestion for Microsoft, and Microsoft responds to the
suggestions with the most votes. To vote for this suggestion, click the "I
Agree" button in the message pane. If you do not see the button, follow this
link to open the suggestion in the Microsoft Web-based Newsreader and then
click "I Agree" in the message pane.

http://windowshelp.microsoft.com/com...unts_passwords

What? How? Sounds like bull to me.

--
- It's always Microsoft's fault no matter what your problem is.

McFingers

What you are describing is not possible in Vista?

If you are logged on with a Standard account and attempt to access any part
of Control Panel/User Accounts where you can create a new account or even
change a current account, you must elevate that process using an
administrator account credentials.

There are only 2 settings possible for a Standard account in Vista when
starting a process that requires elevation to administrator privileges.
1. Prompt for administrator privileges where an administrator account and
password must be entered.
2. Deny any elevation.

Even if UAC is turned off and you try to create or change a user account,
(or any other task that requires administrator privileges) you may actually
be able to go through the process, but the changes will silently fail to
take effect. A new administrator user account will not be created and any
changes to any current account (such as changing a standard user to an
administrator account) will fail to take effect.



--

Ronnie Vernon
Microsoft MVP
Windows Shell/User


"McFingers" <McFingers@discussions.microsoft.com> wrote in message
news:BE022208-01FB-4D91-B3BE-112CE0D70007@microsoft.com...
> Hi All!!
>
> Upon making a Limited User account while making a How-To guide for Vista,
> stumbled upon this flaw.
>
> A Limited User is able to make an Aministrator User. Therefore bypassing
> the
> Parental Controls and safety regarding the whole reason for making a
> Limited
> User.
>
> A Limited User should have just house permissions....Limited.
>
> I am not sure if blocking access to the control panel applet/MSC or
> control
> useraccounts applet/MSC would remedy the probem. Hopefully MS will
> address
> and fix this issue before the release of SP1, or make a HotFix for it and
> put
> it on their Update Server.
>
>
> ----------------
> This post is a suggestion for Microsoft, and Microsoft responds to the
> suggestions with the most votes. To vote for this suggestion, click the "I
> Agree" button in the message pane. If you do not see the button, follow
> this
> link to open the suggestion in the Microsoft Web-based Newsreader and then
> click "I Agree" in the message pane.
>
> http://windowshelp.microsoft.com/com...unts_passwords