Article ID: 942817 - Last Review: November 26, 2007 - Revision: 1.1

How to change the Remote UAC LocalAccountTokenFilterPolicy registry setting in a Windows Vista image

View products that this article applies to.
Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986  (http://support.microsoft.com/kb/256986/ ) Description of the Microsoft Windows registry

On This Page

Expand all | Collapse all

INTRODUCTION

This article describes how to change the settings for the Remote User Account Control (UAC) LocalAccountTokenFilterPolicy registry entry in a Windows Vista image. The LocalAccountTokenFilterPolicy setting affects how administrator credentials are applied to remotely administer the computer. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
927832  (http://support.microsoft.com/kb/927832/ ) The "Add" and "Remove" commands on the Drivers tab are unavailable on a remote Windows Vista-based print server
Back to the top

MORE INFORMATION

Use any of the following methods to change the settings for the LocalAccountTokenFilterPolicy registry entry in a Windows Vista image.

Note These methods can be modified to change other registry settings. However, some of these methods may not work for all registry settings. Some registry settings may require additional steps. For example, this article does not describe how to make per-user registry changes during deployment.
Back to the top

Method 1: Use Audit mode to edit the registry before you use Sysprep on the image

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
  1. Start the computer in Audit mode. To do this, press Ctrl+Shift+F3 at the Windows Welcome screen.
  2. Follow these steps to manually edit the registry:
    1. Click Start, type regedit in the Start Search box, and then click regedit.exe in the Programs list.
    2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    3. On the Edit menu, point to New, and then click DWORD Value.
    4. Type LocalAccountTokenFilterPolicy for the name of the DWORD, and then press ENTER.
    5. Right-click LocalAccountTokenFilterPolicy, and then click Modify.
    6. In the Value data box, type 1, and then click OK.
    7. Exit Registry Editor.
  3. After you configure the Windows installation, use sysprep /generalize /oobe to reseal the image for deployment.

    Note You may only use Sysprep to reseal an image three times. For more information about how to use images to deploy Windows, see the Windows Automated Installation Kit (WAIK) documentation.
Back to the top

Method 2: Edit the registry automatically during an unattended installation

Create an Unattended answer file (Unattend.xml) for unattended installation. This file uses the REG ADD command to edit the registry during the installation. Add the REG ADD command as a RunSynchronous command in the AuditUser pass or in the oobeSystem pass. Or, add the REG ADD command as a FirstLogonCommand in the oobeSystem pass. For example, the REG ADD command line may resemble the following:
 cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
You can also use the REG IMPORT command. However, the .reg file that is to be imported must be available on the system when the command is run. You can use the $oem$ functionality to put the file on drive C.

The REG IMPORT command line may resemble the following: 
Cmd /c reg import c:\test.reg
For more information, see the WAIK documentation.

Note The AuditUser pass, the oobeSystem pass, and the FirstLogonCommand pass run at elevated levels. Commands that are scripted during these sections of the unattended installation are run by using full administrative credentials.

Examples

Note The following sample Unattend.xml files are specific to an x86-based architecture. Unattend.xml files must be prepared for the correct architecture.

In the following example, the REG ADD command is used as a RunSynchronous command in the AuditUser pass: 

<?xml version="1.0" encoding="utf-8"?>

<unattend xmlns="urn:schemas-microsoft-com:unattend">

    <settings pass="auditUser">

        <component name="Microsoft-Windows-Deployment" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

            <RunSynchronous>

                <RunSynchronousCommand wcm:action="add">

                    <Path>cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f</Path>

                    <Order>1</Order>

                    <Description>ChangeLocalAccountTokenFilterPolicy</Description>

                </RunSynchronousCommand>

            </RunSynchronous>

        </component>

    </settings>

    <cpi:offlineImage cpi:source="wim:c:/vista_rtm_media/x86/sources/install.wim#Windows Vista ULTIMATE" xmlns:cpi="urn:schemas-microsoft-com:cpi" />

</unattend>

#############################################################################
In the following example, the REG ADD command is used as a FirstLogonCommand in the oobeSystem pass: 
  

<?xml version="1.0" encoding="utf-8"?>

<unattend xmlns="urn:schemas-microsoft-com:unattend">

    <settings pass="oobeSystem">

        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

            <FirstLogonCommands>

                <SynchronousCommand wcm:action="add">

                    <CommandLine>cmd /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 00000001 /f </CommandLine>

                    <Description>ChangeLocalAccountTokenFilterPolicy</Description>

                    <Order>1</Order>

                </SynchronousCommand>

            </FirstLogonCommands>

        </component>

    </settings>

    <cpi:offlineImage cpi:source="wim:c:/vista_rtm_media/x86/sources/install.wim#Windows Vista ULTIMATE" xmlns:cpi="urn:schemas-microsoft-com:cpi" />

</unattend>
The following shows the contents of a sample registry file: 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"LocalAccountTokenFilterPolicy"=dword:00000001
Note The <description> sections of these examples can contain spaces. For example, a <description> section may appear as follows:
<description>Merge New Local AccountTokenFilterPolicy Reg Key</description>
Back to the top

Method 3: Edit the registry of a preexisting offline image

Microsoft Knowledge Base article 941200 describes how to edit the registry of an offline image. You can use this article as a guide for editing the registry of previously captured deployment images. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
941200  (http://support.microsoft.com/kb/941200/ ) How to insert test-signed drivers into an offline image of x64-based and x86-based versions of Windows Server 2008 or Windows Vista
Back to the top
APPLIES TO
  • Windows Vista Ultimate
  • Windows Vista Enterprise
  • Windows Vista Business
  • Windows Vista Home Premium
  • Windows Vista Home Basic
  • Windows Vista Starter
  • Windows Vista Ultimate 64-bit Edition
  • Windows Vista Enterprise 64-bit Edition
  • Windows Vista Business 64-bit Edition
  • Windows Vista Home Premium 64-bit Edition
  • Windows Vista Home Basic 64-bit Edition
Back to the top
Keywords: 
kbhowto kbinfo kbexpertiseadvanced KB942817
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations