User Account Control

Applies to

  • Windows 10
  • Windows Server 2016

User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.

UAC allows all users to log on to their computers using a standard user account. Processes launched using a standard user token may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Additionally, any apps that are started using Windows Explorer (for example, by double-clicking a shortcut) also run with the standard set of user permissions. Many apps, including those that are included with the operating system itself, are designed to work properly in this way.

Other apps, especially those that were not specifically designed with security settings in mind, often require additional permissions to run successfully. These types of apps are referred to as legacy apps. Additionally, actions such as installing new software and making configuration changes to the Windows Firewall require more permissions than what is available to a standard user account.

When an app needs to run with more than standard user rights, UAC can restore additional user groups to the token. This enables the user to have explicit control of apps that are making system level changes to their computer or device.

Practical applications

Admin Approval Mode in UAC helps prevent malware from silently installing without an administrator's knowledge. It also helps protect from inadvertent system-wide changes. Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process.
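
To check whether a host actually enforces the behaviour described above, the following added example (not code from this page or from Microsoft) reads the local UAC policy values and reports whether the current process runs with the full administrator token. The registry path and value names are the standard UAC policy values, which this page does not list; the pass criteria are an assumed baseline for "administrators must consent or provide credentials for each administrative process".

```powershell
# Added example: read-only audit of the local UAC policy values.
# Registry path and value names are the standard UAC policy values (not listed on this page).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Assumed baseline for this example: every elevation by an administrator is prompted.
#   ConsentPromptBehaviorAdmin 0 = elevate without prompting,
#   1-4 = prompt for credentials or consent, 5 = prompt only for non-Windows binaries.
$checks = [ordered]@{
    EnableLUA                  = @{ Pass = @(1);          Meaning = 'Admin Approval Mode enabled' }
    ConsentPromptBehaviorAdmin = @{ Pass = @(1, 2, 3, 4); Meaning = 'prompt on every elevation' }
    PromptOnSecureDesktop      = @{ Pass = @(1);          Meaning = 'prompt shown on the secure desktop' }
}

$policy = Get-ItemProperty -Path $key -ErrorAction Stop

$report = foreach ($name in $checks.Keys) {
    $value = $policy.$name   # $null when the value is absent and the OS default applies
    $status = if ($null -eq $value) { 'NOT SET' } elseif ($value -in $checks[$name].Pass) { 'PASS' } else { 'FAIL' }

    [pscustomobject]@{
        Setting = $name
        Value   = $value
        Status  = $status
        Expect  = '{0} ({1})' -f ($checks[$name].Pass -join ' or '), $checks[$name].Meaning
    }
}
$report | Format-Table -AutoSize -Wrap

# A member of Administrators running with the standard user token is reported
# as not elevated, because the Administrators group is not enabled in that token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Current process elevated: $elevated"

if ($report.Status -contains 'FAIL') {
    Write-Warning 'One or more UAC settings are weaker than the assumed baseline.'
}
```

On domain-joined machines Group Policy may overwrite these values at the next refresh, so a FAIL should be corrected in the governing policy rather than in the local registry.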

In this section

Topic | Description
How User Account Control works | User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
User Account Control security policy settings | You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy.
User Account Control Group Policy and registry key settings | Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC.