14 DAY TRIAL // See the top and the bottom images on the left? The first illustrates UAC dialog box behavior in Windows Vista Release Candidate 1, while the second comprises the changes introduced with the release of the release Candidate 2. Such user account control dialog boxes are specific of Windows Vista running on a domain-joined computer. The Windows Shell Team altered the behavior of an UAC dialog box credential request.
"In an OTS (over the shoulder) scenario, in RC2, only the empty Password Provider tile is enumerated by default. Some users thought this was a bug, and other users requested we revert to the previous behavior. During enumeration of local machine administrators, the system must contact a domain controller (DC). While this enumeration occurred, an indeterminate progress bar appeared within the user list region. We received a large amount of feedback regarding the long period of time this progress bar took to disappear," explained Daniel Oliver, a program manager on the Windows Shell Team.
The slow response time or the unavailability of the DC generated slow performance and the alteration of the default behavior proved necessary in order to speed up the accessing of the dialog box. The change is intentional. "By default, when UAC prompts users for credentials, it should display the empty Password Provider tile. If you are able to validate your identity with additional (installed) credential providers, such as the Smart Card Provider, you will probably see additional tiles in the user list," added Oliver.
But Microsoft is also delivering a way to revert to the anterior default behavior by changing the configuration of the Group Policy setting that controls the UAC dialog box's behavior through gpedit.msc. Here is the navigational path via the MMC snap-in:
Local Computer Policy - Computer Configuration - Administrative Templates - Windows Components - Credential User Interface - Enumerate administrator accounts on elevation - Enable this Group Policy setting.
Altering the Group Policy setting does not affect additional credential providers or the Microsoft Smart Card Provider. On workgroup machines, the Group Policy setting displays just the local administrators on the computer, when changed, either enabled or disabled, producing behavior similar to the domain-joined situation.
"By default, the Password Provider will pre-append the domain (or machine name in the workgroup case) to serialized credentials. The uneditable string below the password field indicates the domain (or machine name) that will be used. To specify a different domain, it must be entered in the user name field. The correct format is domainusername or username@domain. The domain field will update automatically. This is the same convention used during logon," also informed Oliver.
