No comments on the merits of User Account Control, please - I need to test in an environment with it "all the way on" - which, on Windows Server 2008 R2 Enterprise, is the "Always Notify" option. Figured I'd mass-change the systems (because after the test, I'm turning the UAC back off).
The attached script (the contents of which I copy/pasted/updated from another - thank you!) can be either used to Enable or Disable UAC (based on the registry settings) for a list of systems in a text file, and then reboot those systems. To toggle between enabling/disabling, I simply remark out the appropriate section of code.
NOTE - the "Enable UAC" section of code is supposed to be commented out.
The problem is that, although the appropriate registry key is updated, the User Account Control Settings UI (in Control Panel) does not appear to get updated. Been searching for a long time - decided to ask the experts. Thank you in advance for any assistance.
Also, any comments on the structure/best practices of my code are appreciated - I'm a relative Powershell noob. Thank you.
########################################################################
# Disable-Enable User Account Control
# This script checks the registries of all systems in a text file and checks their UAC status. It can be set to Disable UAC (setting of 0) or Enable UAC (setting of 1). The user will need to manually alter the script and choose the desired setting. Afterwards, the systems will be rebooted.
#########################################################################
# Initialize variables and set paths
clear-host
$systems = Get-Content "c:\temp\Env1.txt"
$WriteUAC = $true
$UACValue = "EnableLUA"
$UACoff = 0
$UACon = 1
$UACpath = "Software\Microsoft\Windows\CurrentVersion\policies\system"
# Loop through the input file for all computers, open the remote
# HKLM hive using .NET, open the subkey to the UAC setting, and
# get the Enable UAC value.
foreach($system in $systems)
{
$OpenRegistry =[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$system)
$UACsubkey = $OpenRegistry.OpenSubKey($UACpath,$WriteUAC)
$UACsubkey.ToString()
$UACstate = $UACsubkey.GetValue($UACvalue)
Write-Host "The UAC on $system is currently set to $UACstate."
# Disable UAC (EnableLUA setting of 0)
If($UACstate -eq 1)
Write-Host "Turning the UAC off..."
$UACsubkey.SetValue($UACvalue, $UACoff)
Write-Host "The UAC on $system is now set to $UACstate. The system will now be restarted."
(Get-WmiObject -Class Win32_OperatingSystem -ComputerName $system).Win32Shutdown(6)
}
Else
Write-Host "The UAC State of $system is already off."
# Enable UAC (EnableLUA setting of 1)
# If($UACstate -eq 0)
# {
# Write-Host "Turning the UAC on..."
# $UACsubkey.SetValue($UACvalue, $UACon)
# $UACstate = $UACsubkey.GetValue($UACvalue)
# Write-Host "The UAC on $system is now set to $UACstate. The system will now be restarted."
# (Get-WmiObject -Class Win32_OperatingSystem -ComputerName $system).Win32Shutdown(6)
# }
# Else
# Write-Host "The UAC State of $system is already on."
I think there may be something buggy going on under the covers here. Normally, when you change the slider from "Never Notify" to "Always Notify", you are prompted to restart the system.
After running this script to change a "UAC Off" system to a "UAC On" system, and rebooting the system - when I login and navigate to UAC (and see that the slider is incorrectly in the "Never Notify" position), and change the slider to "Always Notify", I am NOT prompted to restart the system.
If I were truly changing the UAC state, I should be prompted to restart, no?