Administrator accounts must not be enumerated?

win10freak · 17 Nov 2020

I still not able to understand this following Group Policy as to me it just makes no sense at all.
https://www.tenforums.com/tutorials/112434-hide-show-administrators-uac-standard-users-windows.html

Here is my current User setup on a STANDALONE PC.
Two LOCAL User accounts:
Admin account
and
Standard Account.

When I am logged in as the Standard account after setting the Group Policy to DISABLED and when I need to elevate to Admin by perfuming the Run As or when clicking on the "Shield Security" icons, the setting works and I do not see my Admin account username on the UAC. That is fine.

Part which I do not understand, is what would be the point of this setting when I can just look up the Admin account from the Users folder, the Switch User entries, Computer Management/Users and Groups?

Maybe this setting ONLY refers to users who need to remotely access a computer?

Do not know...

Hopefully someone can provide me an explaination.

Brink · 17 Nov 2020

Hello @win10freak,

The Enumerate administrator accounts on elevation policy is basically to allow you to force users to have to enter both an administrator's account name and password for UAC prompts instead of the default selecting an administrator account and entering its password.

This way users must know both for a bit of extra security. Yeah, it's still easy to lookup the name though.

The problem is, you can't hide an account without it getting disabled.

win10freak · 17 Nov 2020

I’m the only person using my laptop running as a Standard User for security best practice.

The only time I need to Run As or elevate to my Admin account, is when I need to perform maintenance work.

So what setting should I leave this Group Policy?

Should I just leave it as Disabled (without showing my Admin username)?

Thank you!

Brink · 17 Nov 2020

I'd just leave it set to the default "Not configured" (enabled/show).

No need to remove them since your the only one using the computer.

Bree · 17 Nov 2020

win10freak said:

I’m the only person using my laptop running as a Standard User for security best practice.
The only time I need to Run As or elevate to my Admin account, is when I need to perform maintenance work.
So what setting should I leave this Group Policy?

The default for this policy is 'Not Configured' in a normal clean install. The behaviour when not configured is that a Standard user is offered the name of one of the administrator accounts in the UAC prompt and just have to type its password. 'Not Configured' is probably the most convenient option if you are the only user of this PC.

When disabled, you'd have to type in an account name too, when enabled you'd have to pick from a list of names.

If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password.

If you disable this policy setting, users will always be required to type a user name and password to elevate.

win10freak · 17 Nov 2020

The only part that would perhaps makes sense regarding to this policy, is that during the elevated UAC prompt window, the user may walk away from the computer due to being briefly distracted from something and another person would happen to just be next to the computer and having the Admin username exposed, especially in a work or office environment. That would probably make more sense.