Admin Approval Mode

With Windows XP and earlier versions of Windows, any process started by a user logged on as an administrator would be run with administrative privileges. This situation was troublesome because malware could make system-wide changes, such as installing software, without confirmation from the user. In Windows Vista and Windows 7, members of the Administrators group run in Admin Approval Mode, which (by default) prompts administrators to confirm actions that require more than Standard privileges. For example, even though a user might log on as an administrator, Windows Messenger and Windows Mail will run only with standard user privileges.

To do this, Admin Approval Mode creates two access tokens when a member of the Administrators local group logs on: one token with full permissions and a second, restricted token that mimics the token of a standard user. The lower-privilege token is used for nonadministrative tasks, and the privileged token is used only after the user’s explicit consent. Windows Vista prompts the user for consent before allowing an application to complete an action that requires administrative privileges.

Many organizations use the benefits of UAC to create Standard, rather than Administrator, user accounts. Admin Approval Mode offers some protection for those users who need administrator privileges—such as developers—by requiring confirmation before an application makes any potentially malicious changes. Like most Windows 7 security improvements, the consent prompt is enabled by default but can be disabled using Group Policy settings. Additionally, the consent prompt can require users to type an administrative password or, for standard users, simply inform them that access is not permitted.

Source of Information : Windows 7 Resource Kit 2009 Microsoft Press