|
|
|
|
|
|
by WorldMaker
494 days ago
|
|
|
The way I read it, the difference between existing UAC and "Adminless" is that the user is always in the Administrators group and UAC just unlocks an Administrator token/ACL temporarily to bestow the actual powers of the Administrators group. In "Adminless" the user is only a less privileged/low privilege user, a new system-managed Admin User is created, and the new security boundary prompts instead of unlocking a temporary token/ACL are more "runas" the system-managed Admin User. It's similar to Linux sudo sending commands to the root account, where Linux doesn't have a token/ACL model that allows temporarily upgrading the existing user "in place". It's also similar to how Windows Admin security was managed pre-UAC in places that separated standard accounts and Admin accounts, and similar to how many corporations still manage security, with the difference being that the new "Adminless" admin account is system owned (like the various internal service accounts), supposedly does not allow interactive login, has no password only a hardware security key (hence why the new security boundary requires Windows Hello unlocks every time, versus UAC can be as subtle as Yes/No, depending on configuration/group policy). "Adminless" is a funny name given that there's still an admin account involved, it's just an admin account that is much more than before not a user account but more like a service account. |
|
|