Hi, everyone. I'm Daniel Oliver, a program manager on the Windows Shell Team.

If you're running Windows Vista on a domain-joined machine, you may have noticed a small change between Windows Vista RC1 and RC2 when the UAC dialog box prompts for credentials in an OTS (over the shoulder) scenario. In RC2, only the empty Password Provider tile is enumerated by default. Some users thought this was a bug, and other users requested we revert to the previous behavior. In addition, many users wanted to know why we made this change. Please allow me to address these questions individually.

RC1 behavior

RC2 behavior

Is this a bug?

No, this is intentional. By default, when UAC prompts users for credentials, it should display the empty Password Provider tile. If you are able to validate your identity with additional (installed) credential providers, such as the Smart Card Provider, you will probably see additional tiles in the user list.

Is it possible to get the old default behavior back?

Yes, it is. The behavior is controlled by a Group Policy setting and can be configured using gpedit.msc. Once in the MMC snap-in, use the tree control to navigate to...

Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Credential User Interface -> Enumerate administrator accounts on elevation

Enable this Group Policy setting.

Why did the UAC team make this change?

During enumeration of local machine administrators, the system must contact a domain controller (DC). While this enumeration occurred, an indeterminate progress bar appeared within the user list region. We received a large amount of feedback regarding the long period of time this progress bar took to disappear. We analyzed the problem in detail and found users experiencing unusually slow performance when the DC was unavailable or slow to respond. In order to place the dialog box in front of users as fast as possible, we changed the default behavior. Speed.

How do I change the domain field?

By default, the Password Provider will pre-append the domain (or machine name in the workgroup case) to serialized credentials. The uneditable string below the password field indicates the domain (or machine name) that will be used. To specify a different domain, it must be entered in the user name field. The correct format is domain\username or username@domain. The domain field will update automatically. This is the same convention used during logon.

How does this Group Policy setting function on workgroup machines?

Enumerate administrator accounts on elevation has a slightly different meaning on workgroup machines. By default (that is, the setting has been neither enabled nor disabled), the Password Provider will list all local administrators on the machine. When enabled or disabled, this policy behaves exactly the same as in the domain-joined scenario.

How does this Group Policy setting affect other credential providers?

The Microsoft Smart Card Provider is not affected at all by this change. We recommended credential providers written by ISVs respect the settings in Group Policy.

-- Daniel Oliver

Windows Shell Team