Why complain about UAC prompts?
Jesper's article in TechNet Magazine on the purpose and future of UAC in Windows Vista and beyond reminded me that there's a whole slew of behaviours more annoying than UAC's prompting (which, as Jesper points out, is only the most visible portion of a system-wide and company-wide approach to the future of Windows development), and which users apparently don't hate enough for vendors and IT departments to cry for changes.
UAC elevation prompts from tools that shouldn't need elevation.
Seriously, this is just a sign that the developer was an administrator, and the tester was an administrator, and nobody bothered to make the program work for non-administrators by removing requests for privileges that aren't actually needed.
So, instead of fixing the product to remove the demands for administrative rights, the developers simply added a manifest to make the software insist on elevation.
If you've got non-administrative software that prompts for elevation as soon as it starts up, you should be asking your vendor whether this is their long-term fix, or whether this is just a temporary workaround while they engage in what can be a long process of removing elevation.
UAC elevation prompts for administrators running administrative tools
While performing their administration function, these users should be in an administrator session, and should have enabled silent elevation through Group Policy; while not performing their administration function, they should not be in an administrator session, and elevation should be disabled.
While that may have been awkward and cumbersome in Windows XP and before (although "runas" goes a long way towards providing this sort of separation), in Windows Vista, Fast User Switching is enabled for even domain-joined computers, allowing you to choose whether to be in a restricted user session or an administrative user session.
Spending most of your time as a non-admin means that when someone comes looking for the admin user who infected the company with an Outlook worm, you can point to the fact that your admin account isn't set up to run Outlook, so it couldn't possibly be you - phew!
Requests to re-identify myself
This is the big one for me, though - why aren't people complaining the same way about applications that ask the users to authenticate themselves again?
Why haven't these applications been fixed to use other methods of authentication?
When I fill in my time-sheet, I'm required to provide my user name and password. Again.
When I connect to the company training web page, I'm required to provide my user name and password. Again.
Every place I've worked, it's the same thing - there's a pile of applications that are necessary to, or related to your work - whether it's training, time-sheets, benefits checking, prescription filling under the company-provided insurance plan, or whatever - they've all required that I identify myself to them - again - even though I've already identified myself to the domain on this computer.
Maybe this is acceptable and appropriate for those operations where you want to make sure that somebody hasn't stepped in to the user's cube while the user was away - but those operations should generally be limited to unlocking the locked workstation, changing the user's password, starting up an elevated process - not routine operational work.
After all, if you start requiring the user to enter their password everywhere, you're teaching the user that he should be blasé about repeatedly entering his password several times during the work day - then when the phishing email comes along, with a request to log on to an external web site, that user will happily give up his user account and password (which will most likely be the same as his password on every other system he's used).
There are good alternatives.
A couple of obvious approaches for web-based applications are Windows Integrated Authentication (which, admittedly, does require IE and IIS), and SSL client certificates.
Thick-client applications are also usable, as long as they aren't against your company's religion.