Vista's User Account Controls prompts are something almost everybody loves to hate. Microsoft has steadfastly maintained that they're a feature that improves the product. But this week, "Microsoft has taken the very unusual step of endorsing another company's product that fixes a problem in its own operating system." The "Through the Looking Glass" saga of Vista continues.That sentence in quotes turned up in my e-mail from a PR guy touting BeyondTrust's BeyondTrust Privilege Manager 3.5. Privilege Manager enhances Microsoft policy management, and this new version is designed to let corporate IT managers run their users in a "least privilege" environment by eliminating most of the UAC prompts they might see when running Windows Vista.

Is BeyondTrust maybe stretching the truth a little when it uses that word "endorsing"? Not really. Here's the money quote in the announcement press release, from Austin Wilson, director, Windows Client Security Product Management at Microsoft:

Microsoft recognizes that to help create a secure, auditable and compliant enterprise environment all users should be Standard Users and ideally not have administrative privileges or access to administrator passwords. . . . I am pleased to see third-party security vendors such as BeyondTrust improve what is already our most secure business client OS, Windows Vista. The combination of elevating approved applications transparently with Privilege Manager and running UAC in no prompt mode with Internet Explorer in protected mode provides a best of breed solution to the least privilege problem.

Am I the only guy who translates that as, "Microsoft admits UAC is broken. Privilege Manager 3.5 fixes it"? Apparently not -- see, for example, Betanews.com's story, Microsoft Endorses Product That Turns Off Vista UAC Nags. Scott Fulton's thorough piece includes a similar quote from another Microsoft employee, Mark Russinovich, Technical Fellow and one of the most widely respected Windows experts in this quadrant of the galaxy. Russinovich isn't down on UAC per se, but he's concerned about the kind of on-the-fly escalation of privileges that UAC both requires and enables.

As for me, I'm not as far into the philosophy of Vista security as Rossinovich is, I'm just annoyed by the nagging (see Don't Shut Off Vista UAC, There's A Better Way). I'm glad there's a fix like BeyondTrust Privilege Manager that may help those of you who are corporate IT types, but I'm my own help desk, and for me a "least privilege" environment is not a solution, it's the problem Vista is forcing on me. Recently a commenter posted what looks like a good tip to one of previous blog entries, suggesting a free utility called TweakUAC that you can download from a Web site that includes an interesting take on what UAC does -- and doesn't do.