
I have an example directory hosted on a data drive on a Windows Server 2008 installation ("MACHINE"). Only SYSTEM, Domain Admins, and Administrators (local) have full control permissions applied to this example directory. No other permissions are applied (I tend to be a bit uptight about permissions, and it is easier to start with a minimal set and expand).

When I attempt to open the directory in Explorer, I receive the message "You don't currently have permission to access this folder. Click Continue to get access to this folder." I am most definitely in Domain Admins. Yes, I checked. If I continue, permissions are applied specifically adding my account to that directory.

I removed the permissions specific to my account, then added my account to the local Administrators group. I receive the same error.

When I add permissions for the MACHINE\Users group, I may enter the directory.

When I disable UAC, this odd behavior goes away.

It's as if my membership in Domain Admins and the local Administrators group is ignored when UAC is enabled.

Can someone explain this perplexing behavior to me? I realize I can shut off UAC or add the MACHINE\Users group to my permissions, but I would like to understand the problem rather than just waving it away.

2 Answers


You're seeing as-designed behaviour of User Account Control. Have a look at the articles below to learn more about what's going on "under the hood" when you have UAC enabled.

Basically, your administrative privileges are being stripped from your security token when UAC is enabled (just as you're observing). In effect, UAC allows you to log on with an "Administrator"-level account but forces that account to "act" like a limited user. When you attempt to perform an action that requires administrator-level credentials, UAC will prompt to elevate. After the elevation completes successfully, the action you attempted to perform is done using the non-UAC-filtered security token (which still contains all your administrative group memberships).

As an aside, typically you don't need to (and really shouldn't) name "DOMAIN\Domain Admins" in permissions. The local "Administrators" group will contain "DOMAIN\Domain Admins" if the machine is joined to "DOMAIN", so naming "DOMAIN\Domain Admins" is redundant.

Evan Anderson
    DOMAIN\Domain Admins + MACHINE\Administrators is S.O.P. around here. Having to say "Yeah, I want to look at that" in UAC is understandable, in light of the temporary disabling of the admin half of my security token. However, after I say, "Yes, I want to do that," I ought to be let into the directory, from what the article suggests. Instead, UAC goes ahead and changes file permissions. That's the part that I find a little galling. Perhaps it is a little different in Server 2008. Thank you. –  Feb 12 '10 at 20:42
    That's what bugs me as well. Asking me for permission to access a folder even though I'm admin? weird but workable. But permanently adding me to the ACL? What are they thinking!? This is still an issue in 2008 R2. – Martijn Heemels Sep 03 '10 at 16:46
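The token filtering the answer describes can be observed directly. The following PowerShell is an added example, not code from the answer or its comments: it reports how the current session's token looks, and it assumes only that `whoami.exe` is present (it ships with Vista / Server 2008 and later). Run it once in an ordinary PowerShell window and once in one started with "Run as administrator", as the same admin user, and compare.

```powershell
# Added example, not part of the answer above: inspect what UAC did to the token of
# the current PowerShell session. Run it once in a normal PowerShell window and once in
# one started with "Run as administrator" (as the same admin user) and compare the output.

function Get-TokenSummary {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # IsInRole asks the same question the file system asks when it evaluates an ACE.
    # In the filtered token the Administrators SID is still present but flagged
    # "used for deny only", so it matches Deny ACEs but never Allow ACEs, and an
    # admin user gets $false here until the process is elevated.
    $isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # The token's default owner is a second tell: a filtered token creates new objects
    # owned by the user, an elevated one creates them owned by BUILTIN\Administrators
    # (S-1-5-32-544).
    New-Object PSObject -Property @{
        User            = $identity.Name
        AdminMembership = $isAdmin
        DefaultOwnerSid = $identity.Owner.Value
    }
}

Get-TokenSummary | Format-List

# whoami.exe prints the attribute behind the behaviour: "Group used for deny only" on
# BUILTIN\Administrators, and on DOMAIN\Domain Admins as well, which is why naming
# Domain Admins in the DACL did not help the poster either.
whoami /groups /fo list |
    Select-String -Pattern 'BUILTIN\\Administrators|Domain Admins' -Context 0,3
```

In the non-elevated window `AdminMembership` comes back `False` and the `whoami` lines show `Attributes: Group used for deny only`; in the elevated window the same user gets `True` and `Attributes: Mandatory group, Enabled by default, Enabled group, Group owner`.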

I ran into this as well and searched mightily for an answer. While the UAC and privilege elevation make sense, I still needed a logical explanation for why it should have to scribble on the security settings to effect access. My problem arose from trying to access a Macrium Reflect backup mounted image with all the security still intact just as if it was an external drive. Since the image is read-only, the permanent ACL change could not work.

I thought I should simply be elevated to Administrators and get access. Otherwise, what good is the Administrators group?

The issue is basically a combination of how UAC works and how Windows Explorer works. UAC makes your user token minus the Administrators group, and elevation is required to enable it and get the benefits of group membership. Elevation can only occur at the time a process is being created. An existing process token cannot be elevated. Windows Explorer is a system process that is started when you log in. So it's not elevated, and it can't be elevated to access the folders. However, other methods do work. You can run Command Prompt as Administrator and access it. You can run Notepad as Administrator and open files there. And you can remotely access the folders through an administrative share, since the local Windows Explorer doesn't need to be elevated for that access.

The following are the links that educated me on this issue. Hope this helps.

http://www.networksteve.com/forum/topic.php/Windows_Server_2008_R2_and_UAC_and_%22you_don't_currently_have_per/?TopicId=14554&Posts=4

http://consumersupport.lenovo.com/ph/en/Guides/OS_guide_show_1261110914140580.html

cdburgerjr
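To see the answer's point in practice, here is an added PowerShell example (not code from the answer, the question, or the linked pages) that rebuilds the poster's ACL on a test folder and then tries to open it the way a program would. It assumes `D:\AclTest` as a placeholder path on the data drive, and deliberately leaves `DOMAIN\Domain Admins` out of the principal list because that name only resolves on a domain-joined machine (and, as the first answer notes, `BUILTIN\Administrators` already covers it). Run the script first from an elevated PowerShell ("Run as administrator") to create the folder, then again from an ordinary PowerShell window as the same admin user.

```powershell
# Added example, not code from the answer above: rebuild the poster's ACL on a test folder
# (SYSTEM and BUILTIN\Administrators full control, nothing inherited, nothing for Users)
# and then open it the way a program does. Run first from an elevated PowerShell
# ("Run as administrator") to create the folder, then again from an ordinary PowerShell
# window as the same admin user to see the denial and the elevated way around it.
# Assumptions: D:\AclTest is a placeholder path; 'DOMAIN\Domain Admins' is left out of
# $Principals because it only resolves on a domain-joined box.

$Path       = 'D:\AclTest'
$Principals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Test-Elevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function New-LockedFolder([string]$Folder, [string[]]$FullControl) {
    if (-not (Test-Path -LiteralPath $Folder)) {
        New-Item -ItemType Directory -Path $Folder | Out-Null
    }
    # Start from an empty descriptor so nothing from the drive root leaks in.
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)   # protected DACL, inherited ACEs discarded
    foreach ($who in $FullControl) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $who, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    # Owner matters: an owner always keeps READ_CONTROL and WRITE_DAC on its objects.
    # Handing ownership to Administrators keeps the "minimal set" honest; the elevated
    # token may set this owner because Administrators is an enabled group in it.
    $acl.SetOwner([Security.Principal.NTAccount]'BUILTIN\Administrators')
    Set-Acl -Path $Folder -AclObject $acl
}

function Test-FolderAccess([string]$Folder) {
    # A directory listing is what Explorer needs and what the filtered token is refused.
    try {
        $null = [IO.Directory]::GetFileSystemEntries($Folder)
        $true
    } catch [System.UnauthorizedAccessException] {
        $false
    }
}

if (Test-Elevated) {
    New-LockedFolder -Folder $Path -FullControl $Principals
    "Elevated token: folder built. Listing works: $(Test-FolderAccess $Path)"
} elseif (Test-FolderAccess $Path) {
    "Filtered token, yet listing worked: UAC is off, or the DACL grants this user or Users."
} else {
    "Filtered token: access denied, as in the question (Administrators is deny-only here)."
    # The answer's workaround: a NEW process started elevated gets the unfiltered token.
    # This raises the UAC consent prompt and opens a second window that lists the folder.
    Start-Process powershell.exe -Verb RunAs `
        -ArgumentList "-NoExit -Command `"Get-ChildItem -Path '$Path'`""
}
```

The elevated run creates the folder and lists it; the ordinary run is refused by the same DACL and then, via `Start-Process -Verb RunAs`, triggers the UAC prompt and lists the folder from a freshly created elevated process, without touching the ACL the way Explorer's "Continue" button does.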