File permissions "Administrators: Full Control". Why isn't it always sufficient?


If I click "Continue", I'll be allowed to open folder Test

The following explains why Windows automatically adds an extra entry Admin: Full Control to the list.

Assume that User Account Control (UAC) is enabled, and you use Windows Explorer to access a folder for which you don’t have Read permissions.

Additionally, the folder is not marked by both the Hidden and System attributes. In this situation, Windows Explorer displays a dialog box that prompts you with the following:

"You don’t currently have permission to access this folder. Click Continue to permanently get access to this folder"

Note:

  • In Windows Vista and Windows Server 2008, the second sentence does not include the word “permanently”; it just says “Click Continue to get access to this folder.”

You then have the option to click Continue or Cancel. (Continue is selected by default.)

  • If you click Continue, UAC tries to obtain administrative rights on your behalf.

  • Depending on the UAC security settings that control the behavior of the UAC elevation prompt, and on whether you are a member of the Administrators group, you may be prompted for consent or for credentials.

  • Or, you may not be prompted at all. If UAC can obtain administrative rights, a background process will change the permissions on the folder, and on all its subfolders and files, to grant your user account access to them.

  • In Windows Vista and Windows Server 2008, the background process grants your user account Read and Execute permissions. In later versions of Windows, this process grants your user account Full Control.

This behavior is by design. But because the typical pattern with UAC elevation is to run an instance of the elevated program with administrative rights, users may expect that by clicking Continue, this will generate an elevated instance of Windows Explorer and not make permanent changes to file system permissions.

However, this expectation is not possible, as Windows Explorer’s design does not support the running of multiple process instances in different security contexts in an interactive user session.

If UAC is disabled, UAC elevation is not possible.

  • All programs that are run by members of the Administrators group, including Windows Explorer, always have administrative rights.

  • Therefore, administrators do not need to use elevation to access resources that require administrative rights.

For example, if a folder grants access only to the Administrators group and the System account, an administrator can browse it directly without being prompted to alter the folder’s permissions.

  • If the user does not have Read permissions, Windows Explorer displays the dialog box that was described earlier.

  • However, if UAC is disabled, Windows cannot request administrative credentials on behalf of the user through a UAC elevation prompt.

  • Therefore, Windows will not start a background process with administrative permissions in order to change file system permissions.

However, if the user clicks Continue and the folder’s current security descriptor grants the user permission to both read and change the object’s permissions, Windows will start the background process in the user’s current security context and modify the folder’s permissions to grant the user greater access, as described earlier.

The user may have permission to read and change the object’s permissions from object ownership or from the object’s access control list (ACL).

Source When you click Continue for folder access in Windows Explorer, your user account is added to the ACL for the folder


I'm logged in as Admin - a member of Administrators group

and therefore I'm supposed to have full control of the folder. Why does Windows say that I don't currently have permissions?

The account called Admin is not the built-in Administrator account (which is named Administrator).

The built-in Administrator account doesn't require privilege elevation, while users you create and put in Administrators group do (assuming UAC hasn't been disabled).

If you want to do something that needs Administrators privileges using an account created (for example Admin) and placed in Administrators group you will have to either:

  • Confirm the privilege elevation when requested, or

  • Run as Administrator by right clicking the application and selecting the option.


An Administrator is not THE Administrator

A user was trying to set the owner of a file to "Administrator." The user was unable to do this even though he was logged on as an administrator. Why won’t the system let an administrator change the owner of a file to Administrator? Don’t administrators have permission to take ownership of files?

...

So do you know the difference between Administrator and Administrators?

Administrator is an account.

  • If a permission or privilege is granted to Administrator, it can be done only by someone logged in with the Administrator account, that is, the account whose name defaults to Administrator (in English).

Administrators, on the other hand, is a group.

  • If you are a member of the Administrators group of a machine, you have been granted administrator privileges on that machine.

  • It is membership in the Administrators group that people refer to when they say things like "I’m an administrator on this machine."

  • The use of an indefinite article ("an") as opposed to a definite article ("the") highlights that the user is just one of many administrators.

Things are more ambiguous when people say something like "I’m running as administrator." This could mean either they are running as the Administrator account or that they are running with an account that is a member of the Administrators group.

Once you understand this difference, it becomes clear why the user I mentioned earlier was unable to reassign ownership of the file.

  • The user was logged on with an account that belongs to the Administrators group—but not with the Administrator account itself.

  • Let’s call the user’s account "Bob." The SeTakeOwnershipPrivilege privilege is assigned to members of the Administrators group, allowing members of this group to assign ownership to themselves. However, this privilege does not let members assign ownership to somebody else.

  • In this example, Bob could assign ownership of the file to Bob. But he is mistakenly trying to assign ownership to Administrator and since Bob is not the same as Administrator, the operation fails.

The user needs to log on with the Administrator account and take ownership of the files from there. In this case, the Administrator is assigning ownership to himself. (Alternatively, Bob could enable SeRestorePrivilege before setting the owner. This method is somewhat unorthodox, however, since SeRestorePrivilege is intended to be used by backup restore programs.)

Source An Administrator Is Not the Administrator
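
The access check behind the answer above, as an added example that is not part of the original answer or of Windows itself: a simplified Python model of the DACL walk, using the question's Admin, Bob, Test and DucklingTest. It relies on the documented UAC behavior that an unelevated administrator's token keeps the Administrators SID only as a deny-only group, which cannot match an allow ACE; the class and function names are illustrative.

```python
# Simplified model of the Windows DACL walk (no owner rights, privileges or
# inheritance). Accounts and ACLs are constructed from the question's folders.
from dataclasses import dataclass

READ = 0x120089          # FILE_GENERIC_READ
FULL_CONTROL = 0x1F01FF  # FILE_ALL_ACCESS

@dataclass(frozen=True)
class Ace:
    allow: bool
    sid: str
    mask: int

@dataclass(frozen=True)
class Token:
    user: str
    enabled: frozenset                  # groups that match allow and deny ACEs
    deny_only: frozenset = frozenset()  # groups that match deny ACEs only

def access_check(token, dacl, desired):
    """Return True if the DACL grants every bit in `desired` to this token."""
    allow_sids = {token.user} | token.enabled
    deny_sids = allow_sids | token.deny_only
    granted = 0
    for ace in dacl:
        if ace.allow and ace.sid in allow_sids:
            granted |= ace.mask
        elif not ace.allow and ace.sid in deny_sids and ace.mask & desired & ~granted:
            return False                # a still-needed bit is denied
        if (desired & ~granted) == 0:
            return True
    return False                        # no ACE granted the remaining bits

# With UAC on, Admin's everyday token carries Administrators as deny-only.
admin_filtered = Token("Admin", frozenset({"Users"}), frozenset({"Administrators"}))
admin_elevated = Token("Admin", frozenset({"Users", "Administrators"}))
bob = Token("Bob", frozenset({"Users", "Ugly Ducklings"}))

test_dacl = [Ace(True, "SYSTEM", FULL_CONTROL),
             Ace(True, "Administrators", FULL_CONTROL),
             Ace(True, "Alice", FULL_CONTROL)]
duckling_dacl = [Ace(True, "Ugly Ducklings", FULL_CONTROL)]
# State after Explorer's "Continue": an explicit ACE for the user account.
test_after_continue = test_dacl + [Ace(True, "Admin", FULL_CONTROL)]

if __name__ == "__main__":
    print("filtered Admin, Test:       ", access_check(admin_filtered, test_dacl, READ))
    print("Bob, DucklingTest:          ", access_check(bob, duckling_dacl, FULL_CONTROL))
    print("filtered Admin, after click:", access_check(admin_filtered, test_after_continue, READ))
```

Each Continue click leaves a per-user Full Control entry on the folder and everything beneath it, so these explicit entries are worth looking for when reviewing ACLs on sensitive directories.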



Author: AnT

Updated on September 18, 2022

Comments

  • AnT
    AnT over 1 year

    Consider the following situation.

    Let's say I have two interactive local user accounts registered on my machine: Admin (member of Administrators group) and Alice (member of Users group). Let's say on my hard drive I have a folder Test with the following security settings:

    Owner : Alice
    Permissions:
      System : Full Control
      Administrators: Full Control
      Alice : Full Control
    

    Now, if I log in under Admin account and attempt to open the folder Test, Windows will initially refuse to do so. It will display a message box saying

    "You don't currently have permissions to access this folder"
    

    My first question is: why? I'm logged in as Admin - a member of Administrators group - and therefore I'm supposed to have full control of the folder. Why does Windows say that I don't currently have permissions?

    Now, the aforementioned message box will also offer me the opportunity to "Click Continue to permanently get access to this folder". If I click "Continue", I'll be allowed to open folder Test. And, as a consequence of that, the security settings of Test will change to

    Owner : Alice
    Permissions:
      System : Full Control
      Administrators: Full Control
      Alice : Full Control
      Admin : Full Control
    

    As you can see, Windows automatically added an extra entry Admin: Full Control to the list. After that I will be able to access Test without any restrictions. However, the above set of security permissions seems to be redundant to me. It already included Administrators: Full Control entry from the very beginning. Why wasn't that sufficient?

    So, my second question is: why would Windows need an extra Admin: Full Control entry to finally give Admin that "full control".

    What is the formal logic behind this behavior?


    Some clarifications

    Note, this question is not about my Admin account not being "all-powerful Administrator that can do whatever he wants". I don't expect my Admin account to be all-powerful at all. In fact, at the most basic level I don't care about any special rights of my Admin account. It is just some account that belongs to some group.

    My question is about file system access rights granted through group membership.

    Consider another example. Let's say I created some random user group called Ugly Ducklings. And I added regular users Alice and Bob to the Ugly Ducklings group.

    Then I create folder DucklingTest with the following permissions

    Owner : Alice
    Permissions:
      Ugly Ducklings : Full Control
    

    Now, if I log in as Bob I will indeed have full control over DucklingTest folder (!).

    Why?

    Is my Bob an all-powerful administrator? No. Is my Bob privileged in any way? No. Do I have to "elevate" Bob somehow, to perform access to DucklingTest? No.

    So, why does Bob have full control over DucklingTest folder?

    Easy. Bob has full control over DucklingTest folder because Bob is a member of Ugly Ducklings group and Ugly Ducklings group has been granted full control permissions over DucklingTest. End of story.

    How come the same logic does not apply to Admin and Administrators? Admin is a member of Administrators group and Administrators group has been granted full control permissions over Test folder. What's missing here? What kind of extra "control" Windows is trying to enforce in this case by imposing what looks like extra restrictions on members of Administrators group?

  • AnT
    AnT over 8 years
    Sorry, this does not look relevant at all. You apparently decided my question is about my Admin not being "admin enough". No, this is not what the question is about. Not even close. The question is about file system permissions and their operation with no relation to any "super-rights" supposedly assigned to administrators. I can create a folder owned by Alice and grant Users : Full Control rights on that folder. Under such rights user Bob (also a member of Users) will be able to freely enter that folder. And Bob is not even a member of Administrators group!
  • DavidPostill
    DavidPostill over 8 years
    @AnT Then please clarify your question. As it stands, your question does not mention Users : Full Control at all. What your question does say is that Admin doesn't initially have the correct permissions. That is what my answer explains. Admin : Full Control is not the same as Administrators: Full Control. Admin is a user. Administrators is a group.
  • DavidPostill
    DavidPostill over 8 years
    @AnT "If you want to do something that needs Administrators privileges using an account created (for example Admin) and placed in Administrators group you will have to either: Confirm the privilege elevation when requested, or Run as Administrator by right clicking the application and selecting the option."
  • DavidPostill
    DavidPostill over 8 years
    @AnT "Click Continue to permanently get access to this folder" is Confirming the privilege elevation when requested as I stated in my answer.
  • AnT
    AnT over 8 years
    If I grant Users : Full Control permission, Bob will be able to open the folder because Bob is a member of Users group. Then why Admin (who is a member of Administrators group) cannot open the same folder in the very same way through the same logic? Again, I don't care how "powerful" (or "powerless") my Admin is. All I care about is that my Admin is a member of Administrators. Why the logic that allowed Bob to enter does not apply to Admin? Why a "mere-mortal" group Users (and therefore Bob) seems to be less restricted (in group rights) than Administrators group?
  • AnT
    AnT over 8 years
    No, clicking "Continue to permanently..." does not perform privilege elevation in its normal sense. It simply performs automatic update of security permissions, as described above. Privilege elevation is always temporary. What happens in this case is permanent.
  • AnT
    AnT over 8 years
    I can create a group named, say, Ugly Ducklings. And I can give Ugly Ducklings full control over folder Test (and no one else). After that any member of Ugly Ducklings will be able to freely open that folder and do absolutely anything to it. Why does some random group Ugly Ducklings work "as expected", while Administrators group doesn't work that way?
  • DavidPostill
    DavidPostill over 8 years
    @AnT Answer updated.