File permissions "Administrators: Full Control". Why isn't it always sufficient?
If I click "Continue", I'll be allowed to open folder Test
The following explains why Windows automatically adds an extra entry Admin: Full Control to the list
.
Assume that User Account Control (UAC) is enabled, and you use Windows Explorer to access a folder for which you don’t have Read permissions.
Additionally, the folder is not marked by both the Hidden and System attributes. In this situation, Windows Explorer displays a dialog box that prompts you with the following:
"You don’t currently have permission to access this folder. Click Continue to permanently get access to this folder"
Note:
- In Windows Vista and Windows Server 2008, the second sentence does not include the word “permanently”; it just says “Click Continue to get access to this folder.”
You then have the option to click Continue or Cancel. (Continue is selected by default.)
If you click Continue, UAC tries to obtain administrative rights on your behalf.
Depending on the UAC security settings that control the behavior of the UAC elevation prompt, and on whether you are a member of the Administrators group, you may be prompted for consent or for credentials.
Or, you may not be prompted at all. If UAC can obtain administrative rights, a background process will change the permissions on the folder, and on all its subfolders and files, to grant your user account access to them.
In Windows Vista and Windows Server 2008, the background process grants your user account Read and Execute permissions. In later versions of Windows, this process grants your user account Full Control.
This behavior is by design. But because the typical pattern with UAC elevation is to run an instance of the elevated program with administrative rights, users may expect that by clicking Continue, this will generate an elevated instance of Windows Explorer and not make permanent changes to file system permissions.
However, this expectation is not possible, as Windows Explorer’s design does not support the running of multiple process instances in different security contexts in an interactive user session.
If UAC is disabled, UAC elevation is not possible.
All programs that are run by members of the Administrators group, including Windows Explorer, always have administrative rights.
Therefore, administrators do not need to use elevation to access resources that require administrative rights.
For example, if a folder grants access only to the Administrators group and the System account, an administrator can browse it directly without being prompted to alter the folder’s permissions.
If the user does not have Read permissions, Windows Explorer displays the dialog box that was described earlier.
However, if UAC is disabled, Windows cannot request administrative credentials on behalf of the user through a UAC elevation prompt.
Therefore, Windows will not start a background process with administrative permissions in order to change file system permissions.
However, if the user clicks Continue and the folder’s current security descriptor grants the user permission to both read and change the object’s permissions, Windows will start the background process in the user’s current security context and modify the folder’s permissions to grant the user greater access, as described earlier.
The user may have permission to read and change the object’s permissions from object ownership or from the object’s access control list (ACL).
I'm logged in as Admin - a member of Administrators group
and therefore I'm supposed to have full control of the folder. Why does Windows say that I don't currently have permissions?
The account called Admin
is not the built-in Administrator
account (which is named Administrator
).
The built-in Administrator account doesn't require privilege elevation, while users you create and put in Administrators group do (assuming UAC hasn't been disabled).
If you want to do something that need Adminstrators privileges using an account created (for example Admin
) and placed in Administrators group you will have to either:
Confirm the privilege elevation when requested, or
Run as Administrator by right clicking the application and selecting the option.
An Administrator is not THE Administrator
A user was trying to set the owner of a file to "Administrator." The user was unable to do this even though he was logged on as an administrator. Why won’t the system let an administrator change the owner of a file to Administrator? Don’t administrators have permission to take ownership of files?
...
So do you know the difference between Administrator and Administrators?
Administrator is an account.
- If a permission or privilege is granted to Administrator, it can be done only by someone logged in with the Administrator account, that is, the account whose name defaults to Administrator (in English).
Administrators, on the other hand, is a group.
If you are a member of the Administrators group of a machine, you have been granted administrator privileges on that machine.
It is membership in the Administrators group that people refer to when they say things like "I’m an administrator on this machine."
The use of an indefinite article ("an") as opposed to a definite article ("the") highlights that the user is just one of many administrators.
Things are more ambiguous when people say something like "I’m running as administrator." This could mean either they are running as the Administrator account or that they are running with an account that is a member of the Administrators group.
Once you understand this difference, it becomes clear why the user I mentioned earlier was unable to reassign ownership of the file.
The user was logged on with an account that belongs to the Administrators group—but not with the Administrator account itself.
Let’s call the user’s account "Bob." The SeTakeOwnershipPrivilege privilege is assigned to members of the Administrators group, allowing members of this group to assign ownership to themselves. However, this privilege does not let members assign ownership to somebody else.
In this example, Bob could assign ownership of the file to Bob. But he is mistakenly trying to assign ownership to Administrator and since Bob is not the same as Administrator, the operation fails.
The user needs to log on with the Administrator account and take ownership of the files from there. In this case, the Administrator is assigning ownership to himself. (Alternatively, Bob could enable
SeRestorePrivilege
before setting the owner.
- This method is somewhat unorthodox, however, since
SeRestorePrivilege
is intended to be used by backup restore programs.)
Source An Administrator Is Not the Administrator
Further reading
Related videos on Youtube
AnT
Updated on September 18, 2022Comments
-
AnT over 1 year
Consider the following situation.
Let's say I have two interactive local user accounts registered on my machine:
Admin
(member ofAdministrators
group) andAlice
(member ofUsers
group). Let's say on my hard drive I have a folderTest
with the following security settings:Owner : Alice Permissions: System : Full Control Administrators: Full Control Alice : Full Control
Now, if I log in under
Admin
account and attempt to open the folderTest
, Windows will initially refuse to do so. It will display a message box saying"You don't currently have permissions to access this folder"
My first question is: why? I'm logged in as
Admin
- a member ofAdministrators
group - and therefore I'm supposed to have full control of the folder. Why does Windows say that I don't currently have permissions?Now, the aforementioned message box will also offer me the opportunity to "Click Continue to permanently get access to this folder". If I click "Continue", I'll be allowed to open folder
Test
. And, as a consequence of that, the security settings ofTest
will change toOwner : Alice Permissions: System : Full Control Administrators: Full Control Alice : Full Control Admin : Full Control
As you can see, Windows automatically added an extra entry
Admin: Full Control
to the list. After that I will be able to accessTest
without any restrictions. However, the above set of security permissions seems to be redundant to me. It already includedAdministrators: Full Control
entry from the very beginning. Why wasn't that sufficient?So, my second question is: why would Windows need an extra
Admin: Full Control
entry to finally giveAdmin
that "full control".What is the formal logic behind this behavior?
Some clarifications
Note, this question is not about my
Admin
account not being "all-powerful Administrator that can do whatever he wants". I don't expect myAdmin
account to be all-powerful at all. In fact, at the most basic level I don't care about any special rights of myAdmin
account. It is just some account that belongs to some group.My question is about file system access rights granted through group membership.
Consider another example. Let's say I created some random user group called
Ugly Ducklings
. And I added regular usersAlice
andBob
to theUgly Ducklings
group.Then I create folder
DucklingTest
with the following permissionsOwner : Alice Permissions: Ugly Ducklings : Full Control
Now, if I log in as
Bob
I will indeed have full control overDucklingTest
folder (!).Why?
Is my
Bob
an all-powerful administrator? No. Is myBob
privileged in any way? No. Do I have to "elevate"Bob
somehow, to perform access toDucklingTest
? No.So, why does
Bob
have full control overDucklingTest
folder?Easy.
Bob
has full control overDucklingTest
folder becauseBob
is a member ofUgly Ducklings
group andUgly Ducklings
group has been granted full control permissions overDucklingTest
. End of story.How come the same logic does not apply to
Admin
andAdministrators
?Admin
is a member ofAdministrators
group andAdministrators
group has been granted full control permissions overTest
folder. What's missing here? What kind of extra "control" Windows is trying to enforce in this case by imposing what looks like extra restrictions on members ofAdministrators
group? -
AnT over 8 yearsSorry, this does not look relevant at all. You apparently decided my question is about my
Admin
not being "admin enough". No, this is not what the question is about. Not even close. The question is about file system permissions and their operation with no relation to any "super-rights" supposedly assigned to administrators. I can create a folder owned byAlice
and grantUsers : Full Control
rights on that folder. Under such rights userBob
(also a members ofUsers
) will be able to freely enter that folder. AndBob
is not even a member ofAdministrators
group! -
DavidPostill over 8 years@AnT Then please clarify your question. As it stands, your question does not mention
Users : Full Control
at all. What your question does say is thatAdmin
doesn't initially have the correct permissions. That is what my answer explains.Admin : Full Control
is not the same asAdministrators: Full Control
.Admin
is a user.Administrators
is a group. -
DavidPostill over 8 years@AnT "If you want to do something that need Adminstrators privileges using an account created (for example Admin) and placed in Administrators group you will have to either: Confirm the privilege elevation when requested, or Run as Administrator by right clicking the application and selecting the option. "
-
DavidPostill over 8 years@AnT "Click Continue to permanently get access to this folder" is Confirming the privilege elevation when requested as I stated in my answer.
-
AnT over 8 yearsIf I grant
Users : Full Control
permission,Bob
will be able to open the folder becauseBob
is a member ofUsers
group. Then whyAdmin
(who is a members ofAdministrators
group) cannot open the same folder in the very same way through the same logic? Again, I don't care how "powerful" (or "powerless" myAdmin
is). All I care about is that myAdmin
is a member ofAdministrators
. Why the logic that allowedBob
to enter does not apply toAdmin
? Why a "mere-mortal" groupUsers
(and thereforeBob
) seems to be less restricted (in group rights) thanAdministrators
group? -
AnT over 8 yearsNo, clicking "Continue to permanently..." does not perform privilege elevation in its normal sense. It simply performs automatic update of security permissions, as described above. Privilege elevation is always temporary. What happens in this case is permanent.
-
AnT over 8 yearsI can create a group named, say,
Ugly Ducklings
. And I can giveUgly Ducklings
full control over folderTest
(and no one else). After than any member ofUgly Ducklings
will be able to freely open that folder and do absolutely anything to it. Why does some random groupUgly Ducklings
work "as expected", whileAdministrators
group doesn't work that way? -
DavidPostill over 8 years@AnT Answer updated.