Windows folder permissions, Administrators and UAC, what's the "right" way to deal with this?
Solution 1
The solution is to simply manage the server remotely. The UAC filtering of the administrator privileges only applies when you are accessing the local system.
With the release of Server Core, Microsoft has been strongly encouraging people to remotely administer servers instead of connecting to them directly to manage them.
Of course if you have a really small network this may not be feasible, so disabling the UAC is fine, or adjusting the filesystem permissions so that another group is used instead of administrators to grant permissions.
Solution 2
The best way is to define a new group containing members that you consider to be administrators of that folder. If you have an AD domain, you can create this group in AD and then add that group to the Administrators group (of the local machine) and avoid having to administer two groups.
Note: If you're trying this locally, remember you have to log off and back in again for the new permissions to take effect.
Solution 3
There are two options to work around this limitation easily:
- Use a file manager of your choice (total commander, eg) and run it as administrator (preferred)
- Disable the explorer UAC restriction: http://www.msfn.org/board/topic/144776-unable-to-open-an-elevated-windows-explorer-window/
Solution 4
Grant Read/Execute permission at the drive root the built-in principal called "Interactive". Then no change to UAC is required.
This way people logged into the desktop remotely or "locally" (VM console or physical screen and keyboard) can still browse files and run programs even with UAC enabled.
For example, you could remove the default "Users can read and create everything from the root" permission to lock down the server sensibly, but avoid the inability to effectively logon, browse files and navigate to where you want to change settings as administrator.
As soon as you open the security dialog and want to change permissions, a button appears to change the settings as administrator. So you get the best of both worlds:
- No restriction to "local" admin/operator browsing of the structure and content of the disks.
- Protection against changes by non-administrators.
The only difference to the standard permissions, is we are not saying that only local "Users" accounts can read everything, but only people granted access to the Windows console, i.e. that logically means "physical" (or virtual) "interactive" server access, which is not just granted to anybody. This may not work for terminal servers unless there is a better way to distinguish between those types of sessions (suggest edit if you know that).
Of course the first advice is use server core/remote admin whenever possible. But when not, this helps avoid the common end-effect that a server were the default users permissions are removed end-up with dozens of personal user account permissions applied all over the place. And it's not really the fault of the administrator, they are just trying to do their job with standard tools without any special complexity (just use File Explorer normally).
Another positive effect of this solution, is by being able to lock-down the root drive permissions and still have the server "usable" for the administrator logged onto the desktop, the need to disable inheritance to remove unwanted permissions from above often disappears. The fact that all users can read and create whatever they want below your shared path by default is a common reason to disable inheritance when nobody wants to deal with the "root" cause ;-)
Related videos on Youtube
02 : 01
02 : 18
01 : 53
02 : 14
01 : 54
TessellatingHeckler
Updated on September 18, 2022Comments
-
TessellatingHeckler almost 2 years
I have a folder with permissions:
- Administrators (group): Full.
- J. Bloggs: Full.
I'm logged in as a member of the Administrators group.
I can't open the folder in Explorer because "you do not have permission".
I suspect this is because normal processes do not have the administrator permission token because of UAC, unless you also 'run as administrator'. But I can't do that for Windows Explorer, can I?
So my options seem to be: - Click the button to take ownership (ruins ownership, takes ages on large folders, doesn't solve for other administrators) - Add each individual administrator account with full permissions so it works without the admin token (administrative mess, what's the point in groups)
This is a really annoying design, I must be missing something. How is it supposed to work? What's the 'right' way for an administrator to get into a folder that administrators have access to?
-
john almost 11 yearsI think Explorer only runs elevated when you are logged in as the local administrator of that machine.
-
tony roth almost 11 yearsThis is one of the reasons why ms updated their security recommendations about using uac on servers. support.microsoft.com/kb/2526083
-
TessellatingHeckler almost 11 yearsTony, that's a complete surprise to me, after so long putting up with UAC prompts "for the greater good", to hear Microsoft say there is not, and can never be, any greater good on the server side. Quote: """When all the administrative userβs tasks require administrative rights, and each task could trigger an elevation prompt, the prompts are only a hindrance to productivity. In this context, such prompts do not and cannot promote the goal of encouraging development of applications that require standard user rights""". Brilliant. MS approval to turn UAC off! (in certain, limited situations).
-
tony roth almost 11 yearsthis statement "UAC should also remain enabled if administrators run risky applications on the server such as web browsers, email clients, or instant messaging clients, or administrators perform other operations that should be performed from a client operating system such as Windows 7." is the key to all of this.
-
Ben Personick over 4 yearsYou CAN run Explorer with Elevated privileges, First:
open Task Manager, go to details, kill the existing explorer running as your user.(Note: your start menu and folders etc. will disappear), then, still in task manager:Click File, Start New Process, Type Explorer, and select the "Run task with administrative privileges" checkbox, and hit OKYour Start menu will re-appear, you are now able to continue on without needing to elevate each time you access a folder or file that you have permissions to only through the Administrative users' group.
-
TessellatingHeckler almost 11 yearsThe first is a pragmatic suggestion from you for how to work around this, but it cannot be Microsoft's intention for how to deal with this, that would be ridiculous. The second is clever and interesting, but I'm not doing that kind of registry bodging on live servers.
-
john almost 11 yearsSo would eg. \\localhost\c$ allow administrators to view as administrator? Think I've seen this done before.
-
TessellatingHeckler almost 11 yearsBut that isn't a solution at all, because I'm not logged in as an administrator on my desktop. (I'm not even logged in on the same domain, and there's no trust relationship between them)).
-
Zoredache almost 11 yearsYou don't have to access the remote system using the credentials you used to login. Connect to the remote system as administrator.
net use \\server\share /user:adminuser. -
Dan over 9 yearsThis is how we solved the problem. We have groups like "Billing-Dept", "IT-Dept", etc. Makes much more sense in the context of a single folder than "Domain Admins".
-
FooBee over 6 yearsT.his needs a better explanation.
-
Tony Wall almost 6 yearsThis is the correct general answer but there are still too many Microsoft and OEM server products which require desktop interaction to manage or reconfigure them effectively. The original question is valid and a solution for the "Windows" server desktop is required. It's strange that the defaults of Microsoft do not support this without granting all local users access to read and create everything from the root. I added a lot of detail in a suggested edit to the answer from @PaGeY so I hope he accepts that because currently I believe that's the best alternative when core admin is not possible.
-
Tony Wall almost 6 yearsI suggested an edit with full details because this answer is quite good when a desktop is necessary. I hope @PaGeY accepts it.
-
Zoredache almost 6 years@TonyWall you should probably consider adding your own answer.
