Friday, January 28, 2011

Administrator File Modification Privilege

Windows Server 2008 apparently allows an application to somehow configure the folder so that any changes made within the folder require administrator level access. I log in with an account that has administrator privileges, but is not the local administrator account. When I do so I find that I can't save changes to files opened within this folder. I know I can open the application as administrator or move the file out of the folder, make the change, then move it back in, but I'm hoping there is a better way short of disabling the protection entirely. Is there a way perhaps to remove it for the files I frequently edit?

  • There is something not clear for me. If the account has administrative privileges (part of the administrators group), there should be nothing stopping you. Can you elaborate more on the application you refer to (name, use, etc)?

    Would setting explicit permissions to such directory fix the problem? Add yourself with the appropriate access to that directory ACL, that should work.

    Leigh Riffel : Yes, the account is part of the administrators group. Looking at the Effective Permissions this user has Full Control on the files in question. The files are just text files that I am trying to edit with notepad. The application is Oracle 11g 64-Bit.
  • I believe this behavior is a feature of UAC. As I understand it, when UAC is enabled Windows basically doesn't allow your Administrator privileges to actually be used without a prompt. In some cases related to accessing shares or the filesystem it doesn't seem to display the prompt when it seems like it should. Unfortunately I haven't found a way to get around the issue, and had to disable the UAC.

    Anyway, I suggest you try disabling UAC. If it fixes your issue, you can decide if you want to leave it disabled or futz with the settings to see if you can actually get it to work right.

    To turn off UAC (from here)

    1. Click Start, and then click Control Panel.
    2. In Control Panel, click User Accounts.
    3. In the User Accounts window, click User Accounts.
    4. In the User Accounts tasks window, click Turn User Account Control on or off.
    5. If UAC is currently configured in Admin Approval Mode, the User Account Control message appears. Click Continue.
    6. Clear the Use User Account Control (UAC) to help protect your computer check box, and then click OK.
    7. Click Restart Now to apply the change right away, or click Restart Later and close the User Accounts tasks window.
    Leigh Riffel : I turned it off to verify that this was the problem, but I'm not sure I want to leave it that way.
    From Zoredache
  • Like Zoredache mentioned, this is the same UAC feature as in Vista. Your account that is in the Administrators group doesn't actually have elevated permissions until you ask for it on a per-application basis. When you open Explorer, it's just as if your Administrators membership was gone. Subsequently, when you double click a file from that un-elevated Explorer window, the app that runs (like Notepad) is also un-elevated. Your options are basically the following:

    • Turning off UAC is one way to work around this, however it's not very smart if this really is a production server. UAC is there for a reason and now that you know what the issue is, you should at least try to work with it before you disable it outright.

    • Another solution is to grant write access to the Users group (or any other group your account is a member of) for the subset of files/folders you'll be accessing often.

    • If you don't have a regular set of files/folders you would know to grant access to in advance, you can also manually run an elevated instance of Windows Explorer. You would think this was possible by searching for it in the Start Menu and right-click to "Run as administrator". But for some odd reason, that doesn't work. Instead, the way I usually do it is run an elevated instance of cmd.exe and then use the following command to open an explorer window at the root of C.

      explorer /e,c:\

    There may actually be easier ways to do this with the help of 3rd party tools or shell extensions, but this is the only way I know how to get an elevated Explorer instance out of the box.

    Leigh Riffel : Could you please elaborate on your second option? My understanding is that I already have write access. Is this different than file permissions and if so where do I add it?
    Leigh Riffel : Even when I run an elevated instance of explorer I still cannot open the file and save changes to it. I have to open notepad with elevated privileges then open the file from within notepad. Either that or copy the file to an unprotected location (like the desktop), make the changes and move it back.
    Ryan Bolger : It's hard to answer the first question without seeing the security ACLs on the files/folders in question. But most likely, the people with write access are the Administrators group and the SYSTEM account. The Users group likely only has Read/Execute access. Even though your account is in the Administrators group, that fact is ignored unless the process you're running is elevated.
    Ryan Bolger : Your second comment doesn't match my experience. I have an elevated explorer window open and create a new folder in the root of C: called Test. Inspecting the Security tab of the folder properties, I see Administrators and SYSTEM with full control, Users with Read/Execute, and CREATOR OWNER with special permissions. If I right-click and create a new empty text file in that folder, it inherits the permissions of the parent folder. Double clicking on that empty file opens an elevated Notepad allowing me to add text and save.
    Ryan Bolger : Doh, I just realized the default way I said you could run elevated Explorer from the start menu was wrong. It doesn't actually end up elevated (which I personally think is a bug). You have to do it from the pre-elevated command prompt.
    Ryan Bolger : Fixed my answer
    Ryan Bolger : Bleh, I don't mean to comment spam. I also meant to add that the easiest way to see what's actually going on with this is using the Process Explorer tool from sysinternals.com. If you double click the explorer.exe instance at the root of your login session and go to the Security tab, you'll see in the top section something like BUILTIN\Administrators set to Deny. If you check the same section on a process you've elevated, BUILTIN\Administrators should be set to Owner.
    Leigh Riffel : I understand your third point now that you corrected it. I created a batch file to run explorer and then a shortcut to the batch file on the desktop so I can change the icon. By opening the shortcut with Run as Administrator I can get the elevated Explorer that can open documents with elevated privileges. Thanks.
    Leigh Riffel : Interesting. I added explicit write permissions on the file and was able to modify it even though my effective permissions already showed that I could. I removed that and then tried to apply write permissions from the root level and have that cascade. That looked like it would work but didn't, so I took ownership of the folder and cascaded that. For some reason the third folder in is only how far the permissions cascade, so I modified that folder's permissions and let them cascade and that did the trick.
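The checks and the scoped-permission fix discussed in this answer and its comments, as an added PowerShell example (not code from the thread). It assumes a placeholder folder C:\oracle\product, a placeholder file tnsnames.ora inside it, and a hypothetical group OraFileEditors that should get write access to just the files edited often.

```powershell
# Added example, not from the original thread. Placeholder paths and group name.
$folder = 'C:\oracle\product'                 # placeholder protected folder
$file   = Join-Path $folder 'tnsnames.ora'    # placeholder file edited often
$group  = 'OraFileEditors'                    # hypothetical group for scoped write access

# 1. Is this session elevated? Under UAC a member of Administrators runs with a
#    filtered token unless the process was started with "Run as administrator".
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}
"Elevated: $(Test-IsElevated)"

# 2. How the filtered token treats Administrators. In a non-elevated session whoami
#    lists BUILTIN\Administrators with "Group used for deny only"; this is the same
#    thing Process Explorer shows as "Deny" on the process Security tab.
whoami /groups | Select-String 'BUILTIN\\Administrators'

# 3. The actual ACEs on the file, rather than the Effective Permissions tab, which
#    assumes the Administrators membership is usable.
(Get-Acl $file).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 4. Folders where inheritance is blocked, which is why permissions applied at the
#    root stop cascading partway down the tree (as in the comment above).
Get-ChildItem $folder -Recurse |
    Where-Object { $_.PSIsContainer -and (Get-Acl $_.FullName).AreAccessRulesProtected } |
    Select-Object FullName

# 5. Scoped fix from the answer's second option: grant Modify to a dedicated group on
#    just this file, instead of disabling UAC or widening permissions on the whole tree.
#    Must run elevated; /grant:r replaces any existing ACE for that group.
if (Test-IsElevated) {
    icacls $file /grant:r "${group}:(M)"
}
```

Step 4 is the quickest way to find the "third folder in" where a cascade from the root stops; fixing inheritance there (or applying the grant there) is narrower than taking ownership of the entire tree.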
  • Disable "Admin Approval Mode" in UAC for the administrators group. For the Built-in Administrator account it is disabled by default, but enabled for the administrators group.

    • Start > Administrative Tools > Local Security Policy > Local Policies > Security Options.
    • Then find (third from the bottom) "User Account Control: Run all administrators in Admin Approval Mode", right-click, properties, Disable.

    You can see it disabled for the Built-in Admin account a few above (10 from bottom).
