13 februarie 2012 23:05
I'm a little confused on how permissions are applied in windows 7.
I noticed that like some folders in Program Files, an install directory from a program (in this case the Oracle client), have no options under their 'New' context menu other than to create a folder. In order to restore the context menu items I had to take ownership of the folder AND give my user account full control despite being a member of the local administrators group which also has full control. Why isn't access inherited from Administrators enough here?
At the same time, I've found that I can create a file with a command prompt with "run as administrator" using echo hello>test.txt without having direct permissions.
Other folders have only administrators on it and I can access the "new" menu just fine.
What mechanisms are at play here? What is the flow for checking permissions? I'd like to definitively understand this so I can effectively troubleshoot it. I'm guessing that user access control is the variable I'm missing but that's a guess.
15 februarie 2012 08:28Moderator
15 februarie 2012 20:36
One of those articles involves something along Opalis Integration Server Client and the other describes a fairly simplistic senario of where a child object has a different permission than the parent - not much mystery there. My question revolves around group vs user permissions.
Again, there are no permissions applied directly to the user, but instead the administrators group (which the user is a member of). Yet the 'New' context menu's only option is 'new folder'. As soon as I add the user directly to the folder, the other options appear under 'New.' is there some special permissions mechanism for the 'New' menu that doesn't look at group memebership?
20 februarie 2012 02:28Moderator
Please check the deny permission for this user or the groups this user belongs to.
Denied permissions are always checked before allowed, if System finds that the user matchs a denied rules when doing security checks, it will stop security check and deny the user's request despite this user in the other allowed rules.
TechNet Community Support
- Editat de Juke ChouMicrosoft Contingent Staff, Moderator 20 februarie 2012 02:29
20 februarie 2012 14:51There are no deny rules are assigned to any of the groups the user is a member of.