Strange ACL behavior

    Question

  • Hello,

    I have just upgraded from Windows 2008 to Windows 2008 R2 and I happen to have a strange behavior with the files on my data disk (so, not in a system folder).

    My user is a member of the administrators group.

    The administrators group is granted full control on the root of my D: drive.

    The owner of the files also is set to the administrators group.

    I can't do anything with my files (I can't even rename them) without being prompted by UAC for administrator authorisation!

    Now even stranger... If I add the full control right for my user (and not group) I can now rename or move my files without being annoyed by UAC...

    Why don't I inherit from the rights granted to the administrators group?

    Thanks in advance!

    Cédric

    Monday, May 10, 2010 10:38 PM

All replies

  • Hi Cédric,

    I cannot reproduce the issue on my system.

    Please let me know the current permission settings on Drive D. You can choose Properties on Drive D, go to the Security tab, and click Advanced. Let me know the entries listed in the Permissions tab, and the owner listed in the Owner tab.

    Also please choose a folder or a file in Drive D, check their permission settings and let me know the result.

    Tuesday, May 11, 2010 9:21 AM
  • Hi,

    First of all, thanks for replying.

    Here are the settings that you requested.

    D drive settings :

    "Any file" settings :

    Here is the message that I get when I try to rename the file :

    And here is the configuration of my user (as you can see, I am in the administrators group) :

    Tuesday, May 11, 2010 10:29 AM
  • Hi,

    I noticed that there are some permission settings applied to "subfolders" and "subfolders and files" on Drive D. Thus I suspect they are the cause of the issue. If possible, you can write down those settings as a backup and delete them for a test.

    In my test, I only apply "Administrators" with full control on Drive D, and folders under Drive D also have full control for the Administrators group. This works fine.

    Thursday, May 13, 2010 2:27 AM
  • Hi,

    I tried what you said but that made things worse.

    I removed every ACE on d: drive, then added full control for administrators group :

    The result is... that I can't even access my d: drive now :

    I also tried to change the scope of the ACE (replacing "This folder, subfolders and files" by "This folder only" but the error is the same).

    I spent hours trying to solve this issue and I tried so many things that I don't know what else I could do...
    The only thing that seems to work is to allow full control to my user directly.

    Thursday, May 13, 2010 4:04 PM
  • After testing more, I think I made mistakes. Sorry for the incorrect information.

    This time I formatted a partition (to get the default security permissions) and tried deleting each setting to check the result. After deleting the permission set for the Users group, we get the error "access is denied".

    As we know, user accounts in the Administrators group do not really work as administrators (except the default Administrator account). They request UAC to perform steps which need admin permission. So the fact is that the "access partition permission" is supported by the permission set for the Users group, although the account is in the Administrators group.

    Thus giving the user account full control permission should be the correct solution for this.

    Sorry again for the wrong test result, which led me to a wrong thought. I should have tested more times.

    Friday, May 14, 2010 6:05 AM
  • Hi Shaon,

    I'm a bit disappointed because I am in charge of configuring our servers to give access to our development team... and this means that I must reconfigure all folders every time we have a new member instead of just adding that member to the administrators group...

    Or I guess I should just disable UAC...

    Anyway, thanks for all your testing and useful information.

    Friday, May 14, 2010 8:28 AM
  • Hi Cedric,

    You can create a new group and give it full control on the drive. Every time a new member joins, add them to the new group.

    Or you can just add the Users group and give it full control. New members should be joined to the Users group automatically.

    Monday, May 17, 2010 2:35 AM
  • Hi,

    You are right, this is working correctly with another group.

    But then it does not seem logical to me that it doesn't work with the administrators group... If I add a user to the administrators group, he doesn't gain full control, if I add him to any other custom group with full control, he gains full control... this seems like a bug to me, doesn't it?

    Anyway, I can now deal with my problem, thanks again for your help!

    Monday, May 17, 2010 6:46 AM
  • Hi,

    Above all, it is by design that all accounts in the Administrators group work as standard users (except the Administrator account).

    Here is my understanding: an account in the Administrators group can "run as administrator" to do some jobs, such as running programs, changing file permissions, etc. But when accessing a root drive, it will not enable UAC to check if the account can "run as admin", so an "Access Denied" error occurs. We can find that this issue will not occur on a folder: UAC will occur when trying to access a folder with only "Administrators full control"; if you click Yes, the user will be added to the Security tab with full control permission.

    When we add the user, or another group which contains the user, to the Security tab, it means the folder can also be accessed by the users in the group with standard user permissions.

    Monday, May 17, 2010 8:58 AM
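
A simplified model of the access check behind this thread, added here as an illustration (it is not code from the thread or from Windows): under UAC, the non-elevated token of an Administrators member carries the Administrators SID as deny-only, so allow ACEs for that group are skipped, while ACEs for the user or for another group still match. The account and group names are constructed.

```python
from dataclasses import dataclass

ADMINS = "BUILTIN\\Administrators"
FULL = frozenset({"read", "write", "delete"})

@dataclass(frozen=True)
class Ace:
    kind: str          # "allow" or "deny"
    sid: str
    rights: frozenset = FULL

@dataclass(frozen=True)
class Token:
    enabled: frozenset    # SIDs matched against allow and deny ACEs
    deny_only: frozenset  # SIDs matched against deny ACEs only

def make_token(user, groups, elevated):
    """Build the elevated token or the UAC-filtered one for the same account."""
    sids = frozenset(groups) | {user}
    if elevated or ADMINS not in sids:
        return Token(sids, frozenset())
    return Token(sids - {ADMINS}, frozenset({ADMINS}))

def access_check(token, dacl, wanted):
    """Walk the DACL in order: a matching deny ACE stops the walk,
    allow ACEs accumulate until every wanted right is granted."""
    remaining = set(wanted)
    for ace in dacl:
        if ace.kind == "deny":
            if ace.sid in token.enabled | token.deny_only and remaining & ace.rights:
                return False
        elif ace.sid in token.enabled:
            remaining -= ace.rights
            if not remaining:
                return True
    return False

# Constructed sample data: account and group names are hypothetical.
USER, DEV_GROUP = "EXAMPLE\\dev1", "EXAMPLE\\DevTeam"
GROUPS = [ADMINS, DEV_GROUP, "BUILTIN\\Users"]
filtered = make_token(USER, GROUPS, elevated=False)
elevated = make_token(USER, GROUPS, elevated=True)

admins_only = [Ace("allow", ADMINS)]
with_user = admins_only + [Ace("allow", USER)]
with_group = admins_only + [Ace("allow", DEV_GROUP)]
deny_admins = [Ace("deny", ADMINS, frozenset({"delete"}))] + with_group

if __name__ == "__main__":
    for name, dacl in [("admins_only", admins_only), ("with_user", with_user),
                       ("with_group", with_group), ("deny_admins", deny_admins)]:
        print(name, access_check(filtered, dacl, {"write", "delete"}),
              access_check(elevated, dacl, {"write", "delete"}))
```

The `deny_admins` case shows the other half of deny-only: a deny ACE for Administrators still applies to the filtered token even though allow ACEs for that group do not.
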
  • Ok I understand now.

    Thanks again Shaon ;)

    Monday, May 17, 2010 9:50 AM