none
As administrator, I cannot edit certain files unless I add read/write/etc. for the Users group. RRS feed

  • Question

  • I'm administering a Subversion server running on Windows Server 2008 R2.  When I need to add access to SVN repositories, I need to edit a svnaccess.txt file.  This file sits under C:\Program Files(x86)\CollabNet\Subversion Server.  When I attempt to edit the file, though, I cannot save it unless I save it to a new file.

    My account is part of the local administrators group.  All of the folders and subfolders in the path have Full Control enabled for Administrators.  The file itself also has Full Control enabled for Administrators.  Yet, the only way I can edit this file is to add Modify and Write permissions to the local Users group even though my account is only part of the local administrators group.

    What's odd too, is that if I can edit these permissions I must have the appropriate administrator privileges.

    I searched for this a while back and recall seeing a hotfix for this as it was a known bug in Windows Server 2008, however, I cannot for the life of me find this link anymore nor do I see a fix like this on the hotfix spreadsheet.  I need to locate the hotfix that corrects this to provide to our system admins.  For some reason, they will only install hotfixes if a problem is identified.

    If anyone knows of the hotfix that corrects this issue, please let me know! :)

    Thank you!

    Monday, December 15, 2014 7:34 PM

Answers

  • Hi,

    As you said, if a user account belong to local Administrators account, when only Administrators group has permission on a folder, all admins except Administrator account will not have permission to access it.

    This is caused by UAC. All accounts in local Administrators group are actually working as standard accounts. When an Administrator action need to be performed, a prompt will occurs for permission to promote to admin permission. As only Administartors group has permission on a folder and the account we are using is working like a standard account, we will be denied from accessing.

    A workaround is to create a new group for all admins and give the group enough permission for accessing the target folder.

    Or you could run all accounts in Administartors group in Admin mode. See this article:

    UAC Group Policy Settings and Registry Key Settings

    http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, December 16, 2014 9:40 AM
    Moderator
  • Hi,

    Have you tried to manually add the account specifically into NTFS permissions with Full Control permission? 

    Or you can try to change the policies to enable Admin Approval Mode.

    As you did not receive elevate prompt, I assume it is also caused by UAC policy. See:

    Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options | Scroll down to the bottom.

    "User Account Control: Run all administrators in Admin Approval Mode: Enabled"

    "User Account Control: Behavior of the elevation prompt for standard users: Prompt for Credentials: Enabled"

    A similar case could be found here:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/847c70a8-742f-4d9e-8fdd-bba0ad25ea13/all-users-required-for-folder-access?forum=winserversecurity


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, December 22, 2014 2:13 AM
    Moderator

All replies

  • Hi,

    As you said, if a user account belong to local Administrators account, when only Administrators group has permission on a folder, all admins except Administrator account will not have permission to access it.

    This is caused by UAC. All accounts in local Administrators group are actually working as standard accounts. When an Administrator action need to be performed, a prompt will occurs for permission to promote to admin permission. As only Administartors group has permission on a folder and the account we are using is working like a standard account, we will be denied from accessing.

    A workaround is to create a new group for all admins and give the group enough permission for accessing the target folder.

    Or you could run all accounts in Administartors group in Admin mode. See this article:

    UAC Group Policy Settings and Registry Key Settings

    http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, December 16, 2014 9:40 AM
    Moderator
  • Thank you for the reply.

    I'm still very confused by this.  If my account belongs to the Administrators group, and the Administrators group has Full Control over the directories and files, then it seems counter intuitive that I would need to add additional privileges to the Users group in order to edit the file.  Not really seeing in this case what the point of setting permissions for the Administrators group is.

    Tuesday, December 16, 2014 3:28 PM
  • Also, I do not receive a prompt to elevate permissions.  So this seems like it's not acting according to what the link you provided says it should.

    Thanks!

    Tuesday, December 16, 2014 3:33 PM
  • Hi,

    Have you tried to manually add the account specifically into NTFS permissions with Full Control permission? 

    Or you can try to change the policies to enable Admin Approval Mode.

    As you did not receive elevate prompt, I assume it is also caused by UAC policy. See:

    Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options | Scroll down to the bottom.

    "User Account Control: Run all administrators in Admin Approval Mode: Enabled"

    "User Account Control: Behavior of the elevation prompt for standard users: Prompt for Credentials: Enabled"

    A similar case could be found here:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/847c70a8-742f-4d9e-8fdd-bba0ad25ea13/all-users-required-for-folder-access?forum=winserversecurity


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, December 22, 2014 2:13 AM
    Moderator
  • el tema es bien fácil, yo tuve problema con modificar detalles en la tarjeta de red desde el panel de control, y no se podía, me salía el mensaje: "La operación solicitada requiere elevación"

    y es que debes ir al servidor que configuras el active directory y al usuario que se creó

    click derecho / propiedades / pestaña "miembro de"

    boton "agregar" / boton "avanzadas"

    y adicionas:

    ADMINISTRADOR

    ADMINIST. DE DOMINIO.

    y para que se actualiza en la pc del usuario 

    en "ejecutar" escribes 

    gpupdate /forces

    para que se actualize, aunque mejor lo reinicias el pc del usuario y listo !

     
    Wednesday, April 24, 2019 4:37 PM