locked
User can't save a file despite Authenticated Users having Full Control. RRS feed

  • Question

  • This post is in regards to a new 64- bit Win 7 machine on a network of about 20 computers. On the c: drive of this machine, authenticated users have Full Control. However, when a regular user logs on and tries to save a file to the root of the c: drive, they get an error saying "A required privilege is not held by the client". Myself, on the other hand, can log into the machine and save without a problem. The only group I belong to to which he does not is Domain Admins. Obviously, that group is allowing me to save. But, if he is an authenticated user, why can't he save?
    Friday, September 24, 2010 8:33 PM

Answers

  • With UAC enabled, standard users (or domain users) have limited access to change the underlying operating system and core files (including the local filesystem).  Your options are:

    1. Make Domain Users a member of the local Administrators group (not recommended)
    2. Turn off UAC (not recommended)

    Why do Domain Users need full access to the local filesystem?  This is really not a recommended approach - a better way would be to uniformly provision local folders they can access which you can centrally manage with GPO.

    • Proposed as answer by Cloud_TS Monday, September 27, 2010 9:01 AM
    • Marked as answer by Linda Yan Friday, October 8, 2010 2:29 AM
    Sunday, September 26, 2010 10:40 PM

All replies

  • With UAC enabled, standard users (or domain users) have limited access to change the underlying operating system and core files (including the local filesystem).  Your options are:

    1. Make Domain Users a member of the local Administrators group (not recommended)
    2. Turn off UAC (not recommended)

    Why do Domain Users need full access to the local filesystem?  This is really not a recommended approach - a better way would be to uniformly provision local folders they can access which you can centrally manage with GPO.

    • Proposed as answer by Cloud_TS Monday, September 27, 2010 9:01 AM
    • Marked as answer by Linda Yan Friday, October 8, 2010 2:29 AM
    Sunday, September 26, 2010 10:40 PM
  • Thanks for the response. This has turned out to be one of those situations in which you curse the network admin before you who allowed a bunch of hullabaloo to take place. 

    So, the reason that someone needs to be able to save to the c: drive is that our custom built database from 2000, built on dbase with a sql backend, automatically saves most reports to that location. I'm relatively young so I can't say whether or not that was kosher in 2000 but as of 2010, that's a stupid thing to do. Unfortunately, it's too complicated and expensive to have the save location changed. Luckily, only certain users run reports in addition to the fact that we're upgrading our database in 6-months or so to an online crm. 

    Because of all of this, I'm going to add the Domain Users group to the Local Admins group on the pcs of those who need these reports. And in 6 months, when this silly database is taken out of its misery, I won't miss it one bit. 

    Again, thanks for your help.

    Wednesday, September 29, 2010 2:00 PM