none
You don’t currently have permission to access this folder. Click Continue to permanently get access to this folder.

    Question

  • When locally logged on a Windows 2008 R2 standard server and try open a protected folder, you get the following message:

    You don’t currently have permission to access this folder. Click Continue to permanently get access to this folder.

     

    This is a follow-up to this thread .

    This is creating a lot of problems for us. We have a lot of admins member of Domain Admins using their separate Admin-enabled accounts. Whenever they enter a folder where the local group Users or everyone don't have access, the account cannot CD into that dir without adding its SID to the ACL of ALL FILES below in the structure, even though the membership Domain Admins has full access on the folder, and the account logged on has Domain Admins access.

    I refuse to disable UAC just because of this on all my 80+ Windows 2008 servers! What is this strange behaviour?

    Problems

    • Admins get confused and have problems understanding this behaviour, leading them to use the Administrator account instead thus lowering security
    • Clicking "Continue" on large folders adds the SID to all folders. When doing this on large folders it make take several days before a ACL traversal is complete
    • Admins might click abort on this ACL traversal, thus messing up ACLs on file structures

     

    Why, oh why?

    • Disabling UAC is out of question
    • We might use UNC paths for some activities, but operations like delete or similar takes ages when using remote tools, especially on large structures, thus this "workaround" is impossible for some tasks.

     

    • Edited by HAL07 Monday, June 7, 2010 12:39 PM
    Thursday, June 3, 2010 5:30 PM

All replies

  • I don't understand this strange behaviour either. I just changed the UAC Policy "Behaviour of the elevation prompt for administrators in Admin Approval Mode" to "Elevate without prompting" and the behaviour didn't change (though I haven't rebooted the server but just ran gpupdate /force).

    It's absolutely not reasonable that users included in the local admin group see this prompt! This just has to be changed! (or are we all missing something??)

    Monday, June 7, 2010 8:53 AM
  • Yes... the situation you describe is something I come up against regularly.

    It is a painful issue. Microsoft need to make  Explorer.exe so that it can run successfully in separate processes.

     That way you would be able to do a "Run as Administrator" and obtain a Windows Explorer window with a 'full administrator access token'. Then you would be  able to easily perform certain functions like manage file share file structures and so on, without having to have explicit user permissions added.

     


    Matt
    Tuesday, October 26, 2010 6:17 AM
  • Please read my blog post which describes what's going on and how to possibly elevate Explorer.exe (not supported though).

    http://www.theexperienceblog.com/2010/09/18/case-of-the-mysterious-issues-in-windows-7-and-windows-server-2008-r2/


    Blogging about Windows for IT pros at www.theexperienceblog.com
    Tuesday, October 26, 2010 6:22 AM
  • I've been successfully using the program Total Commander as my file explorer recently. This supports running elevated. Do like me and register it so he can continue programming it!

    As for this explorer issue, I don't think there will be an elevate solution for this. The NTFS is just not compatible with the security required, and I fear microsoft will have this problem a long time now. Increasing for each TB of data we add. I fear ACL's out of sync (aborted ACL promotions) might be a major problem in the future.

    Tuesday, November 2, 2010 1:14 PM