Access Denied-Permissions on 2008 R2 Domain Controller with UAC enabled

    Question

  • Hello,

    In a 2008 R2 Forest/Domain, my account is a member of the Builtin Administrators Group in the Domain and the Domain Admins Group.

    I log on to a 2008 R2 Domain Controller with UAC enabled with this account.  I right-click and select Run as Administrator to start a Windows Explorer session.  I navigate to an XML file in the Program Files folder, attempt to edit and save, but get an Access Denied error.  I right-click and select Run as Administrator to start a Command Prompt session.  I navigate to the same XML file in the Program Files folder, attempt to edit and save, and now I am successful!  I save the file with the change!

    Why is this?  Thanks in advance!

     


    Thanks for your help! SdeDot
    Thursday, October 20, 2011 11:59 PM

Answers

  • I think I figured out what my issue is.

    When I started Windows Explorer as Administrator, I navigated to an XML file, then used Notepad to edit the file; however, I did not run Notepad as Administrator.  When I run Notepad as Administrator, I can edit and save the file with no problem.  So I think the issue is I ran Windows Explorer as Administrator, but then the program I used to edit and save the file (Notepad) I did not Run as Administrator.

    Thanks all for your comments.


    Thanks for your help! SdeDot
    • Marked as answer by SdeDot Monday, October 24, 2011 1:09 PM
    Monday, October 24, 2011 1:09 PM
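
The per-process elevation described in the answer above, shown as an added example that is not part of the original thread: it reports whether the current process token is elevated, then opens a file in Notepad with an elevation request so the editor itself holds the admin token. The function names and the sample path are assumptions made for illustration.

```powershell
# Added example (not from the thread). Under UAC, elevation belongs to a
# process, so the editor that writes the file must be elevated itself.

function Test-IsElevated {
    # True only when the Administrators group is enabled in this process token.
    # With a filtered (non-elevated) admin token the group is deny-only: False.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-IntegrityLabel {
    # whoami /groups lists the token's "Mandatory Label\... Mandatory Level"
    # entry: Medium for a filtered admin token, High for an elevated one.
    whoami /groups | Select-String 'Mandatory Label'
}

function Edit-FileElevated {
    param([Parameter(Mandatory = $true)][string]$Path)

    $full = (Resolve-Path -LiteralPath $Path).Path
    if (Test-IsElevated) {
        # A child started from an elevated process inherits the elevated token.
        Start-Process -FilePath notepad.exe -ArgumentList "`"$full`""
    } else {
        # -Verb RunAs raises the UAC consent prompt and starts Notepad elevated.
        Start-Process -FilePath notepad.exe -ArgumentList "`"$full`"" -Verb RunAs
    }
}

# Constructed sample path (hypothetical); replace with the file to edit.
$sample = Join-Path $env:ProgramFiles 'ExampleApp\settings.xml'
"Elevated: $(Test-IsElevated)"
Get-IntegrityLabel
if (Test-Path -LiteralPath $sample) { Edit-FileElevated -Path $sample }
```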

All replies

  • Hi,

    To try to resolve the problem, you will need to perform the following steps:

    Force Windows Explorer to generate a new process ID, using one of the following methods.

    a. Open Windows Explorer
    b. Select Tools > Folder Options...
    c. Click the View tab
    d. Check the option Launch folder windows in a separate process

    OR

    Follow the steps outlined in the below Microsoft KB Article:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;156366

    Regards,
    Abhijit Waikar.
    -------------------------------
    MCSA|MCSA:Messaging|MCTS|MCITP:SA
    My Blog: http://abhijitw.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Friday, October 21, 2011 2:19 AM
  • It seems that the ownership of the Program Files folder is with TrustedInstaller. You need to take the ownership of the Program Files folder and add the user with full control and then try to edit the xml file and save.

    Note: In the Windows Server® 2008 and Windows Vista® operating systems, most of the operating system files are owned by the TrustedInstaller security identifier (SID), which is the only SID that has full control over them. The purpose is to prevent a process that is running as an administrator or under the LocalSystem account from automatically replacing the operating system files. To delete an operating system file, you need to take ownership of the file and then add an access control entry (ACE) on the file that permits you to delete it.

    Reference KB: http://technet.microsoft.com/en-us/library/cc731677(WS.10).aspx

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Friday, October 21, 2011 4:03 AM
  • By default, administrators (domain admins and enterprise admins) are also covered under UAC, and this is for enhanced security. You have to use Run as to allow specific apps/exes to execute, and there is no exception apart from disabling UAC, which is not recommended.

    http://technet.microsoft.com/en-us/library/cc709691%28WS.10%29.aspx

     

    Regards  


    Awinish Vishwakarma

    MY BLOG:  http://awinish.wordpress.com/ 


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Friday, October 21, 2011 6:12 AM
    Moderator
  • All,

    Thanks for the replies; however, I don't think I understand from these replies why I'm seeing the behavior I outlined in my question.

    Sandesh: As outlined in my question, I don't change the ownership of anything, but can edit and save the file using an elevated Command Prompt whereas I cannot edit and save using an elevated Windows Explorer.  Why is this?

    Also, the ownership of the Program Files folder is TrustedInstaller; however, the ownership of the folders and files beneath Program Files is 'System' with the exception of the file I edited and saved with an elevated Command Prompt as Administrators.  Why is this?

    Thanks in advance.


    Thanks for your help! SdeDot
    Friday, October 21, 2011 1:35 PM
  • Hi,

    Did you try the suggested Explorer option? You are receiving an Access Denied error from Windows Explorer but not from the command line, so it might be an issue with EXPLORER.EXE; either it's corrupted or infected.

    or

    Is that XML a system file?

    Windows system files are owned by the TrustedInstaller service by default, and Windows File Protection will keep them from being overwritten. If you need to delete or overwrite a system file, you cannot delete system files, even as administrator.

    Perform the below steps and try to edit:
    1. Open CMD
    2. Take ownership of the file; you’ll need to use the takeown command. Here’s an example:
       takeown /f C:\Windows\en-US\abc.xml
    3. That will give you ownership of the file, but you still have no rights to delete it. Now you can run the cacls command to give yourself full control rights to the file:
       cacls C:\Windows\en-US\abc.xml /G user_name:F

    At this point, open Explorer > file path > you should be able to edit the file. If you still can’t do so, you may need to reboot into Safe Mode for Windows Explorer session.

    Also check this if it works for you: http://answers.microsoft.com/en-us/windows/forum/windows_7-files/windows-trusted-installer-denying-access-to-files/5203914d-9357-4b71-a4c5-a2d11d392fff

    Regards,
    Abhijit Waikar.
    -------------------------------
    MCSA|MCSA:Messaging|MCTS|MCITP:SA
    My Blog: http://abhijitw.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Saturday, October 22, 2011 7:20 AM
  • Hello

    1. Run elevated command

    2. Go to the directory of the file you would like to edit by cd \program files\.......

    3. Hit notepad filename.xml

    Change and there you can save it

    Wednesday, August 29, 2012 11:35 AM