Windows Server 2012 UAC folder problem

  • Question

  • Hi.

    There was an annoying feature (some call it a bug) where Windows 2008 R2 UAC blocks folder access if you are a member of the local Administrators group and the NTFS ACL allows only Administrators and other users/groups, but not you. It was possible to avoid this by turning off UAC and rebooting the computer.

    Now, with Windows Server 2012 (RTM, VL) the problem is worse. You can turn off UAC (and reboot; I hope it does a full reboot) but nothing changes. You are still prompted:

    "You don't currently have permissions to access this folder. Click Continue to permanently get access to this folder.   Continue (with shield mark)   Cancel"

    And if I click Continue, my account is added to the folder ACL. I haven't found any way to bypass it.

    This is idiotic. If we have multiple administrators, every admin SID is added (at some point). And people are coming and leaving, and the ACEs remain. And by the way, how is this related to the "Use groups for granting permissions" best practice? The only way is to create a "File Administrators" group, make the administrators members of this group and add this group to the ACL. Lots and lots of pointless work.

    Dear MS, how should we resolve it? Any secret policy/registry key, hotfix coming?

    Friday, August 24, 2012 9:59 AM
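As an added example (not part of the original question or any reply in this thread), the following PowerShell script audits a folder tree for exactly the residue described above: explicit, non-inherited ACEs granted to individual user accounts, plus orphaned SIDs of accounts that have since been deleted. It assumes an elevated PowerShell session (under a filtered admin token Get-Acl itself is denied on Administrators-only folders, which is the problem the question is about); the root path `D:\Shares\Finance` is invented, and the user/group classification uses System.DirectoryServices.AccountManagement, which is an implementation choice of this example, not something the thread prescribes.

```powershell
# Added example, not from the original thread: find the residue the poster describes.
# Every "Continue" click in Explorer adds an explicit ACE for the clicking user
# (see KB 950934 later in the thread), so Administrators-only folders slowly fill
# with per-user entries, including orphaned SIDs of people who have since left.
# Assumptions: run in an elevated PowerShell (a filtered admin token is denied
# Get-Acl on exactly the folders we want to inspect); $Root is an invented path.
param([string]$Root = 'D:\Shares\Finance')

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$kindCache = @{}   # SID -> 'User' | 'Group' | 'WellKnown' | 'Unknown'

function Get-PrincipalKind {
    param([System.Security.Principal.IdentityReference]$Id)
    $sid = $Id.Translate([System.Security.Principal.SecurityIdentifier]).Value
    if ($kindCache.ContainsKey($sid)) { return $kindCache[$sid] }

    $result = 'Unknown'
    if ($sid -notlike 'S-1-5-21-*') {
        # Built-in and well-known SIDs (BUILTIN\Administrators, SYSTEM, INTERACTIVE,
        # Authenticated Users ...) are never the per-user entries we are hunting.
        $result = 'WellKnown'
    } else {
        foreach ($ctxType in 'Machine', 'Domain') {
            try {
                $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ctxType)
                $p = [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity(
                         $ctx, [System.DirectoryServices.AccountManagement.IdentityType]::Sid, $sid)
                if ($p -is [System.DirectoryServices.AccountManagement.UserPrincipal])  { $result = 'User';  break }
                if ($p -is [System.DirectoryServices.AccountManagement.GroupPrincipal]) { $result = 'Group'; break }
            } catch { }   # not domain joined, or the directory is unreachable
        }
    }
    $kindCache[$sid] = $result
    return $result
}

$folders  = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
$findings = foreach ($folder in $folders) {
    $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }      # inherited entries came from a parent, not from a click
        if ($ace.IdentityReference -is [System.Security.Principal.SecurityIdentifier]) {
            $kind = 'Orphaned'                  # SID no longer resolves to an account: someone left
        } else {
            $kind = Get-PrincipalKind $ace.IdentityReference
        }
        if ($kind -in 'User', 'Orphaned') {
            [pscustomobject]@{
                Path      = $folder.FullName
                Principal = $ace.IdentityReference.Value
                Kind      = $kind
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
            }
        }
    }
}

$findings | Sort-Object Path, Principal | Format-Table -AutoSize
```

Each reported row is a candidate for removal with `icacls <path> /remove:g <principal>` once the folder is covered by a group ACE instead; the orphaned SIDs can be removed outright since nothing can ever log on with them again.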

Answers

  • However, I found some interesting things in the registry :)

    Even after UAC WAS turned off (slider set to Never Notify), in the registry EnableLUA was 1, making LUA still active :(

    So I changed it in the registry 1 > 0 (surprise, surprise, a Windows Action Center balloon popped up suggesting a reboot).

    And after the reboot all is as requested (like in the 2008 days...).

    Case closed.

    The question remains: is it a UI problem/bug not setting the bit, or something more interesting? I would be grateful if MS could shed light on it. I checked it on a 2008 R2 server where UAC was turned off via the UI, and there EnableLUA was 0.

    Monday, August 27, 2012 11:24 AM
  • Hi Andreas,

    Thanks for sharing and I do agree with what you have mentioned. Please take a look at my screen. I only added those entries into the registry without changing the LUA. In the first simple attempt I tried mapping to c$ with a user account which is from the Administrators group, and it failed before I added the key. But the existing Administrator will work. After I added the key only, both of the accounts work. :)

    Your findings are pretty interesting :)


    CK

    Monday, August 27, 2012 12:23 PM

All replies

  • Hi there,

    You want to add this DWORD LocalAccountTokenFilterPolicy to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System with the value of 1. There is no reboot required. I hope this helps.


    CK

    • Proposed as answer by PJBeee Wednesday, September 27, 2017 12:59 PM
    Monday, August 27, 2012 7:31 AM
  • Hi Andres,

    As you said, if a user account belongs to the local Administrators group, when only the Administrators group has permission on a folder, all admins except the Administrator account will not have permission to access it.

    This is because all accounts in the local Administrators group are working as standard accounts. When an administrator action needs to be performed, a prompt will occur asking for permission to promote to admin permission. As only the Administrators group has permission on the folder and the account we are using is working like a standard account, we will be denied access.

    A workaround is to create a new group for all admins and give the group enough permission to access the target folder.

    Or you could run all accounts in the Administrators group in Admin mode. See this article:

    UAC Group Policy Settings and Registry Key Settings

    http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx



    • Proposed as answer by UldisP Tuesday, December 10, 2013 6:26 AM
    Monday, August 27, 2012 7:53 AM
    Moderator
  • No, it doesn't help. Tried closing and reopening Explorer, signing off and restarting. No difference.

    BTW, UAC was turned off before.


    • Edited by Andres P Monday, August 27, 2012 11:02 AM
    Monday, August 27, 2012 10:57 AM
  • Yes, I understand how it works and what is behind it.

    But as it worked in 2008 R2 (after turning off UAC, which is IMHO a big troublemaker on a server), I expected it to work on 2012.

    At the moment the only working way is to make a new group and grant permissions to this group.

    Running in Admin mode is not working anymore, and this TN article doesn't apply to 2012 (at least, the options described there are not effective).

    Monday, August 27, 2012 11:07 AM
  • No, it's not a bug; all the Windows 8 based systems run in Admin Approval Mode (that's the issue you are having). The new "Metro" interface/apps require the security mode to be enabled. The other reason why this is forced upon us is that Microsoft wants everyone to be in the security mode, including technology professionals. I just disable it (on personal computers anyway); I am an admin, I don't need to be prompted all the damn time. My guess would be that Server 2012 has a few of those surprises, where some features/roles won't work without being in Admin Approval Mode.
    • Proposed as answer by IQ_IT Wednesday, October 10, 2012 11:08 PM
    • Unproposed as answer by IQ_IT Wednesday, October 10, 2012 11:08 PM
    Friday, September 14, 2012 9:03 PM
  • However, I found some interesting things in the registry :)

    Even after UAC WAS turned off (slider set to Never Notify), in the registry EnableLUA was 1, making LUA still active :(

    So I changed it in the registry 1 > 0 (surprise, surprise, a Windows Action Center balloon popped up suggesting a reboot).

    And after the reboot all is as requested (like in the 2008 days...).

    Case closed.

    The question remains: is it a UI problem/bug not setting the bit, or something more interesting? I would be grateful if MS could shed light on it. I checked it on a 2008 R2 server where UAC was turned off via the UI, and there EnableLUA was 0.

    ^^^^^^^^^^^^  This is what I had to do to resolve the issue. This worked perfectly.

    I also tried adding the LocalAccountTokenFilterPolicy REG_DWORD and that did nothing to resolve the problem.

    Microsoft seriously needs to fix this, as this is an OS-breaking bug for those who haven't stumbled upon this thread. Make the UAC slider effective in disabling UAC.

    Wednesday, October 10, 2012 11:10 PM
  • To disable UAC and not have the problem where Domain Admins or members of the Administrators group get access denied when UAC is off and Administrators have Full NTFS permissions on the drive or folder, disable the following two GPOs:

    User Account Control: Admin Approval Mode for the built-in Administrator account : Disabled

    User Account Control: Run all administrators in Admin Approval Mode : Disabled

    Thursday, August 1, 2013 2:11 PM
  • The problem exists because Windows/File Explorer was designed for Windows 95 and has never supported being run in multiple security contexts in a user's session.  When an admin logs on to Vista/2008 or newer with UAC enabled, everything (including Explorer) runs with standard user rights.  The only way Explorer can show you protected folders is to give your user account rights to those folders.  Ugly and suboptimal, but that's what it is.  If you need to keep UAC enabled, then it's recommended that you not use Explorer to perform administrative tasks - there are lots of other ways to administer the file system without it.

    LocalAccountTokenFilterPolicy has nothing to do with this.  That setting determines what happens with administrative local accounts coming in over a network logon (e.g., a NET USE command from another system).

    Because UAC must remain enabled for "modern" apps on Win8/2012, the UAC slider UI in Control Panel no longer turns off UAC, but instead sets it to "elevate without prompting".  To disable UAC, you need to use the security policy that sharky1o1 pointed out - UAC: Run all administrators in Admin Approval Mode - Disabled.  BEFORE DOING THAT, please carefully read KB 2526083 (http://support.microsoft.com/kb/2526083).

    • Proposed as answer by UldisP Tuesday, December 10, 2013 6:26 AM
    Wednesday, October 2, 2013 3:33 PM
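The reply above separates three things the thread keeps conflating: the EnableLUA value (Admin Approval Mode on or off), the slider (which on Windows 8 / Server 2012 only changes the prompt behaviour), and LocalAccountTokenFilterPolicy (network logons only). As an added example, not from any participant in the thread, the following read-only PowerShell function reports all of them for the current server and tells you whether the logged-on user is an administrator working under a filtered token, i.e. whether Explorer will show the "Continue" prompt. The defaults used for absent registry values are those documented in the TechNet UAC settings reference linked earlier; the use of `whoami /groups` to see deny-only groups is this example's own check.

```powershell
# Added example, not from the original thread: report what UAC is actually doing on
# this server. On Windows 8 / Server 2012 the Control Panel slider at "Never notify"
# sets ConsentPromptBehaviorAdmin=0 but leaves EnableLUA=1, so Admin Approval Mode
# (and therefore the filtered admin token) stays in force. Read-only: nothing is changed.
function Get-UacState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v   = Get-ItemProperty -Path $key

    # Defaults used when a value is absent, per the TechNet "UAC Group Policy Settings
    # and Registry Key Settings" reference linked earlier in this thread.
    function Read-Value([string]$name, [int]$default) {
        if ($null -ne $v.$name) { [int]$v.$name } else { $default }
    }
    $enableLua = Read-Value 'EnableLUA'                     1
    $consent   = Read-Value 'ConsentPromptBehaviorAdmin'    5
    $filterBA  = Read-Value 'FilterAdministratorToken'      0
    $latfp     = Read-Value 'LocalAccountTokenFilterPolicy' 0

    # Is this process running with a full or a filtered token? IsInRole() is false on
    # a filtered token because BUILTIN\Administrators is present only as deny-only.
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    $adminSid  = New-Object System.Security.Principal.SecurityIdentifier(
                     [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
    $elevated  = $principal.IsInRole($adminSid)

    # whoami lists deny-only groups as well, so this says whether the logged-on user is
    # an administrator at all, regardless of filtering. Matching on the SID avoids
    # localized group names.
    $isAdminMember  = $null -ne (whoami /groups /fo csv | ConvertFrom-Csv |
                                 Where-Object SID -eq $adminSid.Value)
    # The built-in Administrator (RID 500) is exempt from filtering unless
    # FilterAdministratorToken=1, which is why the thread says "all admins except
    # the Administrator account".
    $isBuiltinAdmin = $id.User.Value -like 'S-1-5-21-*-500'

    $mode = if ($enableLua -eq 0) { 'UAC disabled (EnableLUA=0): admins always get a full token' }
            elseif ($consent -eq 0) { 'UAC on, slider at "Never notify": Admin Approval Mode active, elevation silent' }
            else { "UAC on, Admin Approval Mode active, ConsentPromptBehaviorAdmin=$consent" }

    [pscustomobject]@{
        EnableLUA                     = $enableLua
        ConsentPromptBehaviorAdmin    = $consent
        FilterAdministratorToken      = $filterBA
        LocalAccountTokenFilterPolicy = $latfp   # network logons of local admins only
        Mode                          = $mode
        UserIsAdministrator           = $isAdminMember
        ThisProcessElevated           = $elevated
        # Explorer never runs elevated, so it shows "Continue" on Administrators-only
        # folders whenever the interactive admin is working under a filtered token.
        ExplorerWillPromptContinue    = ($isAdminMember -and $enableLua -ne 0 -and
                                         -not ($isBuiltinAdmin -and $filterBA -eq 0))
    }
}

Get-UacState | Format-List
```

Run it once from the Start menu PowerShell and once from an elevated one: EnableLUA and Mode will be identical, ThisProcessElevated will differ, and on a slider-only "disabled" server ExplorerWillPromptContinue stays true, which is the behaviour the original poster hit.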
  • Nice, thanks Aaron!

    So in theory it was not the brightest idea to run Explorer as the shell and parent for user session processes.

    Thursday, October 3, 2013 12:28 PM
  • There is a security principal called INTERACTIVE.  You just need to give it Read/Execute permissions on folders where you want the logged on user to access.  In this way, if a user is logged in interactively (usually only your Administrators in the case of a server) they can navigate the folder structure via Windows Explorer, but are still required to elevate via UAC to modify any files or folders under it (perform a file operation) which will not add their individual SID to the DACL of the folder.
    Monday, October 14, 2013 5:39 PM
  • EnableLUA = 0 worked for me!  Great fix.  Stupid bug.

    I was experiencing total inability to open folders unless the Administrators group was set as the owner or the current admin account given Full Control.  So stupid!

    Saturday, March 1, 2014 3:44 AM
  • Changing HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=0 worked for me to resolve this.

    What an unbelievably STUPID 'working as designed' function.  Most of 2012 I've been ok/happy with.  This is the first "WTF IS WRONG with this stupid OS" moment.

    Confirmed that without manually flipping the 1 to a 0 on the EnableLUA setting the server will always force you to add your own admin username explicitly to the NTFS permissions before you can apply anything.  Best practices and group membership be damned.

    • Proposed as answer by Leo Vancouver Wednesday, November 12, 2014 7:28 PM
    Thursday, March 6, 2014 3:47 PM
  • I'm having this very same problem. So much for groups if Windows is just going to add every user who needs access. What a maintenance nightmare. I hope someone comes out with a new way to store files rather than using Windows. A new security model needs to be developed that can do a lot of what Novell did, but with ease of use for everyday users and maintenance. Maybe the Linux community will come up with something.

    One can only hope. Maybe the next version of Windows will have something better.

    Monday, June 2, 2014 5:57 PM
  • Rather than creating a new group, I suggest using the INTERACTIVE security principal and giving it READ/EXECUTE permissions.  This allows users that are logged in interactively (usually only your Admins) to traverse and read the folder, but will still prompt for elevation when attempting to modify files within the administratively locked structure.
    • Proposed as answer by Andrew Westh Tuesday, March 10, 2015 5:47 PM
    Friday, June 20, 2014 4:09 PM
  • To disable UAC and not have the problem where Domain Admins or members of the Administrators group get access denied when UAC is off and Administrators have Full NTFS permissions on the drive or folder, disable the following two GPOs:

    User Account Control: Admin Approval Mode for the built-in Administrator account : Disabled

    User Account Control: Run all administrators in Admin Approval Mode : Disabled

    I am bringing up my first Win 2012 server. I always move wwwroot to the D: drive as the default IIS root. I copied iisstart and the other files over. I tried to edit iisstart.htm so I could modify it to test and make sure the web root had changed. I am a domain admin. Domain Admins are in the local Administrators group. Both the local Administrators group and the Domain Admins group have been given full rights on the NTFS drive and this folder.

    I could open iisstart.htm in Notepad and change it, BUT COULD NOT SAVE IT. When I clicked save, it would trigger a Save As dialog, and if I tried to save over itself, Windows throws an access denied error.

    I found this thread and implemented the two changes in the quoted section above in Local Security Policy. Well, the first was already set to Disabled, I assume automatically when I used the UAC slider in User Accounts to turn it off. But I had to disable the second option.

    I just went back after rebooting, opened iisstart.htm, and was able to open, edit, and do a simple save of the file with no access denied message.

    So obviously this affects more than just drilling into a folder. Note that before the change I could copy files into the folder. I could create a new file in the folder. But I was denied access to edit and save the copied iisstart.htm file.

    Tuesday, September 16, 2014 5:37 PM
  • Using INTERACTIVE permission does work, but to be clear, I've found that all you really need is to set the security permission to INTERACTIVE = List Folder Contents, and then Domain Admins = Full Access works.

    FilterAdministratorToken = 0 disabled [User Account Control: Admin Approval Mode for the built-in Administrator account]

    EnableLUA = 1 enabled [ User Account Control: Run all administrators in Admin Approval Mode ]

    Thursday, November 6, 2014 2:56 PM
  • Yep, that was it.  Driving me crazy.  This one server did not get the UAC disable script and caused a big headache.

    Ben

    Friday, January 15, 2016 3:05 AM
  • This is definitely the best answer, as it explains the proper workaround to this issue that isn't exposing the server to any additional risk.
    Thursday, August 25, 2016 3:25 PM
  • Hi guys,

    Read this; it is the official explanation of this behavior.

    When you click Continue for folder access in Windows Explorer, your user account is added to the ACL for the folder

    Best regards,

    German

    Thursday, May 25, 2017 1:23 PM
  • Hi Andres,

    I researched this issue and achieved a solution.

    Click this link; I've posted all you need to do in order to solve this issue.

    You Don't Currently Have Permissions - LINK

    Cheers,

    German

    Monday, June 12, 2017 10:54 AM
  • The above solution (LocalAccountTokenFilterPolicy=1) worked fine for me, with no other registry changes made.

    I had previously changed the entry "EnableLUA" (under the same key) from 1 to 0, which did work, but apparently this is a much broader and less-secure fix. After creating the above-mentioned entry, I changed "EnableLUA" back to 1, and all is still fine.

    Hope this is helpful.




    • Edited by PJBeee Wednesday, September 27, 2017 1:01 PM
    Wednesday, September 27, 2017 12:59 PM
  • To avoid changing permissions in a folder that’s accessible only to administrators, consider using another program that can run elevated instead of using Windows Explorer. Examples include Command Prompt, PowerShell, and the Computer Management MMC snap-in for share management.

    Workaround 3
    If you have an application-specific folder that’s locked down to prevent ordinary users from accessing it, you can also add permissions for a custom group and then add authorized users to that group. For example, consider a scenario in which an application-specific folder grants access only to the Administrators group and to the System account. In this situation, create a domain or a local AppManagers group, and then add authorized users to it. Then, use a utility such as icacls.exe, the security tab of the folder’s Properties dialog box, or the PowerShell Set-Acl cmdlet to grant the AppManagers group Full Control of the folder, in addition to the existing permissions.

    Users who are members of AppManagers will now be able to use Windows Explorer to browse the folder without UAC having to change the folder’s permissions. Be aware that this alternative applies only to application-specific folders. You should never make any permission changes to folders that are part of the Windows operating system, such as C:\Windows\ServiceProfiles.

    More info in the official Microsoft KB; you can find it at this link: Microsoft KB950934

    Thursday, October 5, 2017 9:37 AM
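The INTERACTIVE suggestion made twice earlier in the thread and the KB's "Workaround 3" quoted above are the two fixes that keep UAC on and keep the DACL group-based. As an added example, not code from the thread or from KB 950934, the following PowerShell applies both to one application folder with icacls and then verifies the result against an allow list, so a stray per-user ACE from an earlier "Continue" click is reported rather than silently kept. It assumes an elevated session; the path `D:\Apps\Payroll\Config` is invented, `AppManagers` is the group name the KB uses, and principals are passed to icacls as well-known SIDs (`*S-1-5-18` and so on) so the script does not depend on localized group names.

```powershell
# Added example, not from the original thread or KB 950934: apply the two group-based
# workarounds discussed above (INTERACTIVE for browsing, a dedicated admin group for
# full control) to an application folder with icacls, then verify the resulting DACL.
# Run in an elevated PowerShell. Assumptions: the path is invented; "AppManagers" is
# the group name the KB uses. Never do this to operating-system folders.
$Path  = 'D:\Apps\Payroll\Config'
$Group = 'AppManagers'

if (-not (Test-Path -LiteralPath $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

# Create the local group if it does not exist (use a domain group in AD for a farm).
net localgroup $Group 2>$null | Out-Null
if ($LASTEXITCODE -ne 0) { net localgroup $Group /add | Out-Null }
$groupSid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value

# S-1-5-18 SYSTEM, S-1-5-32-544 BUILTIN\Administrators, S-1-5-4 INTERACTIVE.
# /inheritance:r   replace inherited ACEs, so the DACL is exactly what is granted here
# (OI)(CI)F        full control, inherited by files and subfolders
# (CI)(RX)         "List folder contents": read/execute on this folder and subfolders
#                  only, so a filtered admin token can browse in Explorer without the
#                  "Continue" prompt, but still has to elevate to touch any file
$icaclsArgs = @(
    $Path, '/inheritance:r',
    '/grant', '*S-1-5-18:(OI)(CI)F',
    '/grant', '*S-1-5-32-544:(OI)(CI)F',
    '/grant', '*S-1-5-4:(CI)(RX)',
    '/grant', "*${groupSid}:(OI)(CI)F"
)
& icacls @icaclsArgs | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Verify: every ACE must be on the allow list. Anything else, typically a per-user
# entry left by an earlier "Continue" click, is reported instead of being kept.
$allowed = 'S-1-5-18', 'S-1-5-32-544', 'S-1-5-4', $groupSid
$stray = foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    if ($sid -notin $allowed) { '{0} ({1}): {2}' -f $ace.IdentityReference, $sid, $ace.FileSystemRights }
}
if ($stray) { Write-Warning ("Unexpected ACEs on {0}:`n{1}" -f $Path, ($stray -join "`n")) }
else        { Write-Host "DACL on $Path is SYSTEM, Administrators, $Group (full) and INTERACTIVE (list only)" }
```

The two entries do different jobs: INTERACTIVE (RX) is what satisfies Explorer's unelevated, filtered token so the "Continue" button never appears, while the AppManagers entry is what lets an elevated process, or a member who is not a local administrator at all, actually change files. Because `/inheritance:r` is used, re-run the script rather than hand-editing the folder's Security tab after a "Continue" click has already happened.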
  • I agree, workaround 3 is working fine. The above issue only applies to members of the built-in Administrators group. If you create a custom group, add it to the local Administrators group and to the folder ACL, members of this group will get access normally as per their security descriptor.
    Friday, April 13, 2018 4:06 PM