Administrator File Modification Privilege

Windows Server 2008 apparently allows an application to somehow configure the folder so that any changes made within the folder require administrator level access. I login with an account that has administrator privileges, but is not the local administrator account. When I do so I find that I can't save changes to files opened within this folder. I know I can open the application as administrator or move the file out of the folder, make the change, then move it back in, but I'm hoping there is a better way short of disabling the protection entirely. Is there a way perhaps to remove it for the files I frequently edit?


Like Zoredache mentioned, this the same UAC feature in Vista. Your account that is in the Administrators group doesn't actually have elevated permissions until you ask for it on a per-application basis. When you open Explorer, it's just as if you're Administrators membership was gone. Subsequently, when you double click a file from that un-elevated Explorer window, the app that runs (like Notepad) is also un-elevated. Your options are basically the following:

  • Turning off UAC is one way to work around this, however it's not very smart if this really is a production server. UAC is there for a reason and now that you know what the issue is, you should at least try to work with it before you disable it outright.

  • Another solution is to grant write access to the Users group (or any other group your account is a member of) for the subset of files/folders you'll be accessing often.

  • If you don't have a regular set of files/folders you would know to grant access to in advance, you can also manually run an elevated instance of Windows Explorer. You would think this was possible by searching for it in the Start Menu and right-click to "Run as administrator". But for some odd reason, that doesn't work. Instead, the way I usually do it is run an elevated instance of cmd.exe and then use the following command to open an explorer window at the root of C.

    explorer /e,c:\

There may actually be easier ways to do this with the help of 3rd party tools or shell extensions, but this is the only way I know how to get an elevated Explorer instance out of the box.


I believe this behavior is a feature of UAC. When UAC is enabled basically windows doesn't allow your Administrator privileges to actually be used without a prompt. In some cases related to accessing shares or the filesystem it doesn't to display the prompt when it seems like it should with an application that can elevate privileges. Unfortunately I haven't found a way to get around the issue, and had to diable the UAC.

Anyway, I suggest you try disabling UAC. If it fixes your issue, you can decide if you want to leave it disabled or futz with the settings to see if you can actually get it to work right.

To turn off UAC (from here)

  1. Click Start, and then click Control Panel.
  2. In Control Panel, click User Accounts.
  3. In the User Accounts window, click User Accounts.
  4. In the User Accounts tasks window, click Turn User Account Control on or off.
  5. If UAC is currently configured in Admin Approval Mode, the User Account Control message appears. Click Continue.
  6. Clear the Use User Account Control (UAC) to help protect your computer check box, and then click OK.
  7. Click Restart Now to apply the change right away, or click Restart Later and close the User Accounts tasks window.

Disable "Admin Approval Mode" in UAC for the administrators group. For the Built-in Administrator account it is disabled by default, but enabled for the administrators group.

  • Start > Administrative Tools > Local Security Policy > Local Policies > Security Options.
  • Then find (third from the bottom) "User Account Control: Run all administrators in Admin Approval Mode", right-click, properties, Disable.

You can see it disabled for the Built-in Admin account a few above (10 from bottom).