Windows folder permissions, Administrators and UAC, what's the "right" way to deal with this?
I have a folder with permissions:
- Administrators (group): Full.
- J. Bloggs: Full.
I'm logged in as a member of the Administrators group.
I can't open the folder in Explorer because "you do not have permission".
I suspect this is because normal processes do not have the administrator permission token because of UAC, unless you also 'run as administrator'. But I can't do that for Windows Explorer, can I?
So my options seem to be: - Click the button to take ownership (ruins ownership, takes ages on large folders, doesn't solve for other administrators) - Add each individual administrator account with full permissions so it works without the admin token (administrative mess, what's the point in groups)
This is a really annoying design, I must be missing something. How is it supposed to work? What's the 'right' way for an administrator to get into a folder that administrators have access to?
The solution is to simply manage the server remotely. The UAC filtering of the administrator privileges only applies when you are accessing the local system.
With the release of Server Core, Microsoft has been strongly encouraging people to remotely administer servers instead of connecting to them directly to manage them.
Of course if you have a really small network this may not be feasible, so disabling the UAC is fine, or adjusting the filesystem permissions so that another group is used instead of administrators to grant permissions.
The best way is to define a new group containing members that you consider to be administrators of that folder. If you have an AD domain, you can create this group in AD and then add that group to the Administrators group (of the local machine) and avoid having to administer two groups.
Note: If you're trying this locally, remember you have to log off and back in again for the new permissions to take effect.
There are two options to work around this limitation easily:
- Use a file manager of your choice (total commander, eg) and run it as administrator (preferred)
- Disable the explorer UAC restriction: http://www.msfn.org/board/topic/144776-unable-to-open-an-elevated-windows-explorer-window/
Grant Read/Execute permission at the drive root the built-in principal called "Interactive". Then no change to UAC is required.
This way people logged into the desktop remotely or "locally" (VM console or physical screen and keyboard) can still browse files and run programs even with UAC enabled.
For example, you could remove the default "Users can read and create everything from the root" permission to lock down the server sensibly, but avoid the inability to effectively logon, browse files and navigate to where you want to change settings as administrator.
As soon as you open the security dialog and want to change permissions, a button appears to change the settings as administrator. So you get the best of both worlds:
- No restriction to "local" admin/operator browsing of the structure and content of the disks.
- Protection against changes by non-administrators.
The only difference to the standard permissions, is we are not saying that only local "Users" accounts can read everything, but only people granted access to the Windows console, i.e. that logically means "physical" (or virtual) "interactive" server access, which is not just granted to anybody. This may not work for terminal servers unless there is a better way to distinguish between those types of sessions (suggest edit if you know that).
Of course the first advice is use server core/remote admin whenever possible. But when not, this helps avoid the common end-effect that a server were the default users permissions are removed end-up with dozens of personal user account permissions applied all over the place. And it's not really the fault of the administrator, they are just trying to do their job with standard tools without any special complexity (just use File Explorer normally).
Another positive effect of this solution, is by being able to lock-down the root drive permissions and still have the server "usable" for the administrator logged onto the desktop, the need to disable inheritance to remove unwanted permissions from above often disappears. The fact that all users can read and create whatever they want below your shared path by default is a common reason to disable inheritance when nobody wants to deal with the "root" cause ;-)