Wednesday, February 17, 2016

Windows folder permissions, Administrators and UAC, what's the "right" way to deal with this?



I have a folder with permissions:





  • Administrators (group): Full.

  • J. Bloggs: Full.



I'm logged in as a member of the Administrators group.



I can't open the folder in Explorer because "you do not have permission".




I suspect this is because normal processes do not have the administrator permission token because of UAC, unless you also 'run as administrator'. But I can't do that for Windows Explorer, can I?



So my options seem to be:
- Click the button to take ownership (ruins ownership, takes ages on large folders, doesn't solve for other administrators)
- Add each individual administrator account with full permissions so it works without the admin token (administrative mess, what's the point in groups)



This is a really annoying design, I must be missing something. How is it supposed to work? What's the 'right' way for an administrator to get into a folder that administrators have access to?


Answer



The solution is to simply manage the server remotely. The UAC filtering of the administrator privileges only applies when you are accessing the local system.




With the release of Server Core, Microsoft has been strongly encouraging people to remotely administer servers instead of connecting to them directly to manage them.



Of course if you have a really small network this may not be feasible, so disabling the UAC is fine, or adjusting the filesystem permissions so that another group is used instead of administrators to grant permissions.


No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...