Access Denied with Full Permissions
I have a Windows 2008R2 server and am logged in as a Domain Administrator and I am getting an "Access Denied" message when I try and save a file in a directory. The Directory is just an Application folder on the D: drive. I ran "Effective Permissions" for my User and it says that I have "Full". There are no Shares involved - I am directly logged on to the server. I am just using Notepad to create a file and store it in the directory but I get the same results if I open an existing file, make a change and try and save it.
I tried launching Notepad with Run as Administrator and then I can save in the Directory. What am I missing?
Thanks.
Roger
April 1st, 2011 1:09pm
So, as I see it, you need an elevated prompt to access the folder.
I think that the folder is used by an application and that is why it requires the use of Run as administrator, so that you will avoid accidental changes.
I think that if you stop your application, you will be able to do what you want on the folder without having to use an elevated prompt.
Also, if you disable UAC, you will not be required to use Run as administrator, but it is not recommended for security reasons.
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Microsoft
Student Partner
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
April 1st, 2011 2:20pm
Hi.
I would suggest you create another group that has write access to that folder and join yourself and perhaps your entire group. I think this is what you are running into, and just opening a text file isn't an administrative task:
When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs have been removed. The standard user access token is used to start applications that do not perform administrative tasks (standard user applications).
http://technet.microsoft.com/en-us/library/dd446675%28WS.10%29.aspx
Oscar Virot
April 1st, 2011 6:09pm
Actually the application that I am using is just Notepad, so the application does not require Run as administrator. For a variety of reasons, I would prefer not to disable UAC. I did a little more experimenting and found that the problem seems to be related to the fact that I was getting access by being in the administrators group. Basically, I did what Oscar suggests below. When I put the user on the access list explicitly all worked fine. With the User on the access list, you didn't have to do a "Run As" even though the user was in the Administrators group. This also leads me to believe that the problem is not in UAC.
My question is why? I understand the two access tokens but when I put the user on the access list explicitly, I still have the two access tokens. Why does accessing a file require me to use my administrator access token unless I am on the Access list explicitly?
Something just doesn't make sense to me.
Roger
April 4th, 2011 8:39am
Hi.
The UAC has two tokens, one with all.. and the regular one you use, which has removed the administrators group..
When you browse with explorer you use your regular one, you don't have your administrators group. So then you have the same level of access as if you didn't have the administrators group at all. That's why you need to disable UAC or have a "fileserver group"
I hope this is understandable.
Oscar Virot
April 4th, 2011 8:49am
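The split-token behaviour described in the replies above can be checked directly. This is an added example, not code from any poster in the thread: it lists the folder's ACL entries by SID and marks which ones the current (possibly filtered) token can actually use. The path `D:\App` is a placeholder, and the script assumes an English-language Windows because `whoami` localizes its column names and attribute text.

```powershell
# Added example, not from the thread. $Folder is a placeholder path (assumption).
# Assumes English-language Windows: whoami's CSV headers and the
# "deny only" attribute text are localized.
param([string]$Folder = 'D:\App')

$adminSid = 'S-1-5-32-544'     # well-known SID of BUILTIN\Administrators
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()

# Every group SID in this process's token, with its attributes.
$groups = @(whoami /groups /fo csv | ConvertFrom-Csv)

# SIDs that can satisfy an Allow ACE: the user SID plus groups NOT marked deny-only.
$enabled = @($identity.User.Value)
$enabled += $groups | Where-Object { $_.Attributes -notmatch 'deny only' } |
    ForEach-Object { $_.SID }

# SIDs that can match a Deny ACE: everything in the token, deny-only groups included.
$all = @($identity.User.Value)
$all += $groups | ForEach-Object { $_.SID }

$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Elevated token: $elevated"
"Administrators usable for Allow ACEs: $($enabled -contains $adminSid)"

# Walk the folder's DACL by SID and flag the entries this token can use.
$sidType = [Security.Principal.SecurityIdentifier]
(Get-Acl -Path $Folder).GetAccessRules($true, $true, $sidType) |
    Select-Object @{ n = 'Sid'; e = { $_.IdentityReference.Value } },
        AccessControlType, FileSystemRights, IsInherited,
        @{ n = 'UsedByThisToken'; e = {
            $sid = $_.IdentityReference.Value
            if ($_.AccessControlType -eq 'Deny') { $all -contains $sid }
            else { $enabled -contains $sid }
        } } |
    Format-Table -AutoSize
```

Run it once from a normal prompt and once from an elevated one: in the normal prompt the Administrators Allow entry shows `UsedByThisToken` as False, while an entry that names the user or a non-administrative group directly stays True in both.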
The fact is that explorer.exe is NOT UAC-ready. Because of that, I always disable UAC. Otherwise, it's quite easy to damage permissions on folders, UAC does modify permissions instead of running explorer with elevated SID.
My suggestion is to always log on with a limited user account, only log on as administrator when needed and certainly disable UAC.
MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor; CCNA
April 5th, 2011 1:33pm
Thanks. The combination of answers makes sense and it appears to match the actual way it works.
Roger
April 6th, 2011 3:26pm