Integrity level and file access
Hi! Sorry for bad english at first. i have some misunderstandings in following test. i created two local users, admin1 and admin2. then makes them members of local admins group. after that an admin1 creates a directory mkdir c:\testdir and file echo test > c:\testdir\testfile.txt. as a result i have a file and in the dacl of that file i see an builtin\administrators full access. but admin2 have only read access but not write. if i understand correctly thats because of integrity level of the file. but when i change integrity level of that file using icacls ... /setintegritylevel low i still have no write access. why so? , http://eosfor.blogspot.com MCP, MCDBA, MCSA, MCSE
August 25th, 2011 9:01am

I'm assuming you're doing this on 2008 R2? The "Administrators" group is treated differently. Admin2 does not have explicit permission to the file (except for "Administrators"), and since you cannot simply elevate Explorer.exe, it ends up with read permission only. If you add Admin2 to another group with modify permissions, it should be able to edit the file. Otherwise you can elevate Notepad.exe with Admin2 and open the file that way. Andreas Hultgren MCTS, MCITP http://ahultgren.blogspot.com/
Free Windows Admin Tool Kit Click here and download it now
August 25th, 2011 3:18pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics