Dear All, I hope this is the right forum because this question would also be valid in the Windows 7 ones... I understand that UAC is a good idea security-wise, but I am seeing a behaviour that sounds too stupid to be true, so I would like to check I am not the only one. On a Windows 2008 (or Windows 7) system with UAC enabled, we have several folders owned by a non-administrator user, but to allow for backups and administrative access, SYSTEM and the local Administrators group are also granted full writing privileges over the folders and files. When I browse through the folders as the owner, I have no problems at all, but if I log in as one of the Domain Administrators (a group that is a member of the local Administrators group), when I try to browse to the folders I get asked if I want to grant myself future access to the folders (this requires a UAC elevation); if I answer yes, the system goes through the filesystem adding this administrator account to the ACLs of the folder (this is not a fast process; we are talking about 1000s of files). If I answer no, I get no access at all! Is this what should be happening? I would understand that it would require UAC privilege elevation to access the files as an administrator (even though the ACLs of the files should be granting any member of the Administrators group access without any special privileges), but that it would require for the ACLs of all the files and folders to be amended to be able to browse through them sounds ridiculous; haven't MS considered the multiplication of ACL entries that would happen if there were more than a couple of Administrators? And if we later want to remove Administrators' access to the files, not only would we have to remove the ACLs for the Administrators group, but for each of the individual administrator accounts that had ever gone through them! Someone hasn't thought this through... As I said, maybe I made a mistake in configuring the systems and this is all peculiar to my boxes (please let me know if it is so), but if it is not, could someone explain to me what is the point of this behaviour? Thank you for your help. Yours, FD

Hi FD, As far as I know, this is the normal behaviour of NTFS. What I am always unsure of when it does this operation, is what is it doing to the ownership? Surely there can only be one owner of a file/folder, so if it's giving me ownership, surely it's taking away ownership from the 'proper' owner. And will the 'proper' owner have to go through the same procedure to take ownership back? Or is it simply adding me to the ACL of every file in the folder? So I see your point, and I will watch this thread to see what others have to say.

Bigteddy, As far as I know, this is the normal behaviour of NTFS. What I am always unsure of when it does this operation, is what is it doing to the ownership? Surely there can only be one owner of a file/folder, so if it's giving me ownership, surely it's taking away ownership from the 'proper' owner. And will the 'proper' owner have to go through the same procedure to take ownership back? Or is it simply adding me to the ACL of every file in the folder? So I see your point, and I will watch this thread to see what others have to sa From what I have seen, it only adds an entry in the ACLs for the administrator user; the ownership does not change. This happens to every single file and folder under the folder we are trying to access. What I don't understand is why is it necessary to add the extra ACL if according to the existing ACL for the Administrators group, the administrator user should already have access. FD

Nor do I understand it. It was for this reason that I assumed it was an ownership issue, and not a permissions one.