is this a UAC feature?
Hello,
Using Windows 7 Pro, machine is a domain member, my domain account is a member of the local administrators group on my workstation. I created a local folder and changed the NTFS permissions so that only 'system' and the local administrators group have full control. While logged in as my domain user I was using FileZilla for SFTP access to a remote server and my downloads to this local folder were failing... but downloads to other local folders were ok. So when I went to check this local folder out, navigating to it using Windows Explorer, when I tried to open it I was greeted with a message that said "you don't currently have permission to access this folder. Click continue to permanently get access to this folder", and when I click continue it opens the folder...
I checked the NTFS permissions after this and saw that it explicitly added my domain user account to the DACL.
1. I assume this has something to do with UAC? yes/no?
2. could anyone explain why it would do this? My account is already a member of the local administrators group which already has the appropriate permissions assigned... why is the OS forcing that DACL edit? What is the point?
I'm all for the concept of UAC, I think it's needed. But this particular behavior has me scratching my head... what if I don't want my NTFS perms that way? I mean, that actually goes against Microsoft's own best practice of adding users to groups, and assigning permissions to groups, not individual users. wtf?
Could someone please enlighten me on this, or confirm that this really is just retarded?
July 14th, 2010 2:30pm
c0pe,
Can you give the exact locations of the local folders where you had the permission problem? And the folders that work fine for you?
Did you try to run FileZilla in administrative mode (right click on the FileZilla executable or shortcut and choose the option "run as administrator")?
And my last question: did you try to install the latest FileZilla version?
Kind Regards
DFTIM me - TWiTTer: @DFTER
July 14th, 2010 2:55pm
Hi daft, thanks for the reply, it's appreciated.
Local folder was right off the root (c:\test). I did not run FileZilla in administrative mode and I don't know that it's the latest version of FileZilla. But I'm not interested in adjusting the client side of this equation. The purpose for my post is more to find out if this behavior is a UAC thing, and if so, why?
The way I see it is, I tried to access a folder that I *do* have permissions on (via group membership in local administrators) and this access failed when done through an application, and when done directly through the OS (explorer.exe), I was stopped with a system message which after consenting to gaining access, it modified the folder's DACL (adding my user account), and that seems ridiculous. I don't want my account in the DACL, it's redundant. If this behavior is by design, which I'm assuming it is as part of UAC, I'm just baffled as to why? But I have not done my homework on Vista/7 and UAC so maybe I'm missing something here, and I'm hoping to be enlightened by the community here, or, as I said, I guess just get confirmation that this is by design and ya, contrary to MS's own recommended best practices that have existed since Windows 2000 (or earlier): assign users to groups, assign permissions to groups, not explicitly to individual users.
July 14th, 2010 4:56pm
In message
<f284f775-fcf4-4f01-b774-70e36a0f1ef7@communitybridge.codeplex.com> c0pe
was claimed to have wrote:
The way I see it is, I tried to access a folder that I do have permissions on (via group membership in local administrators) and this access failed when done through an application, and when done directly through the OS (explorer.exe), I was stopped with a system message which after consenting to gaining access, it modified the folder's DACL (adding my user account), and that seems ridiculous. I don't want my account in the DACL, it's redundant. If this behavior is by design, which I'm assuming it is as part of UAC, I'm just baffled as to why? But I have not done my homework on Vista/7 and UAC so maybe I'm missing something here, and I'm hoping to be enlightened by the community here, or, as I said, I guess just get confirmation that this is by design and ya, contrary to MS's own recommended best practices that have existed since Windows 2000 (or earlier): assign users to groups, assign permissions to groups, not explicitly to individual users.
The thing about UAC is that in general you actually don't have your
"Administrators" group membership unless you intentionally elevate an
application by using the right-click Run-As-Administrator or an
application requests elevation.
Granting explicit rights to your account by name or to a group other
than Administrators will give you rights at all times without explicit
elevation.
July 15th, 2010 9:15am
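The behaviour described in the reply above can be checked from a non-elevated PowerShell prompt. This is an added example, not code from any poster in the thread: it reports how the current token carries the Administrators group and whether the folder has an explicit ACE for the logged-on user, which is what Explorer's "Continue" button leaves behind. The default path is the c:\test folder named in the thread, and the `deny only` match assumes an English display language.

```powershell
# Added example; C:\test is the folder named in the thread.
param([string]$Path = 'C:\test')

$adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# 1. How does this process token carry the Administrators group?
#    whoami localizes its column text; the match below assumes English.
$row = whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.SID -eq $adminSid }
if (-not $row) {
    $state = 'not present'
} elseif ($row.Attributes -match 'deny only') {
    $state = 'deny-only (filtered token: Allow ACEs for the group are ignored)'
} else {
    $state = 'enabled (elevated token, or UAC filtering is off)'
}
"Administrators in current token: $state"

# 2. Does the folder carry an explicit (non-inherited) ACE for this user?
try {
    $acl = Get-Acl -Path $Path -ErrorAction Stop
} catch {
    "Cannot read the DACL of $Path with this token: $($_.Exception.Message)"
    return
}
$sidType  = [System.Security.Principal.SecurityIdentifier]
$explicit = $acl.GetAccessRules($true, $false, $sidType)   # explicit ACEs only
$mine = @($explicit | Where-Object { $_.IdentityReference.Value -eq $me.User.Value })

if ($mine.Count -eq 0) {
    "No explicit ACE for $($me.Name) on $Path"
} else {
    foreach ($ace in $mine) {
        "Explicit ACE for $($me.Name): $($ace.AccessControlType) $($ace.FileSystemRights)"
    }
    # Group-only permissions can be restored from an elevated prompt:
    "To remove it: icacls `"$Path`" /remove:g `"$($me.Name)`""
}
```

Run once from a normal prompt and once from a "Run as administrator" prompt to compare the two token states on the same account.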
thanks for the info Dave. That does help.
If anyone has any further comments or details please do share. Thanks!
July 15th, 2010 2:02pm