is this a UAC feature?
Hello,

Using Windows 7 Pro, machine is a domain member, my domain account is a member of the local administrators group on my workstation. I created a local folder and changed the NTFS permissions so that only 'system' and the local administrators group have full control.

While logged in as my domain user I was using FileZilla for SFTP access to a remote server and my downloads to this local folder were failing... but downloads to other local folders were OK. So when I went to check this local folder out, navigating to it using Windows Explorer, when I tried to open it I was greeted with a message that said "you don't currently have permission to access this folder. Click continue to permanently get access to this folder", and when I click continue it opens the folder... I checked the NTFS permissions after this and saw that it explicitly added my domain user account to the DACL.

1. I assume this has something to do with UAC? yes/no?
2. Could anyone explain why it would do this? My account is already a member of the local administrators group which already has the appropriate permissions assigned... why is the OS forcing that DACL edit? What is the point?

I'm all for the concept of UAC, I think it's needed. But this particular behavior has me scratching my head... what if I don't want my NTFS perms that way? I mean, that actually goes against Microsoft's own best practice of adding users to groups, and assigning permissions to groups, not individual users. wtf? Could someone please enlighten me on this, or confirm that this really is just retarded?
July 14th, 2010 2:30pm

Hi daft, thanks for the reply, it's appreciated. Local folder was right off the root (c:\test). I did not run FileZilla in administrative mode and I don't know that it's the latest version of FileZilla. But I'm not interested in adjusting the client side of this equation. The purpose for my post is more to find out if this behavior is a UAC thing, and if so, why?

The way I see it is, I tried to access a folder that I *do* have permissions on (via group membership in local administrators) and this access failed when done through an application, and when done directly through the OS (explorer.exe), I was stopped with a system message which after consenting to gaining access, it modified the folder's DACL (adding my user account), and that seems ridiculous. I don't want my account in the DACL, it's redundant.

If this behavior is by design, which I'm assuming it is as part of UAC, I'm just baffled as to why? But I have not done my homework on Vista/7 and UAC so maybe I'm missing something here, and I'm hoping to be enlightened by the community here, or, as I said, I guess just get confirmation that this is by design and ya, contrary to MS's own recommended best practices that have existed since Windows 2000 (or earlier): assign users to groups, assign permissions to groups, not explicitly to individual users.
July 14th, 2010 4:56pm

In message <f284f775-fcf4-4f01-b774-70e36a0f1ef7@communitybridge.codeplex.com> c0pe was claimed to have wrote:

> The way I see it is, I tried to access a folder that I do have permissions on (via group membership in local administrators) and this access failed when done through an application, and when done directly through the OS (explorer.exe), I was stopped with a system message which after consenting to gaining access, it modified the folder's DACL (adding my user account), and that seems ridiculous. I don't want my account in the DACL, it's redundant. If this behavior is by design, which I'm assuming it is as part of UAC, I'm just baffled as to why? But I have not done my homework on Vista/7 and UAC so maybe I'm missing something here, and I'm hoping to be enlightened by the community here, or, as I said, I guess just get confirmation that this is by design and ya, contrary to MS's own recommended best practices that have existed since Windows 2000 (or earlier): assign users to groups, assign permissions to groups, not explicitly to individual users.

The thing about UAC is that in general you actually don't have your "Administrators" group membership unless you intentionally elevate an application by using the right-click Run-As-Administrator or an application requests elevation. Granting explicit rights to your account by name or to a group other than Administrators will give you rights at all times without explicit elevation.
July 15th, 2010 9:15am
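
The behaviour described in the reply above can be checked from a PowerShell prompt. This is an added example, not part of the original thread; it only reads state, `C:\test` is the folder named earlier in the thread, and the English `whoami` attribute text quoted in the comments is an assumption about the system language.

```powershell
# Added example, not from the thread. C:\test is the folder the poster mentions.
$folder = 'C:\test'

# 1. Is this process running with the full (elevated) administrator token?
#    Under UAC an unelevated process gets a filtered token, so this is False
#    even when the account is a member of the local Administrators group.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
"User: {0}   Elevated: {1}" -f $identity.Name, $elevated

# 2. How BUILTIN\Administrators (SID S-1-5-32-544) appears in the current token.
#    In a filtered token its attributes read "Group used for deny only",
#    so an Allow ACE for Administrators does not grant this process access.
whoami /groups /fo csv | Select-String -SimpleMatch 'S-1-5-32-544'

# 3. Explicit (non-inherited) ACEs on the folder that name the current user
#    directly, such as the one Explorer adds after "Continue" is clicked.
try {
    $acl = Get-Acl -Path $folder -ErrorAction Stop
    $direct = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $identity.Name
    })
    if ($direct.Count -eq 0) {
        "No explicit ACE for $($identity.Name) on $folder"
    } else {
        $direct | Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize
    }
} catch {
    "Could not read the DACL of ${folder}: $($_.Exception.Message)"
}
```

Run it once from a normal prompt and once from a prompt started with Run as administrator to compare the two tokens.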

Thanks for the info, Dave. That does help. If anyone has any further comments or details please do share. Thanks!
July 15th, 2010 2:02pm

This topic is archived. No further replies will be accepted.
