File Permissions and You: UAC Edition

04fig07

If you’ve ever tried to access a folder (i.e. someone else’s profile in C:\Users) and still get prompted for UAC even though you’re logged in as a domain admin, this is by design and limitation. If the folder is using the built-in security groups for permissions (Administrators), you’re going to get the box, and you’re going to hit continue and it’s then going to go through every file and permanently add your account to the ACL for every file in the folder. Maybe this isn’t a big deal for a small user folder, but on something like a network share that is using DFS-R, this can ruin your day pretty quickly as Windows sets your permissions on every file across the entire file structure.

The quickest way to get your permissions straight is to add your account to a custom security group that does have access, as UAC does not prompt unless it’s trying to use the built-in administrator account. Yes, this can be disabled via registry and local security policy (https://www.virtualizationhowto.com/2015/07/windows-10-edge-opened-builtin-administrator-account/) , but you really shouldn’t be doing that.

An in-depth explanation on how UAC and ACLs work together can be found here: https://support.microsoft.com/en-us/help/950934/when-you-click-continue-for-folder-access-in-windows-explorer–your-us

That being said, a combination of a /r takeown (https://technet.microsoft.com/en-us/library/cc753024(v=ws.11).aspx) & a /t icacls (https://technet.microsoft.com/en-us/library/cc753525(v=ws.11).aspx) is always going to be faster than Windows trying to set permissions. It’s safer as well, as you can generally Ctrl+C the process for those commands and know what all you’ve affected as opposed to hitting continue on the UAC and being forced to cancel it and having your permissions in an inconsistent state requiring you to completely re-do the entire thing. Happy troubleshooting!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s