Hello,
1. That's correct.
2. That's correct.
3. Sounds like a bug.
4. Yes, permissions for the 'Administrators' group apply to all members
of that group. However, programs that are not running with admin rights
(like Explorer) don't recognize your administrator group membership for
allow permissions (but they do for deny ones).
5. You might be able to edit group memberships from the legacy Windows XP
user accounts control panel:
- click start
- type: control userpasswords2
- press enter
pre-6. This "Click here to get access to this folder" prompt does not
start explorer with admin privileges (as one might reasonably expect).
Instead, it does what you have observed, gives your user account read access
using NTFS permissions (another unfortunate decision - assuming read access
is OK for all scenarios).
6. Conceptually, the permission was only set at the folder level.
However, due to the way security permissions are implemented, the change
must be propagated down to the children. If there were files inside that
folder that did not inherit permissions from the parent, then those files'
security permissions would not be changed.
7. Correct.
8. I am confident this will be addressed in the next version of Windows.
9. Explorer doesn't play nice with elevation.
- JB
<> wrote in message
news:6da52469-f4f4-4e8b-9e44-...
> I seem to have accounts with unusual statuses. I don't know if it
> would be considered a bug that these situations could be reached, or
> if they make sense at all. Read on...
>
> Note: I have placed numbers in square brackets after each of my
> questions or implied-questions. This will make it easier for you to
> respond to particular questions without having to go to the trouble of
> quoting sections. Thanks in advance.
>
> =================
> I have 2 administrator accounts (Admin1, Admin2) and 2 standard
> accounts (User1, User2). The computer runs Vista Premium, and I
> haven't installed SP1.
>
> The first issue is being able to access the files of another account.
> I understand that, technically, these permissions can be modified to
> do whatever you want, but I thought that the defaults were that admins
> could access all users' files, while standard users could only access
> their own files. [1] My 2 admin accounts can't access files of
> User2. If I click on folder C:\Users\User2 , it tells me, "You
> don't currently have permission to access this folder. Click Continue
> to get access to this folder.".
>
> I know my admin accounts are admin accounts because it lets me elevate
> without typing a password. (That's proof, right? [2]) In Admin1, I
> decided to double-check my account type, so I opened Control Panel's
> "User Accounts". I clicked "Change your account type", elevated
> (without needing a password), and surprisingly I am listed as a
> Standard User! (There is a radio button checked next to "Standard
> User".)
>
> How can that be? How can I be listed as a Standard User if I am an
> admin? Is this a bug? [3] I never changed this status. Even if I
> could, it should take away my elevation rights...
>
> I might be able to fix this by selecting "Administrator" and changing
> the account type, but I want to preserve the evidence until some
> people answer. :-)
>
> On my second admin account, I don't have this situation. The account
> is listed as an admin in the control panel. But I still can't access
> the other accounts in Windows Explorer.
>
> So I checked the user permissions on the folder C:\Users\User2 . It
> lists the Administrators group (and User2 and SYSTEM) as having full
> control, but does not list Admin2 directly. This should be fine, as
> Admin2 should be a member of the Administrators group, right? [4] By
> reading help, I found out that I can't manage group membership on
> Vista Premium (except by choosing Standard or Administrator).
>
> So this seems to be a second anomaly / bug. [5]
>
> ===============
> On a related note, the admin accounts do have access to the other
> standard account (User1). Here, I will explain why...
>
> The third item I want to mention is not really a bug, but it is a
> misleading message that has fairly serious consequences. As I
> mentioned above, if I click on folder C:\Users\User2 , it tells me,
> "You don't currently have permission to access this folder. Click
> Continue to get access to this folder.". If I try this from a
> Standard account, I get the same message, but need to elevate with a
> password. Now, my impression was that if I "Continue" from the user
> account, it will just run Windows Explorer as administrator, and will
> thereby get permission -- JUST WHILE THE WINDOW IS OPEN.
>
> But what actually seems to happen is that it changes the permissions
> (permanently) on the folder to add the current user as having read
> permission !! This is totally unexpected, and the consequence is that
> the user will be able to read the other user's account from then on!
>
> (Since, in the past, I have done this from both admin accounts to
> access User1, this change was made, and now I have access. Admin1 and
> Admin2 are listed as having read permission on User1's folder.)
>
> Side point: It takes a relatively long time (60 seconds) to complete
> this operation, so presumably it modifies the permissions of each
> individual file and folder. Since permissions are inherited, I would
> have thought that only the top-level folder needs to be changed, and
> that permissions are calculated on the fly, but I guess not. Maybe
> it's faster for each item to have its own permission list. Can anyone
> confirm that this is correct? [6]
>
> I guess I can undo this change by deleting the user from the
> permissions list. Hopefully, I would only need to do this for the top-
> level folder [7]. But I think this is most unintuitive behaviour.
>
> So, I guess my questions are:
>
> - Do you agree that this is unexpected behaviour? Shouldn't it warn
> that this change is permanent? [8]
>
> - Why doesn't it just elevate the Explorer session, to get temporary
> access? [9]
>
> (For those who are looking for footnotes to correspond to the
> bracketed numbers, read the second paragraph. :-) )
>
> Thanks
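
An added example (not part of the original thread): a PowerShell audit for the side effect described in answers pre-6 and 6, listing explicit (non-inherited) allow entries on profile folders that were granted to an account other than the folder's owner. It assumes each folder under C:\Users is named after its account, and the function names are hypothetical.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumption: each profile folder under C:\Users is named after its account.

function Test-Elevated {
    # False for an admin account running with the filtered (non-elevated) token,
    # where the Administrators group only counts for deny entries (answer 4).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ExplicitProfileGrant {
    param([string]$UsersRoot = 'C:\Users')

    # Principals the thread lists on a default profile folder, besides the owner.
    $expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'

    Get-ChildItem -Path $UsersRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $folder = $_
        try   { $acl = Get-Acl -Path $folder.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL on $($folder.FullName)"; return }

        foreach ($ace in $acl.Access) {
            $id      = $ace.IdentityReference.Value
            $account = ($id -split '\\')[-1]
            # Keep only explicit allow entries for someone other than the owner.
            if ($ace.IsInherited)                   { continue }
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($expected -contains $id)            { continue }
            if ($account -eq $folder.Name)          { continue }

            New-Object PSObject -Property @{
                Folder   = $folder.FullName
                Identity = $id
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

if (-not (Test-Elevated)) {
    Write-Warning 'Not elevated: ACLs of other users'' profiles may be unreadable.'
}
Get-ExplicitProfileGrant | Format-Table Folder, Identity, Rights -AutoSize
```

Shared folders such as Public may carry their own explicit entries for built-in groups; the rows of interest are individual user accounts listed on another user's profile folder.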