Best practice: traversal of all folders.

Discussion in 'Windows Vista Installation' started by Manuel Lopez, Nov 25, 2006.

  1. Manuel Lopez

    Manuel Lopez Guest

    I want to have full control access to all files and folders, using my
    administrator account (or rather the "admin-lite" account vista seems to set
    up by default). However, using that admin-lite account, I don't get an
    elevation prompt when trying to navigate through the Documents and Settings
    folder (for example). I just get "Access is denied."

    I'm not familiar with how UAC is working. Is this default account, which
    Vista calls an administrator account, really an administrator account? (It
    doesn't look that way, since Documents and Settings gives full control to
    the administrators group, but I am unable to traverse it.) Do I solve it by
    having the admin-lite account take ownership, or explicitly give it full
    control, apart from the adminstrators group? or is that not recommended?
    (If there's a good website explaining this, please post the url.) Thanks.
     
    Manuel Lopez, Nov 25, 2006
    #1
    1. Advertisements

  2. The admin-lite account or psuedo-admin as I like to call it, is not a member
    of the administrators group until an explicit elvation has been performed.
    A psuedo-admin recieves two user security tokens a standard token and an
    administrator token, the standard token is always used unless administrator
    privilages have been requested when requested vista displays the
    confirmation dialog and only then allows use of the administrative token.
    Windows Exporer however cannot be run as administrator and never requests
    admin permissions for file management activities and therefore never
    receives an administrator token, as a result windows explorer is never a
    member of the administrators group. You can use other applications such as
    cmd shell by right clicking and run as administrator, but if you want to use
    windows explorer you must add your user account to the ACL, which
    effectively grants your standard user token permission access to the files
    without administrative privilages.

    HTH

    - Kurt
     
    Kurt Harriger, Nov 25, 2006
    #2
    1. Advertisements

  3. Manuel Lopez

    Jeff Guest

    The documents and settings" folder"; is not like it seems.It's not a folder.
    It's not at all like xp, in fact; any "folder" that you see with an arrow
    like a shortcut; is actually a junction.
    Not a folder at all; but a way to migrate stuff from xp to the actual
    folders that Vista uses.
    Anything like My documents, My pics,My whatever; isn't a folder at all.Looks
    like one; but it's not.
    And you will get access denied; admin or not, because they aren't folders.
    They are junctions.
    Ya might want to post this in Vista file management; and Jimmy B in
    particular; is thoroughly versed in these junctions
    He's great with Vista file and permissions

    Jeff
     
    Jeff, Nov 25, 2006
    #3
  4. Windows Exporer however cannot be run as administrator and never requests
    This statement is incorrect. You can put a shortcut in the Quick Launch
    Tray to Windows Explorer and then change it to run as administrator. I
    would only use this shortcut when you know you are doing admin tasks and not
    routine user operations. I like the following options on the Windows
    Explorer command line: /e,/n,c:\, assuming that C:\ is the location of your
    OS install. I also have a cmd.exe shortcut in the Quick Launch Tray that is
    also admin with the following option: "-k cd \" as this one will put you in
    the root directory and not system32.

    UAC is not that hard. As software is updated to work with Vista more and
    more will properly segregate their tasks that require admin access to
    properly manifested programs that will automatically ask for those
    permissions. You will still get the UAC prompt, but you will know that
    something you did requires admin access. If that is a surprise to you, you
    should not grant it permission. This type of security is very old. It
    dates from the Unix world of 25 years ago. Linux does this all the time.
    It has taken 25 years for Microsoft to implement something with security.
     
    David J. Craig, Nov 26, 2006
    #4
  5. Manuel Lopez

    Jimmy Brush Guest

    Hello,

    As Jeff pointed out, the reason access is denied to Documents and Settings
    is because it is a junction - basically a pointer to the Users folder, which
    replaces Documents and Settings in Vista. There are very good reasons why
    this security restriction was put in place, and unfortunately Explorer
    doesn't help you out very much in this regard.

    You should not change the security on these junctions. You will need to
    learn and use the new Windows Vista locations instead.

    As Kurt pointed out, admin accounts are basically split right down the
    middle. All applications run as if they were a standard user - they can only
    use admin powers when they request the power from you via a UAC prompt.

    Here's how file operations work in Explorer using this "admin-lite" mode.

    You can do anything that your username explicitly has permission to do. If
    you try to do something that you cannot explicitly do, there are a few
    things that may happen:

    1) You are browsing into a folder that you don't have access to

    Windows will ask you if you want to "elevate" to full admin power and then
    give yourself explicit permission to access the folder. This changes
    security on the folder/files within that folder to allow you read access. If
    not even the "full admin" power is enough to change the security on the
    folder, you will not be able to access it. This could be the case if the
    administrators group does not have permission to change the folder. In this
    case, you would have to take ownership of the folder and possibly child
    folders/files first and then try to access the folder.

    2) You are doing a folder/file operation that the administrators group has
    permission to do, but you do not

    Windows Explorer will tell you that the operation is restricted and that you
    need admin privileges to complete the operation. You will then go thru a UAC
    dialog and use your "full admin" power to complete the operation. The "full
    admin" power is only good on that one specific operation, and does not apply
    to any further operations.

    3) You are doing a folder/file operation that the administrators group DOES
    NOT have permission to do

    You will receive an access denied error - neither you explicitly nor the
    administrators group have permission. You will need to change the
    permissions on the file/folder manually to give either yourself or the
    administrators group permission. You may need to take ownership of the
    file/folder in order to do this.
     
    Jimmy Brush, Nov 26, 2006
    #5
  6. I had actually tried to run windows explorer as administrator by right
    clicking on widnows explorer in start->accessories, Vista prompts for admin
    credentials and opens a new window but when I tried to access the folder I
    previously created with all acls except administrators removed I recieved
    another prompt. The edit security button no longer had a shield icon and
    allowed me to make some ACL changes but when I attempted to save these
    changes I recieved access denied error. I also tried running it from
    administrative cmd prompt with the options you specified but am getting the
    same results as before.

    - Kurt
     
    Kurt Harriger, Nov 26, 2006
    #6
  7. Manuel Lopez

    Jeff Guest

    Yo Yo Jimmy,
    Thx for the props!!!
    SSShhhhh- I'm a troll, remember?
    LOL
    Hi-btw
    :)

    Jeff
     
    Jeff, Nov 26, 2006
    #7
  8. Manuel Lopez

    Jimmy Brush Guest

    *thumbs up*
    Nonsense! :)
    Howdy :)
     
    Jimmy Brush, Nov 26, 2006
    #8
  9. Manuel Lopez

    Manuel Lopez Guest

    Thank you for the explanation. However, I don't see why if access is
    allowed to the target of a junction, access isn't allowed to the junction (I
    can traverse "c:\users," so why can't I traverse "c:\documents and
    settings," which is a junction to c:\users?).

    On a related point, in trying to move the Documents folder ("Personal" in
    regedit) using the properties option to move it, I noticed that Vista failed
    to update the junction to point to the new location. In correcting that, I
    ended up creating a link rather than a junction, but then corrected it back
    to a junction. However, I don't have the attributes right, I added H and
    S, but Vista seems to use "N" on the junctions under the user's folder--what
    is the "N" attribute and how do I add it to the junction's attributes?
     
    Manuel Lopez, Nov 27, 2006
    #9
  10. Manuel Lopez

    Manuel Lopez Guest

    ok, I realized that Vista probably has "documents and settings" junction for
    backward compatibility for programs hard-coded to look there, and the
    security restriction isn't for security purposes, but to prevent users from
    deleting or renaming it.
     
    Manuel Lopez, Nov 27, 2006
    #10
  11. Manuel Lopez

    Jimmy Brush Guest

    You're right, the security isn't in place for security purposes ... it's
    actually put in place for application compatability purposes.

    That's right ... an app compat hack has an app compat hack :).

    It's fine for programs to traverse OVER an app compat junction - for
    example, accessing c:\documents and settings\username\ works fine. However,
    attempting to do a directory listing on an appcompat junction returns access
    denied.

    This is to prevent programs that do not understand junctions from getting
    confused. Imagine the case where a backup program backs up your hard drive
    and runs over both Documents and Settings and Users - it thinks it is
    accessing 2 different folders, when in fact they are the same.

    Also, some app compat junctions point back into themselves creating a
    recursive situation - some programs probably wouldn't like this very much
    :).
     
    Jimmy Brush, Nov 27, 2006
    #11
  12. Manuel Lopez

    Jimmy Brush Guest

    Vista seems to use "N" on the junctions under the user's folder--what is
    N is the "do not index contents" attribute, it shows up as I using the
    attrib command-line tool.

    This attribute is accessed from Advanced button in the properties screen in
    the attributes section ... clearing the "Index this folder/file for faster
    searching" checkbox sets this attribute.
     
    Jimmy Brush, Nov 27, 2006
    #12
  13. Manuel Lopez

    mayor Guest

    You can, if you so wish, take ownership of C:\documents and settings, but,
    AFAICS nothing is gained by so doing.

    --
    Leo
    If at first you do succeed, try not to look astonished.
     
    mayor, Nov 27, 2006
    #13
  14. Manuel Lopez

    Manuel Lopez Guest

    Thanks. (In my simplicity, I would have used the same letter for the same
    attribute, but there was probably a reason for not doing that.)

    p.s. actually, for junctions, you cannot use the property sheet to make an
    attribute change, only the command line attrib works.
     
    Manuel Lopez, Nov 28, 2006
    #14
  15. Manuel Lopez

    Manuel Lopez Guest

    "N" in explorer seems to be a mistake by Microsoft, that wasn't caught by
    the beta testers. Both the SDK and Microsoft's own attrib.exe command use
    "I" for "not indexed."
    It should be corrected, since "N" was used for normal (meaning no file
    attributes).
     
    Manuel Lopez, Nov 28, 2006
    #15
  16. Not necessarily an accurate assumption. There were many, many things that
    were caught, and bugged, and discussed extensively, by the Vista Beta
    testers, however, it is, after all, MS's program, and the MS development
    and/or prgramming folks decided not to correct or change a lot the bugs,
    many were closed as "Won't fix" So bugs that still exist in Vista are not
    totally the fault of the beta testers, who can only find and report the
    bugs, they can't force MS to do anything about them, or to what extent. :)

    Jan :)
    MS MVP - Windows IE
     
    Jan Ilacqua [MVP], Dec 16, 2006
    #16
  17. Manuel Lopez

    Tech_vs_Life Guest

    good point. at first glance, this doesn't appear to be in one of the
    classes of things that they can't quickly fix (it's not complicated, not an
    old-standing bug, and has no dependencies that fixing would break)
     
    Tech_vs_Life, Dec 16, 2006
    #17
  18. In fairness to the MS folks who were also in the Beta trenches, there were a
    lot of things that the teams were hoping to fix, but, they just ran out of
    time. There came a point where they had to lock the code to prepare for
    RTM. Many fought just as hard as the BT's on some issues, however, they
    were also answering to higher ups. I think we will see some of these things
    corrected in the SP1, as you say, they are the type of things that can be
    corrected without a lot of in-depth code changes. Until then, we will
    either have to work with it, around it, or find some way to get by until the
    SP1. Not exactly the most favorable choice, but, for now, the only ones we
    may have.

    Jan :)
    MS MVP - Windows IE
     
    Jan Ilacqua [MVP], Dec 17, 2006
    #18
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.