Best practice: traversal of all folders.

Manuel Lopez

I want to have full control access to all files and folders, using my
administrator account (or rather the "admin-lite" account Vista seems to set
up by default). However, using that admin-lite account, I don't get an
elevation prompt when trying to navigate through the Documents and Settings
folder (for example). I just get "Access is denied."

I'm not familiar with how UAC is working. Is this default account, which
Vista calls an administrator account, really an administrator account? (It
doesn't look that way, since Documents and Settings gives full control to
the administrators group, but I am unable to traverse it.) Do I solve it by
having the admin-lite account take ownership, or explicitly give it full
control, apart from the administrators group? Or is that not recommended?
(If there's a good website explaining this, please post the url.) Thanks.
 
Kurt Harriger

Manuel Lopez said:
I want to have full control access to all files and folders, using my
administrator account (or rather the "admin-lite" account Vista seems to
set up by default). However, using that admin-lite account, I don't get an
elevation prompt when trying to navigate through the Documents and Settings
folder (for example). I just get "Access is denied."

I'm not familiar with how UAC is working. Is this default account, which
Vista calls an administrator account, really an administrator account?
(It doesn't look that way, since Documents and Settings gives full control
to the administrators group, but I am unable to traverse it.) Do I solve
it by having the admin-lite account take ownership, or explicitly give it
full control, apart from the administrators group? Or is that not
recommended? (If there's a good website explaining this, please post the
url.) Thanks.

The admin-lite account, or pseudo-admin as I like to call it, is not a member
of the administrators group until an explicit elevation has been performed.
A pseudo-admin receives two user security tokens, a standard token and an
administrator token. The standard token is always used unless administrator
privileges have been requested; when requested, Vista displays the
confirmation dialog and only then allows use of the administrative token.
Windows Explorer, however, cannot be run as administrator and never requests
admin permissions for file management activities, and therefore never
receives an administrator token; as a result, Windows Explorer is never a
member of the administrators group. You can use other applications such as
cmd shell by right-clicking and selecting Run as administrator, but if you
want to use Windows Explorer you must add your user account to the ACL, which
effectively grants your standard user token permission to access the files
without administrative privileges.

HTH

- Kurt
 
Jeff

The "Documents and Settings" folder is not like it seems. It's not a folder.
It's not at all like XP; in fact, any "folder" that you see with an arrow
like a shortcut is actually a junction.
Not a folder at all, but a way to migrate stuff from XP to the actual
folders that Vista uses.
Anything like My Documents, My Pics, My whatever isn't a folder at all. Looks
like one, but it's not.
And you will get access denied, admin or not, because they aren't folders.
They are junctions.
Ya might want to post this in Vista file management; Jimmy B in
particular is thoroughly versed in these junctions.
He's great with Vista file and permissions.

Jeff
 
David J. Craig

Windows Explorer, however, cannot be run as administrator and never requests
admin permissions for file management activities, and therefore never
receives an administrator token; as a result, Windows Explorer is never a
member of the administrators group.

This statement is incorrect. You can put a shortcut in the Quick Launch
Tray to Windows Explorer and then change it to run as administrator. I
would only use this shortcut when you know you are doing admin tasks and not
routine user operations. I like the following options on the Windows
Explorer command line: /e,/n,c:\, assuming that C:\ is the location of your
OS install. I also have a cmd.exe shortcut in the Quick Launch Tray that is
also admin with the following option: "-k cd \" as this one will put you in
the root directory and not system32.

UAC is not that hard. As software is updated to work with Vista, more and
more will properly segregate their tasks that require admin access to
properly manifested programs that will automatically ask for those
permissions. You will still get the UAC prompt, but you will know that
something you did requires admin access. If that is a surprise to you, you
should not grant it permission. This type of security is very old. It
dates from the Unix world of 25 years ago. Linux does this all the time.
It has taken 25 years for Microsoft to implement something with security.
 
Jimmy Brush

Hello,

As Jeff pointed out, the reason access is denied to Documents and Settings
is because it is a junction - basically a pointer to the Users folder, which
replaces Documents and Settings in Vista. There are very good reasons why
this security restriction was put in place, and unfortunately Explorer
doesn't help you out very much in this regard.

You should not change the security on these junctions. You will need to
learn and use the new Windows Vista locations instead.

As Kurt pointed out, admin accounts are basically split right down the
middle. All applications run as if they were a standard user - they can only
use admin powers when they request the power from you via a UAC prompt.

Here's how file operations work in Explorer using this "admin-lite" mode.

You can do anything that your username explicitly has permission to do. If
you try to do something that you cannot explicitly do, there are a few
things that may happen:

1) You are browsing into a folder that you don't have access to

Windows will ask you if you want to "elevate" to full admin power and then
give yourself explicit permission to access the folder. This changes
security on the folder/files within that folder to allow you read access. If
not even the "full admin" power is enough to change the security on the
folder, you will not be able to access it. This could be the case if the
administrators group does not have permission to change the folder. In this
case, you would have to take ownership of the folder and possibly child
folders/files first and then try to access the folder.

2) You are doing a folder/file operation that the administrators group has
permission to do, but you do not

Windows Explorer will tell you that the operation is restricted and that you
need admin privileges to complete the operation. You will then go thru a UAC
dialog and use your "full admin" power to complete the operation. The "full
admin" power is only good on that one specific operation, and does not apply
to any further operations.

3) You are doing a folder/file operation that the administrators group DOES
NOT have permission to do

You will receive an access denied error - neither you explicitly nor the
administrators group have permission. You will need to change the
permissions on the file/folder manually to give either yourself or the
administrators group permission. You may need to take ownership of the
file/folder in order to do this.
 
Kurt Harriger

I had actually tried to run Windows Explorer as administrator by right-clicking
on Windows Explorer in Start->Accessories. Vista prompts for admin
credentials and opens a new window, but when I tried to access the folder I
previously created with all ACLs except administrators removed, I received
another prompt. The edit security button no longer had a shield icon and
allowed me to make some ACL changes, but when I attempted to save these
changes I received an access denied error. I also tried running it from an
administrative cmd prompt with the options you specified but am getting the
same results as before.

- Kurt
 
Manuel Lopez

Thank you for the explanation. However, I don't see why if access is
allowed to the target of a junction, access isn't allowed to the junction (I
can traverse "c:\users," so why can't I traverse "c:\documents and
settings," which is a junction to c:\users?).

On a related point, in trying to move the Documents folder ("Personal" in
regedit) using the properties option to move it, I noticed that Vista failed
to update the junction to point to the new location. In correcting that, I
ended up creating a link rather than a junction, but then corrected it back
to a junction. However, I don't have the attributes right, I added H and
S, but Vista seems to use "N" on the junctions under the user's folder--what
is the "N" attribute and how do I add it to the junction's attributes?
 
Manuel Lopez

OK, I realized that Vista probably has the "documents and settings" junction for
backward compatibility for programs hard-coded to look there, and the
security restriction isn't for security purposes, but to prevent users from
deleting or renaming it.
 
Jimmy Brush

You're right, the security isn't in place for security purposes ... it's
actually put in place for application compatibility purposes.

That's right ... an app compat hack has an app compat hack :).

It's fine for programs to traverse OVER an app compat junction - for
example, accessing c:\documents and settings\username\ works fine. However,
attempting to do a directory listing on an appcompat junction returns access
denied.

This is to prevent programs that do not understand junctions from getting
confused. Imagine the case where a backup program backs up your hard drive
and runs over both Documents and Settings and Users - it thinks it is
accessing 2 different folders, when in fact they are the same.

Also, some app compat junctions point back into themselves creating a
recursive situation - some programs probably wouldn't like this very much
:).
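
The double-visit and recursion problem described in the post above, as an added example that is not part of the original thread: a directory walker that records junctions and other reparse points instead of following them, and notes folders that refuse a listing. The sample tree and all function names are constructed for illustration, and POSIX symlinks stand in for NTFS junctions so the sample also runs off Windows.

```python
import os
import stat
import tempfile

FILE_ATTRIBUTE_REPARSE_POINT = 0x400  # Win32 attribute bit set on junctions and symlinks

def is_link_like(path):
    """True for a POSIX symlink or any NTFS reparse point (junctions included)."""
    st = os.lstat(path)  # lstat inspects the link itself, never its target
    if stat.S_ISLNK(st.st_mode):
        return True
    # st_file_attributes only exists on Windows; treat it as 0 elsewhere.
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT)

def walk_once(root):
    """Return (files, skipped_links, denied), entering each real directory once."""
    files, skipped, denied = [], [], []
    stack = [root]
    while stack:
        current = stack.pop()
        try:
            names = sorted(os.listdir(current))
        except PermissionError:  # e.g. a folder whose ACL denies listing
            denied.append(current)
            continue
        for name in names:
            path = os.path.join(current, name)
            if is_link_like(path):
                skipped.append(path)  # record it, but do not descend
            elif os.path.isdir(path):
                stack.append(path)
            else:
                files.append(path)
    return files, skipped, denied

def build_sample_tree():
    """Constructed layout: Users/alice/Documents plus two compatibility-style links."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "Users", "alice")
    os.makedirs(os.path.join(home, "Documents"))
    with open(os.path.join(home, "Documents", "notes.txt"), "w") as f:
        f.write("sample")
    os.symlink(os.path.join(root, "Users"), os.path.join(root, "Documents and Settings"))
    os.symlink(home, os.path.join(home, "Application Data"))  # points back at its parent
    return root

if __name__ == "__main__":
    found, links, refused = walk_once(build_sample_tree())
    print(len(found), "file(s);", len(links), "link(s) skipped;", len(refused), "denied")
```

Treating every reparse point as a link is a simplification: it also skips other reparse-point types, so a real backup tool would inspect the reparse tag before deciding.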
 
Jimmy Brush

Vista seems to use "N" on the junctions under the user's folder--what is
the "N" attribute and how do I add it to the junction's attributes?

N is the "do not index contents" attribute, it shows up as I using the
attrib command-line tool.

This attribute is accessed from Advanced button in the properties screen in
the attributes section ... clearing the "Index this folder/file for faster
searching" checkbox sets this attribute.
 
mayor

You can, if you so wish, take ownership of C:\documents and settings, but,
AFAICS nothing is gained by so doing.

--
Leo
If at first you do succeed, try not to look astonished.
 
Manuel Lopez

Thanks. (In my simplicity, I would have used the same letter for the same
attribute, but there was probably a reason for not doing that.)

p.s. actually, for junctions, you cannot use the property sheet to make an
attribute change, only the command line attrib works.
 
Manuel Lopez

"N" in explorer seems to be a mistake by Microsoft, that wasn't caught by
the beta testers. Both the SDK and Microsoft's own attrib.exe command use
"I" for "not indexed."
It should be corrected, since "N" was used for normal (meaning no file
attributes).
 
Jan Ilacqua [MVP]

Manuel Lopez said:
"N" in explorer seems to be a mistake by Microsoft, that wasn't caught by
the beta testers.

Not necessarily an accurate assumption. There were many, many things that
were caught, and bugged, and discussed extensively, by the Vista Beta
testers, however, it is, after all, MS's program, and the MS development
and/or programming folks decided not to correct or change a lot of the bugs;
many were closed as "Won't fix." So bugs that still exist in Vista are not
totally the fault of the beta testers, who can only find and report the
bugs, they can't force MS to do anything about them, or to what extent. :)

Jan :)
MS MVP - Windows IE
 
Tech_vs_Life

Good point. At first glance, this doesn't appear to be in one of the
classes of things that they can't quickly fix (it's not complicated, not an
old-standing bug, and has no dependencies that fixing would break).
 
Jan Ilacqua [MVP]

In fairness to the MS folks who were also in the Beta trenches, there were a
lot of things that the teams were hoping to fix, but, they just ran out of
time. There came a point where they had to lock the code to prepare for
RTM. Many fought just as hard as the BT's on some issues, however, they
were also answering to higher ups. I think we will see some of these things
corrected in the SP1, as you say, they are the type of things that can be
corrected without a lot of in-depth code changes. Until then, we will
either have to work with it, around it, or find some way to get by until the
SP1. Not exactly the most favorable choice, but, for now, the only ones we
may have.

Jan :)
MS MVP - Windows IE
 
