Undocumented file permissions????

[lew]

What undocumented file permissions are hidden in winxp w/sp1??

I installed winxp pro w/sp1 over winxp home w/sp1; the install
said it will delete os in windows directory.

There is a folder/directory I called "download" for downloaded files
which have *some* files that are inaccessible to the administrator
saying that the administrator don't have permissions to do anything
with the files; why it is only for some files, .exe & .zip, is very
disturbing.

The attributes have been checked & the only attribute set is the
archive bit. I've checked the local policies & don't see anything
that applies; it does look like all folders have the "read-only"
attribute set, I guess it is to provide some protection against
accidental deletion.

So, why are some non-system files cannot be accessed by the administrator?
The other puzzling thing is that I cannot even rename the file BUT I
can delete the inaccessible files. I can and did a download of the same
file & *overwrote* the existing inaccessible files!!!

I've seen questions by posters about inaccessible filles by the
administrator but never saw the answer, if any.

Feature added so tech support to make jokes about users?

 

[Rick \Nutcase\ Rogers]

Hi,

You need to take ownership of the files from the previous installation.
Right-click the folder, select properties. Go to the security tab and click
advanced. You can take control of the folders on the owner tab. For the
security tab to appear in a WinXP Pro system, you must disable simple file
sharing in the control panel/folder options/view tab. For a WinXP Home
system, you must restart in safe mode and logon as administrator. More
details here:

HOW TO: Take Ownership of a File or Folder in Windows XP [Q308421]
http://support.microsoft.com/?kbid=308421

An additional note for WinXP Pro users: This procedure will not help you
recover data if the files are encrypted. All you will be able to do is
delete them. To recover encrypted files you will need the original
encryption certificate or a Recovery Agent from the installation under which
they were encrypted. Without one of these, the files are not recoverable.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Associate Expert - WindowsXP Expert Zone

Windows help - www.rickrogers.org

 

[Mike Kolitz]

NTFS Permissions:
http://www.windowsitlibrary.com/Content/592/1.html?Ad=1
http://www.microsoft.com/windowsxp/using/security/learnmore/accesscontrol.mspx
http://www.pcguide.com/ref/hdd/file/ntfs/sec-c.html

 

[lew]

Hi,

You need to take ownership of the files from the previous installation.
Right-click the folder, select properties. Go to the security tab and click
advanced. You can take control of the folders on the owner tab. For the
security tab to appear in a WinXP Pro system, you must disable simple file
sharing in the control panel/folder options/view tab. For a WinXP Home
system, you must restart in safe mode and logon as administrator. More
details here:

HOW TO: Take Ownership of a File or Folder in Windows XP [Q308421]
http://support.microsoft.com/?kbid=308421

Thanks will check it out... Still think an Administrator should be able
to what he wants to the file; if not then an Administrator DO NOT have
full direct control of the system.

 

[Mike Kolitz]

Thanks will check it out... Still think an Administrator should be able

to what he wants to the file; if not then an Administrator DO NOT have
full direct control of the system.

Sure they do. An administrator can take ownership of any system object, so
they can gain control if they need it. If they don't, there's nothing wrong
with the administrator not having access to it.

--
Mike Kolitz MCSE 2000
MS-MVP - Windows Setup / Deployment

Hi,

You need to take ownership of the files from the previous installation.
Right-click the folder, select properties. Go to the security tab and
click
advanced. You can take control of the folders on the owner tab. For the
security tab to appear in a WinXP Pro system, you must disable simple
file
sharing in the control panel/folder options/view tab. For a WinXP Home
system, you must restart in safe mode and logon as administrator. More
details here:

HOW TO: Take Ownership of a File or Folder in Windows XP [Q308421]
http://support.microsoft.com/?kbid=308421

Thanks will check it out... Still think an Administrator should be able
to what he wants to the file; if not then an Administrator DO NOT have
full direct control of the system.

An additional note for WinXP Pro users: This procedure will not help you
recover data if the files are encrypted. All you will be able to do is
delete them. To recover encrypted files you will need the original
encryption certificate or a Recovery Agent from the installation under
which
they were encrypted. Without one of these, the files are not recoverable.

 

[lew]

Hi,

You need to take ownership of the files from the previous installation.
Right-click the folder, select properties. Go to the security tab and click
advanced. You can take control of the folders on the owner tab. For the
security tab to appear in a WinXP Pro system, you must disable simple file
sharing in the control panel/folder options/view tab. For a WinXP Home
system, you must restart in safe mode and logon as administrator. More
details here:

HOW TO: Take Ownership of a File or Folder in Windows XP [Q308421]
http://support.microsoft.com/?kbid=308421

Have checked out the info as well as the other 3 references regarding
ntfs permissions.....obvious conclusion:

microsoft made a HUGE BUG with ntfs permissions

Nowhere in any of the docs state why the *ADMINISTRATOR* cannot have
full control of a folder or file; the Administrator is being treated
like just another user when it comes to permissions, sometimes, as
in the Administrator must go elsewhere to change sharing permissions
prior to taking ownship of the file.

 

[Rick \Nutcase\ Rogers]

Hi,

If the file was created under a different installation, the security ID's
will not match the existing one - taking ownership is how the issue is
resolved. An administrator would automatically have access to any file
created within the existing installation (unless they were removed by
another user of that level, but they can always be regained).

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Associate Expert - WindowsXP Expert Zone

Windows help - www.rickrogers.org

Hi,

You need to take ownership of the files from the previous installation.
Right-click the folder, select properties. Go to the security tab and
click
advanced. You can take control of the folders on the owner tab. For the
security tab to appear in a WinXP Pro system, you must disable simple
file
sharing in the control panel/folder options/view tab. For a WinXP Home
system, you must restart in safe mode and logon as administrator. More
details here:

HOW TO: Take Ownership of a File or Folder in Windows XP [Q308421]
http://support.microsoft.com/?kbid=308421

Thanks will check it out... Still think an Administrator should be able
to what he wants to the file; if not then an Administrator DO NOT have
full direct control of the system.

An additional note for WinXP Pro users: This procedure will not help you
recover data if the files are encrypted. All you will be able to do is
delete them. To recover encrypted files you will need the original
encryption certificate or a Recovery Agent from the installation under
which
they were encrypted. Without one of these, the files are not recoverable.

 

[Mike Kolitz]

Ok. No.

It's not a bug. It's by design, and it's a good design.

The administrator *is* just another user, except it has the ability to
exercise excessive permissions if necessary. "If necessary" being the
operative statement.

There's absolutely no valid reason why the Administrator should
automatically be owner of everything. If necessary, the Administrator can
take ownership - that's all they need. That's how it works; that's how it
should work.

More on permissions and ownership:
http://www.pcguide.com/ref/hdd/file/ntfs/secOwn-c.html

--
Mike Kolitz MCSE 2000
MS-MVP - Windows Setup / Deployment

Hi,

You need to take ownership of the files from the previous installation.
Right-click the folder, select properties. Go to the security tab and
click
advanced. You can take control of the folders on the owner tab. For the
security tab to appear in a WinXP Pro system, you must disable simple
file
sharing in the control panel/folder options/view tab. For a WinXP Home
system, you must restart in safe mode and logon as administrator. More
details here:

HOW TO: Take Ownership of a File or Folder in Windows XP [Q308421]
http://support.microsoft.com/?kbid=308421

Have checked out the info as well as the other 3 references regarding
ntfs permissions.....obvious conclusion:

microsoft made a HUGE BUG with ntfs permissions

Nowhere in any of the docs state why the *ADMINISTRATOR* cannot have
full control of a folder or file; the Administrator is being treated
like just another user when it comes to permissions, sometimes, as
in the Administrator must go elsewhere to change sharing permissions
prior to taking ownship of the file.

An additional note for WinXP Pro users: This procedure will not help you
recover data if the files are encrypted. All you will be able to do is
delete them. To recover encrypted files you will need the original
encryption certificate or a Recovery Agent from the installation under
which
they were encrypted. Without one of these, the files are not recoverable.

 

[lew]

Hi,

If the file was created under a different installation, the security ID's
will not match the existing one - taking ownership is how the issue is
resolved. An administrator would automatically have access to any file
created within the existing installation (unless they were removed by
another user of that level, but they can always be regained).

So it looks like if the prior installation was a "different os", then
the problem occurs; if it was a full install (reinstall?) then the problem
doesn't occur!

Looks like I may encounter more gotcha later on; still doesn't explain
why some files of the prior install don't need a change of ownership &
others do need didling.

So just a "full install" over an existing install of a another version of
OS would create problems down the line; and that if a "full install" need
to be "clean" where the partitions are reformatted to bypass problems.

Or just do an upgrade which would really be preferable to a full install
with gotchas or start over from the beginning with a "clean" install if
one has the time to reinstall all apps & data.

I will really need to watch-it when I finally update my motherboard to
the 64-bit kind with the 64-bit windows OS.....

Thanks for the info on this limitations of windows; I didn't have any
problem like this with linux as root really have full control.

 

[lew]

Ok. No.

It's not a bug. It's by design, and it's a good design.

The administrator *is* just another user, except it has the ability to
exercise excessive permissions if necessary. "If necessary" being the
operative statement.

There's absolutely no valid reason why the Administrator should
automatically be owner of everything. If necessary, the Administrator can
take ownership - that's all they need. That's how it works; that's how it
should work.

More on permissions and ownership:
http://www.pcguide.com/ref/hdd/file/ntfs/secOwn-c.html

Ah, the "design" is to let only the owner execute an executable file or
unzipping a zipped file.

I agree the Administrator doesn't need to own anything but then the
Administrator should be able to run an executable to install the
self-installing app or be able to unzip a zipped file for installing the
app which is really a "reinstall" execpt that windows no longer recognizes
that the app was "installed" already previously.

 

[David Candy]

Admins can if they want. type taking ownership in help.

 

[Bruce Chambers]

microsoft made a HUGE BUG with ntfs permissions

Nonsense. Or rather, if there is one, no one's found it. You
certainly haven't.

Nowhere in any of the docs state why the *ADMINISTRATOR* cannot have
full control of a folder or file; the Administrator is being treated
like just another user when it comes to permissions, sometimes, as
in the Administrator must go elsewhere to change sharing permissions
prior to taking ownship of the file.

This is simply common sense. Have you never heard of the concept of
"checks and balances?" The Administrator *has* full control of the
system, but cannot and should not have unfettered and unaudited access
to other peoples' data. The very idea is ludicrous. What business
would want an administrator browsing through confidential payroll
information, for example? By the administrator's having to take
ownership, a an audit trail is left.


--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH

 

[lew]

Nonsense. Or rather, if there is one, no one's found it. You
certainly haven't.



This is simply common sense. Have you never heard of the concept of
"checks and balances?" The Administrator *has* full control of the
system, but cannot and should not have unfettered and unaudited access
to other peoples' data. The very idea is ludicrous. What business
would want an administrator browsing through confidential payroll
information, for example? By the administrator's having to take
ownership, a an audit trail is left.

"Common sense" is much overused as "common sense" is only if the people
involved has the same knowledge, beliefs, experience, environment or etc
regarding a behaviour pattern in specific situations.

Your premise that the Admin shouldn't have business browsing "confidential"
files doesn't address the possible necessity by the company's policies &
ownership of the computers in question. Nor does your premise address
governmental investigations and/or even investigations in lawsuits,
civil & crimminal.

Indeed, it seems preferable, by your beliefs, the Admin should just
reformat the partitions and/or drive to install a new OS, which is also
nonsense as the users' needs must also be met.

And since I'm the owner, user & administrator, I should be able to do
what I want on/to my machine. However, as someone else pointed out,
it was a design decission by ms for whatever reason. Other operating
systems do things differently. There are "administrators" & "Administrators"
where the responsibilities may be quite different.

This is just another design "decission" like the mandatory of the ms
media player "calling home" where the "call home" cannot be disabled
in the preferences.