User account permissions bugs?

[agent60182204]

I seem to have accounts with unusual statuses. I don't know if it
would be considered a bug that these situations could be reached, or
if they make sense at all. Read on...

Note: I have placed numbers in square brackets after each of my
questions or implied-questions. This will make it easier for you to
respond to particular questions without having to go to the trouble of
quoting sections. Thanks in advance.

=================
I have 2 administrator accounts (Admin1, Admin2) and 2 standard
accounts (User1, User2). The computer runs Vista Premium, and I
haven't installed SP1.

The first issue is being able to access the files of another account.
I understand that, technically. these permissions can be modified to
do whatever you want, but I thought that the defaults were that admins
could access all users' files, while standard users could only access
their own files. [1] My 2 admin accounts can't access files of
User2. If I click on folder C:\Users\User2 , it tells me, "You
don't currently have permission to access this folder. Click Continue
to get access to this folder.".

I know my admin accounts are admin accounts because it lets me elevate
without typing a password. (That's proof, right? [2]) In Admin1, I
decided to double-check my account type, so I opened Control Panel's
"User Accounts". I clicked "Change your account type", elevated
(without needing a password), and surprisingly I am listed as a
Standard User! (There is a radio button checked next to "Standard
User".)

How can that be? How can I be listed as a Standard User if I am an
admin? Is this a bug? [3] I never changed this status. Even if I
could, it should take away my elevation rights...

I might be able to fix this by selecting "Administrator" and changing
the account type, but I want to preserve the evidence until some
people answer.

On my second admin account, I don't have this situation. The account
is listed as an admin in the control panel. But I still can't access
the other accounts in Windows Explorer.

So I checked the user permissions on the folder C:\Users\User2 . It
lists the Administrators group (and User2 and SYSTEM) as having full
control, but does not list Admin2 directly. This should be fine, as
Admin2 should be a member of the Administrators group, right? [4] By
reading help, I found out that I can't manage group membership on
Vista Premium (except by choosing Standard or Administrator).

So this seems to be a second anomaly / bug. [5]

===============
On a related note, the admin accounts do have access to the other
standard account (User1). Here, I will explain why...

The third item I want to mention is not really a bug, but it is a
misleading message that has fairly serious consequences. As I
mentioned above, if I click on folder C:\Users\User2 , it tells me,
"You don't currently have permission to access this folder. Click
Continue to get access to this folder.". If I try this from a
Standard account, I get the same message, but need to elevate with a
password. Now, my impression was that if I "Continue" from the user
account, it will just run Windows Explorer as administrator, and will
thereby get permission -- JUST WHILE THE WINDOW IS OPEN.

But what actually seems to happen is that it changes the permissions
(permanently) on the folder to add the current user as having read
permission !! This is totally unexpected, and the consequence is that
the user will be able to read the other user's account from then on!

(Since, in the past, I have done this from both admin accounts to
access User1, this change was made, and now I have access. Admin1 and
Admin2 are listed as having read permission on User1's folder.)

Side point: It takes a relatively long time (60 seconds) to complete
this operation, so presumably it modifies the permissions of each
individual file and folder. Since permissions are inherited, I would
have thought that only the top-level folder needs to be changed, and
that permissions are calculated on the fly, but I guess not. Maybe
it's faster for each item to have its own permission list. Can anyone
confirm that this is correct? [6]

I guess I can undo this change by deleting the user from the
permissions list. Hopefully, I would only need to do this for the top-
level folder [7]. But I think this is most unintuitive behaviour.

So, I guess my questions are:

- Do you agree that this is unexpected behaviour? Shouldn't it warn
that this change is permanent? [8]

- Why doesn't it just elevate the Explorer session, to get temporary
access? [9]

(For those who are looking for footnotes to correspond to the
bracketed numbers, read the second paragraph. )

Thanks

 

[agent60182204]

To anticipate one question: You might ask why I would be concerned
if, when a user tries to access an admin's files, gets an elevation
prompt, enters the admin password and continues, the user then has
permanent access. If the user knows the admin password, then it's an
unimportant difference whether the elevation has to be done each time,
you might say.

Well, I was thinking more of a situation of an admin sitting down at
the user's computer (to help with some problem), then wanting to
access his own files, he elevates. When he leaves, the user has
permanent read-access to his files.

 

[Jimmy Brush]

Hello,

1. That's correct.

2. That's correct.

3. Sounds like a bug.

4. Yes, permissions for the 'Administrators' group applies to all members
of that group. However, programs that are not running with admin rights
(like Explorer) don't recognize your administrator group membership for
allow permissions (but they do for deny ones).

5. You might be able to edit group memberships from the legacy Windows XP
user accounts control panel:

- click start
- type: control userpasswords2
- press enter

pre-6. This "Click here to get access to this folder" prompt does not
start explorer with admin privileges (as one might reasonably expect).
Instead, it does what you have observed, gives your user account read access
using ntfs permissions (another unfortunate decision - assuming read access
is OK for all scenarios).

6. Conceptually, the permission was only set at the folder level.
However, due to the way security permissions are implemented, the change
must be propagated down to the children. If there were files inside that
folder that did not inherit permissions from the parent, then those files
security permissions would not be changed.

7. Correct.

8. I am confident this will be addressed in the next version of Windows.

9. Explorer doesn't play nice with elevation.


- JB

I seem to have accounts with unusual statuses. I don't know if it
would be considered a bug that these situations could be reached, or
if they make sense at all. Read on...

Note: I have placed numbers in square brackets after each of my
questions or implied-questions. This will make it easier for you to
respond to particular questions without having to go to the trouble of
quoting sections. Thanks in advance.

=================
I have 2 administrator accounts (Admin1, Admin2) and 2 standard
accounts (User1, User2). The computer runs Vista Premium, and I
haven't installed SP1.

The first issue is being able to access the files of another account.
I understand that, technically. these permissions can be modified to
do whatever you want, but I thought that the defaults were that admins
could access all users' files, while standard users could only access
their own files. [1] My 2 admin accounts can't access files of
User2. If I click on folder C:\Users\User2 , it tells me, "You
don't currently have permission to access this folder. Click Continue
to get access to this folder.".

I know my admin accounts are admin accounts because it lets me elevate
without typing a password. (That's proof, right? [2]) In Admin1, I
decided to double-check my account type, so I opened Control Panel's
"User Accounts". I clicked "Change your account type", elevated
(without needing a password), and surprisingly I am listed as a
Standard User! (There is a radio button checked next to "Standard
User".)

How can that be? How can I be listed as a Standard User if I am an
admin? Is this a bug? [3] I never changed this status. Even if I
could, it should take away my elevation rights...

I might be able to fix this by selecting "Administrator" and changing
the account type, but I want to preserve the evidence until some
people answer.

On my second admin account, I don't have this situation. The account
is listed as an admin in the control panel. But I still can't access
the other accounts in Windows Explorer.

So I checked the user permissions on the folder C:\Users\User2 . It
lists the Administrators group (and User2 and SYSTEM) as having full
control, but does not list Admin2 directly. This should be fine, as
Admin2 should be a member of the Administrators group, right? [4] By
reading help, I found out that I can't manage group membership on
Vista Premium (except by choosing Standard or Administrator).

So this seems to be a second anomaly / bug. [5]

===============
On a related note, the admin accounts do have access to the other
standard account (User1). Here, I will explain why...

The third item I want to mention is not really a bug, but it is a
misleading message that has fairly serious consequences. As I
mentioned above, if I click on folder C:\Users\User2 , it tells me,
"You don't currently have permission to access this folder. Click
Continue to get access to this folder.". If I try this from a
Standard account, I get the same message, but need to elevate with a
password. Now, my impression was that if I "Continue" from the user
account, it will just run Windows Explorer as administrator, and will
thereby get permission -- JUST WHILE THE WINDOW IS OPEN.

But what actually seems to happen is that it changes the permissions
(permanently) on the folder to add the current user as having read
permission !! This is totally unexpected, and the consequence is that
the user will be able to read the other user's account from then on!

(Since, in the past, I have done this from both admin accounts to
access User1, this change was made, and now I have access. Admin1 and
Admin2 are listed as having read permission on User1's folder.)

Side point: It takes a relatively long time (60 seconds) to complete
this operation, so presumably it modifies the permissions of each
individual file and folder. Since permissions are inherited, I would
have thought that only the top-level folder needs to be changed, and
that permissions are calculated on the fly, but I guess not. Maybe
it's faster for each item to have its own permission list. Can anyone
confirm that this is correct? [6]

I guess I can undo this change by deleting the user from the
permissions list. Hopefully, I would only need to do this for the top-
level folder [7]. But I think this is most unintuitive behaviour.

So, I guess my questions are:

- Do you agree that this is unexpected behaviour? Shouldn't it warn
that this change is permanent? [8]

- Why doesn't it just elevate the Explorer session, to get temporary
access? [9]

(For those who are looking for footnotes to correspond to the
bracketed numbers, read the second paragraph. )

Thanks

 

[Jimmy Brush]

I agree completely. I was very disappointed when explorer did not support an
'admin mode'.

- JB

 

[agent60182204]

Thanks for all the answers. I wonder if someone can explain WHY the
situation is the way it is. I'll quote answers #4 and #9 :

4. Yes, permissions for the 'Administrators' group applies to all
members of that group. However, programs that are not running with
admin rights (like Explorer) don't recognize your administrator group
membership for allow permissions (but they do for deny ones).

9. Explorer doesn't play nice with elevation.

Shouldn't any program be able to "run as" another user? Doesn't it
then get a security token or something? So why not Explorer?

The file system is constantly evaluating file permissions. It doesn't
need admin rights to do that. So why wouldn't Explorer recognize
group membership?

I am (somewhat) willing to accept that this is the way it is. I would
just be happier if I could understand why. For example, if it could
be explained that this is very difficult to implement properly, or
that it would be a security risk to allow Explorer to have such power,
it would bother me less.

 

[Jimmy Brush]

Everything is indeed running with a security token. In Vista, when you are
logged in as an administrator the token is "split" into two: one that mimics
a standard user token, and another with your full privileges. This is
interesting because both access tokens are for the same principal (your
admin account).

The standard-user token is set to ignore your membership in the
administrators group, except for deny permissions.

This is done to implement UAC: Programs that do not need admin privileges
should not have them, even if the user is an administrator.

Since explorer is running with the standard user token, it cannot use your
administrator group membership.

If explorer played nice with elevation, it would be a simple matter to just
run it as administrator to do what you need.

However, it does not. One reason is due to Explorer's architecture: By
default, it runs only a single executable, regardless of however many
explorer windows are open. I hope that there are good technical reasons that
caused Microsoft to not support the elevation of Explorer, because it is a
very sorely missed feature.

- JB