Best practice: traversal of all folders.

Old 11-25-2006   #1 (permalink)
Manuel Lopez

I want to have full control access to all files and folders, using my
administrator account (or rather the "admin-lite" account Vista seems to set
up by default). However, using that admin-lite account, I don't get an
elevation prompt when trying to navigate through the Documents and Settings
folder (for example). I just get "Access is denied."

I'm not familiar with how UAC is working. Is this default account, which
Vista calls an administrator account, really an administrator account? (It
doesn't look that way, since Documents and Settings gives full control to
the administrators group, but I am unable to traverse it.) Do I solve it by
having the admin-lite account take ownership, or explicitly give it full
control, apart from the administrators group? Or is that not recommended?
(If there's a good website explaining this, please post the URL.) Thanks.






Old 11-25-2006   #2 (permalink)
Kurt Harriger


The admin-lite account, or pseudo-admin as I like to call it, is not a member
of the administrators group until an explicit elevation has been performed.
A pseudo-admin receives two user security tokens, a standard token and an
administrator token. The standard token is always used unless administrator
privileges have been requested; when requested, Vista displays the
confirmation dialog and only then allows use of the administrative token.
Windows Explorer, however, cannot be run as administrator and never requests
admin permissions for file management activities and therefore never
receives an administrator token; as a result, Windows Explorer is never a
member of the administrators group. You can use other applications such as
the cmd shell by right-clicking and running as administrator, but if you want
to use Windows Explorer you must add your user account to the ACL, which
effectively grants your standard user token permission to access the files
without administrative privileges.

HTH

- Kurt

Old 11-25-2006   #3 (permalink)
Jeff

The documents and settings "folder" is not like it seems. It's not a folder.
It's not at all like XP; in fact, any "folder" that you see with an arrow
like a shortcut is actually a junction.
Not a folder at all, but a way to migrate stuff from XP to the actual
folders that Vista uses.
Anything like My Documents, My Pics, My whatever isn't a folder at all. Looks
like one, but it's not.
And you will get access denied, admin or not, because they aren't folders.
They are junctions.
Ya might want to post this in Vista file management; Jimmy B in
particular is thoroughly versed in these junctions.
He's great with Vista file and permissions.

Jeff

Old 11-25-2006   #4 (permalink)
David J. Craig

> Windows Explorer however cannot be run as administrator and never requests
> admin permissions for file management activities and therefore never
> receives an administrator token, as a result windows explorer is never a
> member of the administrators group.


This statement is incorrect. You can put a shortcut in the Quick Launch
Tray to Windows Explorer and then change it to run as administrator. I
would only use this shortcut when you know you are doing admin tasks and not
routine user operations. I like the following options on the Windows
Explorer command line: /e,/n,c:\, assuming that C:\ is the location of your
OS install. I also have a cmd.exe shortcut in the Quick Launch Tray that is
also admin with the following option: "-k cd \" as this one will put you in
the root directory and not system32.

UAC is not that hard. As software is updated to work with Vista, more and
more will properly segregate their tasks that require admin access to
properly manifested programs that will automatically ask for those
permissions. You will still get the UAC prompt, but you will know that
something you did requires admin access. If that is a surprise to you, you
should not grant it permission. This type of security is very old. It
dates from the Unix world of 25 years ago. Linux does this all the time.
It has taken 25 years for Microsoft to implement something with security.

Old 11-26-2006   #5 (permalink)
Jimmy Brush

Hello,

As Jeff pointed out, the reason access is denied to Documents and Settings
is because it is a junction - basically a pointer to the Users folder, which
replaces Documents and Settings in Vista. There are very good reasons why
this security restriction was put in place, and unfortunately Explorer
doesn't help you out very much in this regard.

You should not change the security on these junctions. You will need to
learn and use the new Windows Vista locations instead.

As Kurt pointed out, admin accounts are basically split right down the
middle. All applications run as if they were a standard user - they can only
use admin powers when they request the power from you via a UAC prompt.

Here's how file operations work in Explorer using this "admin-lite" mode.

You can do anything that your username explicitly has permission to do. If
you try to do something that you cannot explicitly do, there are a few
things that may happen:

1) You are browsing into a folder that you don't have access to

Windows will ask you if you want to "elevate" to full admin power and then
give yourself explicit permission to access the folder. This changes
security on the folder/files within that folder to allow you read access. If
not even the "full admin" power is enough to change the security on the
folder, you will not be able to access it. This could be the case if the
administrators group does not have permission to change the folder. In this
case, you would have to take ownership of the folder and possibly child
folders/files first and then try to access the folder.

2) You are doing a folder/file operation that the administrators group has
permission to do, but you do not

Windows Explorer will tell you that the operation is restricted and that you
need admin privileges to complete the operation. You will then go thru a UAC
dialog and use your "full admin" power to complete the operation. The "full
admin" power is only good on that one specific operation, and does not apply
to any further operations.

3) You are doing a folder/file operation that the administrators group DOES
NOT have permission to do

You will receive an access denied error - neither you explicitly nor the
administrators group have permission. You will need to change the
permissions on the file/folder manually to give either yourself or the
administrators group permission. You may need to take ownership of the
file/folder in order to do this.


--
- JB

Windows Vista Support Faq
http://www.jimmah.com/vista/
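
Added example, not part of any post in this thread and not Windows code: a simplified Python model of the split-token behaviour Kurt describes and the three Explorer outcomes Jimmy lists. The rights bits, the names standing in for SIDs, and the three DACLs are constructed; the deny ACE on the junction is an assumption the thread does not state.

```python
from dataclasses import dataclass

# Constructed rights bits for this model (not the real Windows access-mask values).
LIST, WRITE, WRITE_DAC = 0x1, 0x2, 0x4
FULL = LIST | WRITE | WRITE_DAC

@dataclass(frozen=True)
class Ace:
    allow: bool   # True = allow ACE, False = deny ACE
    sid: str      # account or group name standing in for a SID
    mask: int

@dataclass(frozen=True)
class Token:
    enabled: frozenset                  # SIDs that match allow and deny ACEs
    deny_only: frozenset = frozenset()  # SIDs that match deny ACEs only

def split_tokens(user):
    """Return (filtered, full) tokens for a member of Administrators under UAC."""
    full = Token(frozenset({user, "Users", "Everyone", "Administrators"}))
    filtered = Token(frozenset({user, "Users", "Everyone"}),
                     deny_only=frozenset({"Administrators"}))
    return filtered, full

def access_check(token, dacl, desired):
    """Walk the DACL in order; a matching deny ACE on a still-needed bit fails."""
    remaining = desired
    for ace in dacl:
        if ace.allow and ace.sid in token.enabled:
            remaining &= ~ace.mask
        elif not ace.allow and ace.mask & remaining and (
                ace.sid in token.enabled or ace.sid in token.deny_only):
            return False
        if remaining == 0:
            return True
    return remaining == 0

def operate(user, dacl, desired):
    """Cases 2 and 3 from the post: a file operation attempted from Explorer."""
    filtered, full = split_tokens(user)
    if access_check(filtered, dacl, desired):
        return "allowed"
    if access_check(full, dacl, desired):
        return "allowed for this one operation after UAC prompt"
    return "access denied"

def browse(user, dacl):
    """Case 1 from the post: opening a folder. Returns (outcome, DACL afterwards)."""
    filtered, full = split_tokens(user)
    if access_check(filtered, dacl, LIST):
        return "allowed", dacl
    if access_check(full, dacl, WRITE_DAC):
        # The elevated step adds an explicit allow ACE for the user;
        # deny ACEs stay ahead of allow ACEs.
        new = ([a for a in dacl if not a.allow] + [Ace(True, user, LIST)]
               + [a for a in dacl if a.allow])
        if access_check(filtered, new, LIST):
            return "allowed after UAC prompt", new
    return "access denied", dacl

# Constructed DACLs. JUNCTION assumes a deny ACE for Everyone on listing,
# which is an assumption and is not stated in the thread.
ADMIN_ONLY = [Ace(True, "Administrators", FULL)]
SYSTEM_ONLY = [Ace(True, "SYSTEM", FULL)]
JUNCTION = [Ace(False, "Everyone", LIST), Ace(True, "Administrators", FULL)]

if __name__ == "__main__":
    for name, dacl in [("ADMIN_ONLY", ADMIN_ONLY), ("SYSTEM_ONLY", SYSTEM_ONLY),
                       ("JUNCTION", JUNCTION)]:
        print(name, "| browse:", browse("manuel", dacl)[0],
              "| write:", operate("manuel", dacl, WRITE))
```

In this model the filtered token fails against a folder that grants only Administrators, which matches the original question, while a deny ACE that applies to every token produces "access denied" with or without elevation.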

Old 11-26-2006   #6 (permalink)
Kurt Harriger

I had actually tried to run Windows Explorer as administrator by
right-clicking on Windows Explorer in start->accessories. Vista prompts for
admin credentials and opens a new window, but when I tried to access the
folder I previously created with all ACLs except administrators removed, I
received another prompt. The edit security button no longer had a shield icon
and allowed me to make some ACL changes, but when I attempted to save these
changes I received an access denied error. I also tried running it from an
administrative cmd prompt with the options you specified but am getting the
same results as before.

- Kurt

Old 11-26-2006   #7 (permalink)
Jeff

Yo Yo Jimmy,
Thx for the props!!!
SSShhhhh- I'm a troll, remember?
LOL
Hi-btw
:-)

Jeff

Old 11-26-2006   #8 (permalink)
Jimmy Brush

<snip>
> Thx for the props!!!


*thumbs up*

> SSShhhhh- I'm a troll, remember?


Nonsense!

> LOL
> Hi-btw


Howdy


--
- JB

Windows Vista Support Faq
http://www.jimmah.com/vista/
Old 11-27-2006   #9 (permalink)
Manuel Lopez


Thank you for the explanation. However, I don't see why if access is
allowed to the target of a junction, access isn't allowed to the junction (I
can traverse "c:\users," so why can't I traverse "c:\documents and
settings," which is a junction to c:\users?).

On a related point, in trying to move the Documents folder ("Personal" in
regedit) using the properties option to move it, I noticed that Vista failed
to update the junction to point to the new location. In correcting that, I
ended up creating a link rather than a junction, but then corrected it back
to a junction. However, I don't have the attributes right, I added H and
S, but Vista seems to use "N" on the junctions under the user's folder--what
is the "N" attribute and how do I add it to the junction's attributes?

Old 11-27-2006   #10 (permalink)
Manuel Lopez

OK, I realized that Vista probably has the "documents and settings" junction
for backward compatibility for programs hard-coded to look there, and the
security restriction isn't for security purposes, but to prevent users from
deleting or renaming it.

