I don't deny that. However, clear feedback from the OS assists the
administrator. And the user.

 

The elevation/access hierarchy (aka UIPI) is almost completely internal,
with only mechanisms like icacls for inspecting the relationship between
credential and object/action, unlike the object permission mechanism
with clearly defined and exposed ACLs. You almost have to have 3rd
party tools like AccessChk from SysInternals to see what's going on with
permissions.

 

With both mechanisms generically reporting access/permissions errors, I
don't think it's too much to ask for clear error feedback. 

 

Ya know... even for us lazy admins who want to manage things Win3.1 style.

 

-sc

 

From: Jon Harris [mailto:jk.har...@gmail.com] 
Sent: Wednesday, July 15, 2009 1:07 PM
To: NT System Admin Issues
Subject: Re: UAC--argh...

 

We, as administrators, need to get more in tune with the OS again.  This
is not like the days of NT 4 and Win 98.  I blew hours last week because
I forgot something as simple as what Carl just said.

 

Jon

On Wed, Jul 15, 2009 at 12:59 PM, Steven M. Caesare
<scaes...@caesare.com> wrote:

MS really needs to more clearly separate object permissions errors from
errors generated as a result of lack of elevation, IMO.

 

-sc

 

From: Carl Houseman [mailto:c.house...@gmail.com]
Sent: Wednesday, July 15, 2009 12:49 PM
To: NT System Admin Issues
Subject: RE: UAC--argh...

 

Or elevate a command prompt, then type "explorer" at the command line
and now you have an elevated Explorer.

 

Carl

 

From: Rob Bonfiglio [mailto:robbonfig...@gmail.com] 
Sent: Wednesday, July 15, 2009 12:46 PM
To: NT System Admin Issues
Subject: Re: UAC--argh...

 

Have you tried assigning permissions via an elevated command line or
PowerShell?

On Wed, Jul 15, 2009 at 12:41 PM, Miller Bonnie L.
<mille...@mukilteo.wednet.edu> wrote:

So, I've been trying REALLY hard to just get used to UAC with WS08, but
now that we have some actual file servers coming online, using Windows
Explorer to assign permissions is driving me absolutely batty.

 

Example: While logged on with a domain admin account on a WS08 SP2
member server, I create a folder on the root of the hard drive (let's
call it E:\Files).  Then, we remove inherited permissions and strip the
list down to administrators and system full, and sometimes add domain
admins with full, since that is the group here who can work with user
files.  Then, we assign the permissions for domain groups who need
access.  Folder can be shared out with Everyone Full, but the sharing
isn't really part of the problem.


What I've listed above, which is fine on WS03, never seems to be enough
permission for UAC, and I'll get "access denied" errors when trying to
apply permissions.  If I add my account explicitly (the domain admin I'm
logged on as), it then works.  But if there is a subfolder (let's say
E:\Files\Butterflies) that I'm not added onto, then applying higher
level permissions will make it stop and bark about permissions for that
subfolder.  There can be a lot of subfolders, and it stops on each one.

 

Leaving the "everyone" permissions or creator owner on there when
setting up the folder seems to help sometimes, but then you end up with
more permissions than we want on something, and with creator owner there
seem to be added permissions.  Explorer.exe can't be run in
"compatibility mode" so I can't set it to run elevated, but I find that
if I run it as administrator I seem to still have problems - it's almost
like each time you change the focus in Explorer it re-evaluates your
credentials.

 

Do other people have this trouble, and if so, what are you doing to
handle this?  Here are some options I see:

1)     Assign explicit permissions for administrative accounts on all
files and folders - yikes!  Would this work with a domain group, as long
as it's not domain admins (or something else in administrators)?

2)     Log on with THE local administrator account when we need to work
on permissions.  (Yuk, getting prompted for domain credentials every
time we need to browse the domain to add a group.  Also bad having
multiple admins logging on the same account all the time).

3)     Suck it up and wait for R2, because they've made this "better"
somehow?

4)     When creating a folder, leave permissions at the "default".  Add
groups that need access, and restrict the share-level permissions to
just those groups (another yuk, especially since we are really getting
away from sharing out every folder).

5)     Something else?  I was reading up on UAC on TechNet
(http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx), but
I'm not sure if I could gain or lose anything by doing something like
disabling admin approval mode or changing the elevation prompt for
administrators.  I'm concerned that this might really negate the
security benefit of having UAC in the first place on a server.

6)     Turn off UAC - honestly, I really don't want to do this unless
there is no other option.

 

-Bonnie
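
The following PowerShell script is an added example, not part of the thread or written by any of its participants. It separates the two failure causes discussed above (a non-elevated token in which Administrators is deny-only, versus an ACL that simply does not grant access) and then applies the folder permissions from an elevated session with icacls. The group `EXAMPLE\FileUsers` is a hypothetical placeholder, and the deny-only check assumes English `whoami` output.

```powershell
# Added example. Run on the file server itself.
$Path        = 'E:\Files'            # folder named in the original post
$AccessGroup = 'EXAMPLE\FileUsers'   # hypothetical domain group (placeholder)

function Test-Elevated {
    # True only when this process holds the full (elevated) administrator token.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-AdminDenyOnly {
    # In UAC's filtered token, BUILTIN\Administrators (S-1-5-32-544) is still
    # listed but flagged "deny only", so an ACE that grants Administrators
    # access is ignored. Matches English whoami output (assumption).
    $line = whoami /groups | Select-String -SimpleMatch 'S-1-5-32-544'
    return [bool]($line -and ("$line" -match 'deny only'))
}

if (Test-Elevated) {
    # Replace inherited ACEs with Administrators/SYSTEM full control plus
    # Modify for the access group. The ACEs are inheritable, so subfolders
    # that inherit pick them up without a recursive rewrite.
    # Requires an icacls build that supports the /inheritance switch.
    icacls $Path /inheritance:r /grant:r `
        'BUILTIN\Administrators:(OI)(CI)F' `
        'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
        "${AccessGroup}:(OI)(CI)M"
    if ($LASTEXITCODE -ne 0) {
        Write-Error "icacls failed with exit code $LASTEXITCODE"
    }
    icacls $Path    # show the resulting ACL
}
elseif (Test-AdminDenyOnly) {
    # Cause 1: lack of elevation, not the folder's ACL.
    Write-Warning 'Not elevated: Administrators is deny-only in this token. Rerun from an elevated prompt.'
}
else {
    # Cause 2: the account is not in Administrators at all, so access
    # depends entirely on what the folder's ACL grants it.
    Write-Warning 'Account is not in BUILTIN\Administrators; check the ACL on the folder.'
}
```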
