I notice that when doing a runas to get explorer with elevated privileges,
operations such as file copies, new folder, folder/file renames, are not
immediately visible until refreshing.  Also, which should probably be
expected, if an explorer window is open as an elevated account, and another
is not, you cannot drag/drop or copy/cut/paste between.
 
 
Phillip Partipilo
Parametric Solutions Inc.
Jupiter, Florida
(561) 747-6107
 
 
 

  _____  

From: Miller Bonnie L. [mailto:mille...@mukilteo.wednet.edu] 
Sent: Wednesday, July 15, 2009 2:35 PM
To: NT System Admin Issues
Subject: RE: UAC--argh...



The only difference I can see is that I used windows explorer under my
domain admin user when creating the folder, instead of the elevated cmd
prompt you have in the first two lines.  I have WS08 x64, but my Vista is
x86.

 

I noticed there seems to be something with focus and refresh - can't pin it
down, but it's almost like I remove my permissions, but since I haven't
refreshed the window, it didn't prompt me for UAC where it should have.  For
example, if I click away and back after removing permissions, I get a UAC
prompt and if I continue it adds my user account with read access.  But, if
I don't, it just comes up and I get the access denied errors.

 

Does having UAC prompting disabled make it automatically click through as allowed?

 

 

From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Wednesday, July 15, 2009 10:46 AM
To: NT System Admin Issues
Subject: RE: UAC--argh...

 

Yes, Vista SP2 (32-bit) and IE8.  I was performing the operation on
secondary drive D:, not the OS drive.  Complete rundown as follows:

 

Elevated cmd prompt:\> D:

D:\> mkdir test

D:\> explorer .

Properties of D:\test, Security tab

Click Advanced, then Edit.

Uncheck "include inheritable..." and choose Copy.

The listed permission entries include Administrators, SYSTEM, Users, and
Authenticated users.

I removed Users and Authenticated users.

OK'd out of everything.  I'm back at my 'explorer .' window.  Get Properties
of D:\test again, Security tab.

Click Edit, then Add.

Typed a security group from the domain, check names, OK.

Click Apply and OK my way out.  No errors.

 

I'll mention for completeness, though I don't think it should make a
difference, I have UAC enabled with prompting disabled.  No WS08 servers
yet.

 

Carl

 

From: Miller Bonnie L. [mailto:mille...@mukilteo.wednet.edu] 
Sent: Wednesday, July 15, 2009 1:27 PM
To: NT System Admin Issues
Subject: RE: UAC--argh...

 

Carl - thanks for trying it.  Are your machines at SP2 and IE8 (like ours)?
I just can't figure out what might be so darn unique about our environment
that it might cause something like this.  I will probably try turning off AV
on one, but I can't think of what else might be interacting.

 

I guess I'm going to try this on my Vista Home computer tonight.

 

 

From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Wednesday, July 15, 2009 10:22 AM
To: NT System Admin Issues
Subject: RE: UAC--argh...

 

I should have said "type 'explorer .' at the command prompt".  That is what I
always do instinctively b/c I want it focused on the directory I've been
looking at from the (elevated) command prompt, usually.

 

I just ran your scenario on Vista and didn't have any problems.

 

Carl

 

From: Miller Bonnie L. [mailto:mille...@mukilteo.wednet.edu] 
Sent: Wednesday, July 15, 2009 1:09 PM
To: NT System Admin Issues
Subject: RE: UAC--argh...

 

Yes - if I run cmd as administrator and then run explorer.exe, I still have
trouble.  That's why I had the question about whether explorer really runs
as administrator or whether it is changing with the focus changes.

 

In fact, okay, this is interesting. 

I run cmd as administrator and just run explorer and navigate to e:\files - I
get the UAC prompt when opening the folder.  When trying to change
permissions, I edit and add someone with read, and get the "access denied".


If I run cmd as administrator and then run "explorer e:\files", to open that
folder.  Now, I can change perms with no errors, and can even navigate
around and still have administrator permissions.  What the heck?

 

Can anyone confirm if they see the same thing?  I get this on both WS08 and
Vista, but our machines are all in the same domain and likely have similar
policies.

 

-Create a folder while logged on as a domain admin.

-Remove inheritable permissions

-Remove all accounts except administrators and system full control, and ok
out of the security window.

-Edit security again and try to add a group or user.  When applying, this is
where I get access denied.



 

-B 

 

From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Wednesday, July 15, 2009 9:49 AM
To: NT System Admin Issues
Subject: RE: UAC--argh...

 

Or elevate a command prompt, then type "explorer" at the command line and
now you have an elevated Explorer.

 

Carl

 

From: Rob Bonfiglio [mailto:robbonfig...@gmail.com] 
Sent: Wednesday, July 15, 2009 12:46 PM
To: NT System Admin Issues
Subject: Re: UAC--argh...

 

Have you tried assigning permissions via an elevated command line or
powershell?

On Wed, Jul 15, 2009 at 12:41 PM, Miller Bonnie L.
<mille...@mukilteo.wednet.edu> wrote:

So, I've been trying REALLY hard to just get used to UAC with WS08, but now
that we have some actual file servers coming online, using windows explorer
to assign permissions is driving me absolutely batty.

 

Example: While logged on with a domain admin account on a WS08 SP2 member
server, I create a folder on the root of the hard drive (let's call it
E:\Files).  Then, we remove inherited permissions and strip the list down to
administrators and system full, and sometimes add domain admins with full,
since that is the group here who can work with user files.  Then, we assign
the permissions for domain groups who need access.  Folder can be shared out
with Everyone Full, but the sharing isn't really part of the problem.


What I've listed above, which is fine on WS03, never seems to be enough
permission for UAC, and I'll get "access denied" errors when trying to apply
permissions.  If I add my account explicitly (the domain admin I'm logged on
as), it then works.  But if there is a subfolder (let's say
E:\Files\Butterflies) that I'm not added onto, then applying higher level
permissions will make it stop and bark about permissions for that subfolder.
There can be a lot of subfolders, and it stops on each one.

 

Leaving the "everyone" permissions or creator owner on there when setting up
the folder seems to help sometimes, but then you end up with more
permissions than we want on something, and with creator owner there seem to
be added permissions.  Explorer.exe can't be run in "compatibility mode" so
I can't set it to run elevated, but I find that if I run it as administrator
I seem to still have problems - it's almost like each time you change the
focus in explorer it re-evaluates your credentials.

 

Do other people have this trouble, and if so, what are you doing to handle
this?  Here are some options I see:

1)     Assign explicit permissions for administrative accounts on all files
and folders - yikes!  Would this work with a domain group, as long as it's not
domain admins (or something else in administrators)?

2)     Log on with THE local administrator account when we need to work on
permissions.  (Yuk, getting prompted for domain credentials every time we
need to browse the domain to add a group.  Also bad having multiple admins
logging on the same account all the time).

3)     Suck it up and wait for R2, because they've made this "better"
somehow?

4)     When creating a folder, leave permissions at the "default".  Add
groups that need access, and restrict the share-level permissions to just
those groups (another yuk, especially since we are really getting away from
sharing out every folder).

5)     Something else?  I was reading up on UAC on technet
(http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx), but I'm
not sure if I could gain or lose anything by doing something like disabling
admin approval mode or changing the elevation prompt for administrators.
I'm concerned that this might really negate the security benefit of having
UAC in the first place on a server.

6)     Turn off UAC - honestly, I really don't want to do this unless there is
no other option.

 

-Bonnie
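
Rob's suggestion of assigning the permissions from an elevated command line, applied to the E:\Files procedure described in the thread, as an added example that is not part of any poster's message. The group name is a placeholder, and the script assumes icacls.exe and PowerShell are available on the server.

```powershell
# Added example, not from the thread. Run from a PowerShell prompt that was
# started with "Run as administrator".
$Path  = 'E:\Files'                    # folder named in the thread
$Group = 'EXAMPLE\FileShareReaders'    # hypothetical domain group (placeholder)

# 1. Confirm this process holds the full administrator token rather than the
#    UAC-filtered one before touching the ACL.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw "Not elevated: start PowerShell with 'Run as administrator' first."
}

# Helper: run icacls and stop on the first failure, so a denied change does
# not leave a half-built ACL unnoticed.
function Invoke-Icacls([string[]]$IcaclsArgs) {
    & icacls.exe $IcaclsArgs
    if ($LASTEXITCODE -ne 0) {
        throw "icacls failed (exit $LASTEXITCODE): $IcaclsArgs"
    }
}

if (-not (Test-Path $Path)) {
    New-Item -ItemType Directory -Path $Path | Out-Null
}

# 2. Add explicit Full Control entries for Administrators and SYSTEM first.
#    Well-known SIDs are used so the names do not depend on the OS language.
#    (OI)(CI) makes the entries inherit to files and subfolders.
Invoke-Icacls @($Path, '/grant:r',
                '*S-1-5-32-544:(OI)(CI)F',   # BUILTIN\Administrators
                '*S-1-5-18:(OI)(CI)F')       # NT AUTHORITY\SYSTEM

# 3. Only then drop the inherited entries (Users, Authenticated Users, ...),
#    so the folder never passes through a state with no administrative ACE.
Invoke-Icacls @($Path, '/inheritance:r')

# 4. Grant the domain group read and execute access.
Invoke-Icacls @($Path, '/grant', "${Group}:(OI)(CI)RX")

# 5. Print the resulting ACL for review.
Invoke-Icacls @($Path)
```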
THIS ELECTRONIC MESSAGE AND ANY ATTACHMENTS ARE CONFIDENTIAL AND PROPRIETARY
PROPERTY OF THE SENDER. THE INFORMATION IS INTENDED FOR USE BY THE ADDRESSEE
ONLY. ANY OTHER INTERCEPTION, COPYING, ACCESSING, OR DISCLOSURE OF THIS
MESSAGE IS PROHIBITED. IF YOU HAVE RECEIVED THIS MESSAGE IN ERROR, PLEASE
IMMEDIATELY NOTIFY THE SENDER AND DELETE THIS MAIL AND ALL ATTACHMENTS. DO
NOT FORWARD THIS MESSAGE WITHOUT PERMISSION OF THE SENDER. 


