Permissions for Windows Server 2008 R2 Files

I'm having trouble understanding the behavior of certain files. Here are the steps to reproduce:

  • Log in to the server using the default administrator account

  • Create a text file (testfile.txt) in C:\ProgramData containing some arbitrary text

  • Create a new user account and make it a member of the Administrators group

  • Log in using your new account and open C:\ProgramData\testfile.txt

  • Edit the text and try to save

After clicking the Save button, I am shown a save dialog indicating that I do not have the necessary rights to edit the file. This seems strange given that the new user account is a member of the Administrators group.

When I look at the file permissions, I see that there are three groups in the list: System, Administrators, and Users. System and Administrators have full permissions; however, Users only have the Read & execute and Read boxes checked.

It seems that when I open the testfile.txt file from a new user account, it opens in the context of the Users group, despite the fact that it is a member of the Administrators group, is that correct? This certainly explains the behavior.

The reason this is a problem for me is because if I distribute the application through "Run as administrator", ordinary users will be able to edit the text files that I install in ProgramData.

Is this behavior limited to Windows Server, or is it the same in Vista and Win7?

+4
source share
3 answers

This is caused by UAC because admin groups are special, but the reason you can access a file without a UAC prompt is because you have an explicit ACL for the file system object that grants you access without using the built-in Administrators group.

You probably own the file, and an ACL for Creator Owner : Full Control will (by default) exist. As an owner, you should also see an explicit ACL for your account, for example, DOMAIN\Fly_Trap : Full Control

+1
source

I just tested on Windows 7 and I can write files to ProgramData without any problems. You can check if you have a UAC problem by launching an elevated Notepad (right-click on it in the Start menu and choose Run as administrator). If the elevated Notepad can write the file, then the application in which you plan to use "Run as administrator" will also be able to. If the elevated Notepad cannot write it, then elevating your application will not help.

0
source

I've tested it on Windows 2008 R2. It is the way it should be. It is called UAC. You have created a regular user and want to edit (even with the local Administrators group) a file owned by the administrator. You cannot do this, but you can provide administrative privileges and edit this file.

Read more http://en.wikipedia.org/wiki/User_Account_Control

0
source
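The token and ACL behaviour discussed in the question and answers above can be inspected directly. The following PowerShell is an added example, not code from the question or any of the answers: it compares the SIDs enabled in the current process token with the ACEs on the file. The default path is the one from the question; the column names and the WriteData test are choices made for this example.

```powershell
# Added example: which ACEs on a file match the SIDs enabled in this process token?
param([string]$Path = 'C:\ProgramData\testfile.txt')   # path taken from the question

$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($id)
$sidType   = [System.Security.Principal.SecurityIdentifier]

# False under a UAC-filtered token: BUILTIN\Administrators is still listed in the
# token, but only as a deny-only group, so it cannot satisfy an Allow ACE.
$elevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# SIDs that can match an Allow ACE: the user SID plus the enabled groups.
# This relies on WindowsIdentity.Groups leaving out deny-only groups.
$active = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

$write = [int][System.Security.AccessControl.FileSystemRights]::WriteData
$acl   = Get-Acl -Path $Path

# Explicit and inherited ACEs, with identities returned as SIDs for exact matching.
$rows = foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
    $sid = $ace.IdentityReference.Value
    try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid }   # SID that no longer resolves to an account name
    New-Object PSObject -Property @{
        Identity    = $name
        Type        = $ace.AccessControlType
        Rights      = $ace.FileSystemRights
        InToken     = ($active -contains $sid)
        CoversWrite = (([int]$ace.FileSystemRights -band $write) -ne 0)
    }
}

"Elevated token : $elevated"
"File owner     : $($acl.Owner)"
$rows | Format-Table Identity, Type, Rights, InToken, CoversWrite -AutoSize

# Only Allow ACEs are evaluated here. Deny ACEs, which deny-only SIDs still
# match, are listed in the table but not factored into the result.
$hits = @($rows | Where-Object { $_.Type -eq 'Allow' -and $_.InToken -and $_.CoversWrite })
"An Allow ACE matching this token grants WriteData: $($hits.Count -gt 0)"
```

Run it once from a normal prompt and once from a prompt started with "Run as administrator" while logged in as the new account, and compare the InToken value on the Administrators row.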

Source: https://habr.com/ru/post/1312865/

