Microsoft Windows Vista Community Forums - Vistaheads
Permissions set to Administrators group but members can't access f

microsoft.public.windows.vista.administration accounts passwords






  #1 (permalink)  
Old 10-31-2007
ventech
 

Posts: n/a
Permissions set to Administrators group but members can't access f
I am setting up Vista Enterprise and have files and folders that any member
of the Administrators group needs access to when they login and want to load
some as part of the logon script. The file/folder permissions are set to
Administrators but when members of that group login, only the user that
created the files has access unless they do a runas administrator. So the
files fail to load at logon.

If I create a group called something other than administrators and assign
that group to the files or folder, everything works as expected.

From my web searches on this problem, this appears to be a normal part of
UAC behavior, though I noticed in one posting there is a
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy
registry key that changes the token filtering behavior when accessing from
the network.

Does anyone know of any registry or group policy settings to change UAC
behavior to allow any user of the Administrators group to access files that
have their permissions set to Administrators? I really don't want to have to
create and maintain an extra group if it can be avoided.
  #2 (permalink)  
Old 11-03-2007
P. Di Stolfo
 

Posts: n/a
Re: Permissions set to Administrators group but members can't access f
Hello,

is there another user group set for permissions on that folder, such as
"Users"? If yes, it is possible that the Users permissions override the
Administrators', since they're users, too.

Greetings,
P. Di Stolfo
--
////////////////////////////
http://blog.lysorp.com - Small Windows blog in German language
///////////////////////////

"ventech" <ventech@discussions.microsoft.com> schrieb im Newsbeitrag
news:763EA274-7D03-487C-9284-C372F07A792D@microsoft.com...
>I am setting up Vista Enterprise and have files and folders that any member
> of the Administrators group needs access to when they login and want to
> load
> some as part of the logon script. The file/folder permissions are set to
> Administrators but when members of that group login, only the user that
> created the files has access unless they do a runas administrator. So the
> files fail to load at logon.
>
> If I create a group called something other than administrators and assign
> that group to the files or folder, everything works as expected.
>
> From my web searches on this problem, this appears to be a normal part of
> UAC behavior, though I noticed in one posting there is a
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy
> registry key that changes the token filtering behavior when accessing from
> the network.
>
> Does anyone know of any registry or group policy settings to change UAC
> behavior to allow any user of the Administrators group to access files
> that
> have their permissions set to Administrators? I really don't want to have
> to
> create and maintain an extra group if it can be avoided.


  #3 (permalink)  
Old 11-12-2007
Jimmy Brush
 

Posts: n/a
Re: Permissions set to Administrators group but members can't access f
In Vista, the Administrators group is only recognized for "allow"
permissions when the program doing the accessing is running elevated. Deny
permissions are always considered.

So, in order for an admin to have the access that is granted to them as
members of the administrators group, the program that is accessing the file
must be elevated.

The best solution is to have another group. Otherwise, you can cripple or
disable UAC.


--
- JB
Microsoft MVP Windows Shell/User

"ventech" <ventech@discussions.microsoft.com> wrote in message
news:763EA274-7D03-487C-9284-C372F07A792D@microsoft.com...
>I am setting up Vista Enterprise and have files and folders that any member
> of the Administrators group needs access to when they login and want to
> load
> some as part of the logon script. The file/folder permissions are set to
> Administrators but when members of that group login, only the user that
> created the files has access unless they do a runas administrator. So the
> files fail to load at logon.
>
> If I create a group called something other than administrators and assign
> that group to the files or folder, everything works as expected.
>
> From my web searches on this problem, this appears to be a normal part of
> UAC behavior, though I noticed in one posting there is a
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy
> registry key that changes the token filtering behavior when accessing from
> the network.
>
> Does anyone know of any registry or group policy settings to change UAC
> behavior to allow any user of the Administrators group to access files
> that
> have their permissions set to Administrators? I really don't want to have
> to
> create and maintain an extra group if it can be avoided.
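
The rule described in post #3 (allow entries for Administrators count only when elevated, deny entries always count), as a simplified Python model added here; it is not code from the thread or from Windows. The user SID, the dedicated group and its SID, and the two access bits are constructed for illustration; owner rights, privileges, integrity levels and inheritance are not modelled.

```python
from dataclasses import dataclass

ADMINS = "S-1-5-32-544"                 # BUILTIN\Administrators (well-known SID)
USERS = "S-1-5-32-545"                  # BUILTIN\Users (well-known SID)
ALICE = "S-1-5-21-1-2-3-1001"           # constructed user SID
SCRIPT_READERS = "S-1-5-21-1-2-3-1002"  # constructed SID, hypothetical dedicated group
READ, WRITE = 0x1, 0x2                  # simplified access bits, not real Windows masks

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int

def make_token(sids, elevated):
    """Map each SID to True (enabled) or False (deny-only).
    The filtered (non-elevated) token keeps Administrators but marks it deny-only."""
    return {sid: (elevated or sid != ADMINS) for sid in sids}

def access_check(token, dacl, desired):
    """Walk ACEs in order: deny ACEs match any SID in the token,
    allow ACEs match only SIDs that are enabled."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow" and token[ace.sid]:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False  # some requested bit was never granted

def scenario():
    sids = [ALICE, USERS, ADMINS, SCRIPT_READERS]
    filtered, full = make_token(sids, False), make_token(sids, True)
    admins_only = [Ace("allow", ADMINS, READ | WRITE)]   # ACL from post #1
    dedicated = [Ace("allow", SCRIPT_READERS, READ)]     # separate-group workaround
    deny_admins = [Ace("deny", ADMINS, WRITE), Ace("allow", USERS, READ | WRITE)]
    return {
        "admins_only/filtered": access_check(filtered, admins_only, READ),
        "admins_only/elevated": access_check(full, admins_only, READ),
        "dedicated/filtered": access_check(filtered, dedicated, READ),
        "deny_admins/filtered_write": access_check(filtered, deny_admins, WRITE),
        "deny_admins/filtered_read": access_check(filtered, deny_admins, READ),
    }

if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name:28} {'ALLOWED' if allowed else 'DENIED'}")
```
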


  #4 (permalink)  
Old 11-12-2007
ventech
 

Posts: n/a
Re: Permissions set to Administrators group but members can't acce
Thanks for the suggestion but in this case, only Administrators have
permissions on the folders so the rights of another group would not be the
problem.

"P. Di Stolfo" wrote:

> Hello,
>
> is there another user group set for permissions on that folder, such as
> "Users"? If yes, it is possible that the Users permissions override the
> Administrators', since they're users, too.
>
> Greetings,
> P. Di Stolfo
> --
> ////////////////////////////
> http://blog.lysorp.com - Small Windows blog in German language
> ///////////////////////////
>
> "ventech" <ventech@discussions.microsoft.com> schrieb im Newsbeitrag
> news:763EA274-7D03-487C-9284-C372F07A792D@microsoft.com...
> >I am setting up Vista Enterprise and have files and folders that any member
> > of the Administrators group needs access to when they login and want to
> > load
> > some as part of the logon script. The file/folder permissions are set to
> > Administrators but when members of that group login, only the user that
> > created the files has access unless they do a runas administrator. So the
> > files fail to load at logon.
> >
> > If I create a group called something other than administrators and assign
> > that group to the files or folder, everything works as expected.
> >
> > From my web searches on this problem, this appears to be a normal part of
> > UAC behavior, though I noticed in one posting there is a
> > HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy
> > registry key that changes the token filtering behavior when accessing from
> > the network.
> >
> > Does anyone know of any registry or group policy settings to change UAC
> > behavior to allow any user of the Administrators group to access files
> > that
> > have their permissions set to Administrators? I really don't want to have
> > to
> > create and maintain an extra group if it can be avoided.

>
>

  #5 (permalink)  
Old 11-12-2007
ventech
 

Posts: n/a
Re: Permissions set to Administrators group but members can't acce
I suspected this might be the case, but had hoped there might be a more
elegant solution than my workaround. Perhaps Microsoft will add something
in the future. Thanks for the feedback.

ventech

"Jimmy Brush" wrote:

> In Vista, the Administrators group is only recognized for "allow"
> permissions when the program doing the accessing is running elevated. Deny
> permissions are always considered.
>
> So, in order for an admin to have the access that is granted to them as
> members of the administrators group, the program that is accessing the file
> must be elevated.
>
> The best solution is to have another group. Otherwise, you can cripple or
> disable UAC.
>
>
> --
> - JB
> Microsoft MVP Windows Shell/User
>
> "ventech" <ventech@discussions.microsoft.com> wrote in message
> news:763EA274-7D03-487C-9284-C372F07A792D@microsoft.com...
> >I am setting up Vista Enterprise and have files and folders that any member
> > of the Administrators group needs access to when they login and want to
> > load
> > some as part of the logon script. The file/folder permissions are set to
> > Administrators but when members of that group login, only the user that
> > created the files has access unless they do a runas administrator. So the
> > files fail to load at logon.
> >
> > If I create a group called something other than administrators and assign
> > that group to the files or folder, everything works as expected.
> >
> > From my web searches on this problem, this appears to be a normal part of
> > UAC behavior, though I noticed in one posting there is a
> > HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy
> > registry key that changes the token filtering behavior when accessing from
> > the network.
> >
> > Does anyone know of any registry or group policy settings to change UAC
> > behavior to allow any user of the Administrators group to access files
> > that
> > have their permissions set to Administrators? I really don't want to have
> > to
> > create and maintain an extra group if it can be avoided.

>
