Server 2008 - UAC - Windows Explorer - Cannot Run with Elevated Privileges
We have been struggling with unexpected “access denied” error messages in Windows Explorer on Windows Server 2008. We have an understanding at this point of what is going on, and wanted to provide feedback, since the issue is otherwise not extensively documented.
Our confusion arose from the unexpected behavior of Windows Explorer in connection with User Account Control (UAC). Apparently the Windows Explorer process is started automatically when the user first logs on. By default in Windows Server 2008, for the built-in Administrator account, Windows Explorer runs with elevated privileges. For other members of the local Administrators group, including domain admins other than the built-in Administrator account, Windows Explorer runs without elevated privileges.
On some of our servers, we have data volumes with root permissions set to Full Control for Administrators and SYSTEM, with no access for normal users. Logged on with a domain admin account that is not the built-in Administrator, we were getting “access denied” on these drives, despite attempting to open Windows Explorer with “Run as administrator.” Apparently it is not possible using the Windows GUI to run Windows Explorer with elevated privileges when you do not have them at the outset.
The confusion arises because the Windows GUI allows you to right-click on the Windows Explorer icon and select “Run as administrator.” As you would expect, you get the UAC secure desktop prompt to continue. When you click Continue, a new Windows Explorer window opens, but despite this, Windows Explorer doesn’t have elevated privileges. Apparently this is because the Windows Explorer process is already running in the background, having been launched during the logon process without elevated privileges. “Run as administrator” in this case doesn’t create a new Windows Explorer process -- it just causes the existing one to open a new window.
This is a problem I would call to the attention of the Windows developers. It is contrary to human interface design practices for applications to behave in opaque, “magical” ways such as I have described. Either the user interface should disallow “Run as administrator” for Windows Explorer, or better yet it should cause Windows Explorer to run with elevated privileges when it appears to be doing so.
I haven’t found much in the way of documentation on this. There is a workaround suggested by tpaling on January 16, 2009 in the forum post “How install .NET assembly GAC on Windows Server 2008” at http://social.msdn.microsoft.com/forums/en-us/netfxsetup/thread/1c3ab849-84a0-4eb7-8c3b-b01fbca825a3/. You can open a command prompt with elevated privileges and execute the command “explorer <path>”. Here a new Windows Explorer process is created, running with elevated privileges and displaying <path>. In this window you can right-click on a folder icon and choose Open, and that folder is in turn displayed in a Windows Explorer window with elevated privileges. One caveat that tpaling doesn’t mention is that once you open a Windows Explorer window without elevated privileges, using either the GUI or a non-elevated command prompt, this workaround will no longer work until you log off and on again. It should go without saying that this situation is a real mess.
Obviously another workaround is to use the built-in Administrator account whenever Windows Explorer is needed. On the other hand, this defeats the security benefits of UAC.
I hope this information is helpful to other users who have run into this problem, and that the Windows developers will address it.
If others have additional insights or workarounds, I would be grateful to hear of them.
Before we go further, I would like to explain what happens when an administrator logs on.
When an administrator logs on, the user is granted two access tokens: a full administrator access token and a "filtered" standard user access token. By default, when a member of the local Administrators group logs on, the administrative Windows privileges are disabled and elevated user rights are removed, resulting in the standard user access token. The standard user access token is used to launch the desktop (Explorer.exe). Explorer.exe is the parent process from which other user-initiated processes inherit their access token. As a result, applications run as a standard user by default unless a user provides consent or credentials to approve an application to use a full administrative access token. Contrasting with this process, when a standard user logs on, a standard user access token is created. This standard user access token is used to launch the desktop.
A user that is a member of the Administrators group can log in, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows Vista automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured in the Security Policy Editor (secpol.msc) snap-in and with Group Policy. For information about how to adjust UAC Group Policy settings, see the "Configuring UAC Settings" section within this document.
The behavior of the built-in Administrator is controlled by GPO.
User Account Control: Admin Approval Mode for the Built-in Administrator account
This setting determines whether UAC is applied to the default built-in Administrator account.
For more UAC policies, please refer to "Configuring UAC Settings" in the following article.
Understanding and Configuring User Account Control in Windows Vista
http://technet.microsoft.com/en-us/library/cc709628.aspx
Please check the GPO settings accordingly.
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
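The split-token behavior described in the reply above can be checked from PowerShell in any session, for example in the elevated command prompt used for the “explorer <path>” workaround. This is an added example, not part of the thread; the registry value names `EnableLUA` and `FilterAdministratorToken` are not given in the thread and are the values behind the UAC policies "Run all administrators in Admin Approval Mode" and "Admin Approval Mode for the Built-in Administrator account".

```powershell
# Added example (not from the thread): report whether this session runs with the
# full administrator token or the filtered one, and show the related UAC policy values.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

# True only when BUILTIN\Administrators is enabled in this process's token,
# i.e. the full administrator token is in use. With the filtered token the
# group is marked deny-only and IsInRole returns False.
$elevated = $principal.IsInRole($adminRole)

# The built-in Administrator account (local or domain) has the well-known RID 500.
$isRid500 = $identity.User.Value -match '^S-1-5-21-(\d+-){3}500$'

# UAC policy values are stored under this key; a value that was never
# written is reported as "(not set)" instead of raising an error.
$key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $key

function Get-PolicyValue([string]$Name) {
    $p = $policy.PSObject.Properties[$Name]
    if ($p) { $p.Value } else { '(not set)' }
}

"Account                  : $($identity.Name)"
"Built-in (RID 500)       : $isRid500"
"Token elevated           : $elevated"
"EnableLUA                : $(Get-PolicyValue 'EnableLUA')"
"FilterAdministratorToken : $(Get-PolicyValue 'FilterAdministratorToken')"

if (-not $elevated) {
    'This session holds the filtered token; processes started from it inherit that token.'
}
```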