

timmmay

20587 posts

Uber Geek

Trusted
Lifetime subscriber

#165509 11-Feb-2015 21:29

I have my d:\temp directory owned by PC\timmmay, with the administrators group having full control over that directory. The users timmmay and admin are both members of the administrators group. I can't create folders in the d:\temp directory and I can't delete files.

When I add timmmay and admin as explicit permissions I can do whatever I like to the directory.

Can anyone explain why this is? There's obviously something I don't know about windows permissions that's tripping me up.

I have to say I'm about ready to smash the whole thing up with a baseball bat - I've spent days on and off trying to get ownership and permissions in shape across my 5 disks, plus general W10 frustrations. Moving data disks between PCs is always a bit of a PITA but this transition takes the cake, almost certainly because I don't have much theoretical background in this area and in the past I've just left most things pretty open. ReFS and Storage Spaces is working fine but the rest is bl***y annoying.

Gozer
184 posts

Master Geek


  #1236100 11-Feb-2015 22:18

I know it's obvious but a lot of people get caught by it... have you restarted since changing the permissions?



Gozer
184 posts

Master Geek


  #1236107 11-Feb-2015 22:24

Also just to check, you know there are NTFS (security) permissions and share permissions, and that you must set security permissions if it is a local user.

timmmay

20587 posts

Uber Geek

Trusted
Lifetime subscriber

  #1236210 12-Feb-2015 07:05

No I don't restart after changing permissions, it's never been necessary and Windows isn't shy about saying "you should restart". When I add the "timmmay" user with full user rights it takes permission immediately.

This is for a local user, so I'm adjusting security not share permissions.



Gozer
184 posts

Master Geek


  #1236278 12-Feb-2015 09:17

Group membership is stored in a security token, which is created at logon. So when you add a user account to a group this change is only applied when the user logs on again. (Logging off is required when the user is logged on to a certain computer while you make the change and wants to be able to access the resources on the same computer.)

When you add a user account by name to a share or folder the colleague with the user account doesn't need to log on / log off to gain access.

Regs
4066 posts

Uber Geek

Trusted
Snowflake

  #1236301 12-Feb-2015 09:39

Some directories in Windows have extra protection. c:\windows\* and c:\temp (or d:\temp) too. This is part of the malware protection. You can disable for directories, or all, but it's not recommended. Best to create a new folder and share that with correct permissions.




nathan
5695 posts

Uber Geek
Inactive user


  #1236305 12-Feb-2015 09:43

You don't need to restart for NTFS permission changes.

nathan
5695 posts

Uber Geek
Inactive user


  #1236307 12-Feb-2015 09:45

Can you paste in a screenshot of the permissions UI

 
 
 

timmmay

20587 posts

Uber Geek

Trusted
Lifetime subscriber

  #1236311 12-Feb-2015 09:50

Gozer: Group membership is stored in a security token, which is created at logon. So when you add a user account to a group this change is only applied when the user logs on again. (Logging off is required when the user is logged on to a certain computer while you make the change and wants to be able to access the resources on the same computer.)

When you add a user account by name to a share or folder the colleague with the user account doesn't need to log on / log off to gain access.


Interesting. Users were assigned to groups about 10 restarts ago, it's only the file permissions I'm changing now.

Regs: Some directories in Windows have extra protection. c:\windows\* and c:\temp (or d:\temp) too. This is part of the malware protection. You can disable for directories, or all, but it's not recommended. Best to create a new folder and share that with correct permissions.


Why would d:\temp be protected? Is that relevant for this discussion?

nathan: Can you paste in a screenshot of the permissions UI


I could late this evening when I'm home. Should've done it already but I was annoyed at the machine (or at myself, indirectly) so I turned it off and went to bed.

Regs
4066 posts

Uber Geek

Trusted
Snowflake

  #1236337 12-Feb-2015 10:12

I think I see the problem now. Because you added 'full permissions' to the built-in administrators group, you're getting the UAC prompts when navigating folders in "user" mode (as opposed to elevated, or "run-as-administrator" mode).

Couple of solutions:
- disable UAC (not recommended)
- create a new group - "User Admins" for example - add timmmay and admin to this group and then grant full permissions to this new group while removing the builtin\admin group's permissions on the directory.




timmmay

20587 posts

Uber Geek

Trusted
Lifetime subscriber

  #1236348 12-Feb-2015 10:23

That's the conclusion that I came to late last night as well Regs - admins have rights but it has to pop up a dialog box for every action, and that wasn't happening. Your suggestion of a new group for admins is a great workaround.

NTFS permissions aren't as simple as I thought. It's really difficult to even say "take ownership of every file on the disk, and reset permissions to default". A combination of takeown and icacls /reset can do it but the documentation assumes more knowledge of NTFS permissions than I have. It looks like I need to explicitly remove all permissions I don't want, but I have so many random permissions on different parts of each disk that's virtually impossible. I think I'm close enough, but man it's been frustrating.
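
The diagnosis and workaround discussed in this thread (the separate-group suggestion from Regs and the icacls /reset mentioned in the post above), as an added PowerShell example that is not part of any poster's message. The path D:\temp, the accounts timmmay and admin and the group name "User Admins" come from the thread; the local-group cmdlets assume Windows 10 with PowerShell 5.1 or later.

```powershell
# Added example, not from the thread. Adjust $Path, $Group and $Members
# (values taken from the discussion) for your own machine.
$Path    = 'D:\temp'
$Group   = 'User Admins'
$Members = 'timmmay', 'admin'

# 1. Is this process running with the filtered (non-elevated) UAC token?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
"Elevated token: $elevated"

# In a non-elevated session BUILTIN\Administrators (S-1-5-32-544) is listed
# as "Group used for deny only", so an Allow entry for that group grants
# nothing until the process is elevated.
whoami /groups | Select-String 'S-1-5-32-544'

# 2. Record the current ACL so before and after can be compared.
icacls $Path

# The remaining steps change local groups and ACLs, so they need elevation.
if (-not $elevated) {
    Write-Warning 'Re-run from an elevated PowerShell to apply steps 3 to 5.'
    return
}

# 3. Create an ordinary local group. Unlike Administrators, it is not
#    filtered out of the standard token by UAC.
if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $Group -Description 'Full control on data folders'
}
foreach ($user in $Members) {
    # Already-a-member errors are ignored so the script can be re-run.
    Add-LocalGroupMember -Group $Group -Member $user -ErrorAction SilentlyContinue
}

# 4. Grant Full control (F), inherited by files (OI) and subfolders (CI).
icacls $Path /grant "${Group}:(OI)(CI)F"

# 5. Optional: replace explicit permissions on everything below $Path with
#    inherited ones. /T recurses, /C continues past errors.
icacls "$Path\*" /reset /T /C

# 6. Verify. Group membership is read into the token at logon, so sign out
#    and back in before testing from a non-elevated session.
icacls $Path
```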

Regs
4066 posts

Uber Geek

Trusted
Snowflake

  #1236470 12-Feb-2015 12:18

Permissions are easy on their own. The "builtin administrators" + UAC combo makes it more difficult - but it's really for your own safety as it goes a long way to preventing malware from messing up your system when you run everything as admin (which is not recommended, btw) :-)




timmmay

20587 posts

Uber Geek

Trusted
Lifetime subscriber

  #1236908 13-Feb-2015 06:10

For reference, here are the permissions. I got them mostly using icacls /reset with the last two (in red) added manually in the GUI.
