Geekzone: technology news, blogs, forums




15235 posts

Uber Geek

Trusted
Subscriber

# 165509 11-Feb-2015 21:29

I have my d:\temp directory owned by PC\timmmay, with the administrators group having full control over that directory. The users timmmay and admin are both members of the administrators group. I can't create folders in the d:\temp directory and I can't delete files.

When I add timmmay and admin as explicit permissions I can do whatever I like to the directory.

Can anyone explain why this is? There's obviously something I don't know about Windows permissions that's tripping me up.

I have to say I'm about ready to smash the whole thing up with a baseball bat - I've spent days on and off trying to get ownership and permissions in shape across my 5 disks, plus general W10 frustrations. Moving data disks between PCs is always a bit of a PITA but this transition takes the cake, almost certainly because I don't have much theoretical background in this area and in the past I've just left most things pretty open. ReFS and Storage Spaces are working fine but the rest is bl***y annoying.

168 posts

Master Geek


  # 1236100 11-Feb-2015 22:18

I know it's obvious but a lot of people get caught by it... have you restarted since changing the permissions?

168 posts

Master Geek


  # 1236107 11-Feb-2015 22:24

Also just to check, you know there are NTFS (security) permissions and share permissions, and that you must set security permissions if it is a local user.

 
 
 
 




15235 posts

Uber Geek

Trusted
Subscriber

  # 1236210 12-Feb-2015 07:05

No, I don't restart after changing permissions, it's never been necessary and Windows isn't shy about saying "you should restart". When I add the "timmmay" user with full user rights it takes permission immediately.

This is for a local user, so I'm adjusting security not share permissions.

168 posts

Master Geek


  # 1236278 12-Feb-2015 09:17

Group membership is stored in a security token, which is created at log on. So when you add a user account to a group this change is only applied when the user logs on again. (Logging off is required when the user is logged on to a certain computer while you make the change and wants to be able to access the resources on the same computer.)

When you add a user account by name to a share or folder the colleague with the user account doesn't need to log on / log off to gain access.

Cloud Guru
4060 posts

Uber Geek

Trusted
Snowflake
Subscriber

  # 1236301 12-Feb-2015 09:39

Some directories in Windows have extra protection. c:\windows\* and c:\temp (or d:\temp) too. This is part of the malware protection. You can disable for directories, or all, but it's not recommended. Best to create a new folder and share that with correct permissions.




5173 posts

Uber Geek

Trusted
Microsoft

  # 1236305 12-Feb-2015 09:43

You don't need to restart for NTFS permission changes.

5173 posts

Uber Geek

Trusted
Microsoft

  # 1236307 12-Feb-2015 09:45

Can you paste in a screenshot of the permissions UI?

 
 
 
 




15235 posts

Uber Geek

Trusted
Subscriber

  # 1236311 12-Feb-2015 09:50

Gozer: Group membership is stored in a security token, which is created at log on. So when you add a user account to a group this change is only applied when the user logs on again. (Logging off is required when the user is logged on to a certain computer while you make the change and wants to be able to access the resources on the same computer.)

When you add a user account by name to a share or folder the colleague with the user account doesn't need to log on / log off to gain access.


Interesting. Users were assigned to groups about 10 restarts ago, it's only the file permissions I'm changing now.

Regs: Some directories in Windows have extra protection. c:\windows\* and c:\temp (or d:\temp) too. This is part of the malware protection. You can disable for directories, or all, but it's not recommended. Best to create a new folder and share that with correct permissions.


Why would d:\temp be protected? Is that relevant for this discussion?

nathan: Can you paste in a screenshot of the permissions UI?


I could late this evening when I'm home. Should've done it already but I was annoyed at the machine (or at myself, indirectly) so I turned it off and went to bed.

Cloud Guru
4060 posts

Uber Geek

Trusted
Snowflake
Subscriber

  # 1236337 12-Feb-2015 10:12

I think I see the problem now. Because you added 'full permissions' to the built-in administrators group, you're getting the UAC prompts when navigating folders in "user" mode (as opposed to elevated, or "run-as-administrator" mode).

Couple of solutions:
- disable UAC (not recommended)
- create a new group - "User Admins" for example - add timmmay and admin to this group and then grant full permissions to this new group while removing the builtin\admin group's permissions on the directory.
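
The second solution in the post above, written out as an added PowerShell example (not part of the original thread). It assumes Windows 10 with the built-in LocalAccounts cmdlets; the folder, account names and group name are the ones mentioned in the posts, and the function names are made up for this example.

```powershell
# Added example, not from the thread. Folder, accounts and group name are the
# ones mentioned in the posts; adjust for your machine.
$Folder  = 'D:\temp'
$Group   = 'User Admins'
$Members = 'timmmay', 'admin'

function Test-Elevated {
    # False in a UAC-filtered session: BUILTIN\Administrators is then carried
    # in the token as deny-only, so Allow ACEs naming that group do not apply.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Show-AdminGroupState {
    # S-1-5-32-544 is BUILTIN\Administrators. Non-elevated, the attributes
    # column reads "Group used for deny only" (English-language Windows).
    whoami /groups /fo csv /nh | Where-Object { $_ -match 'S-1-5-32-544' }
}

function Grant-FolderToNewGroup {
    if (-not (Test-Elevated)) { throw 'Run this step from an elevated PowerShell.' }

    if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $Group -Description 'Full control on data folders' | Out-Null
    }
    $current = (Get-LocalGroupMember -Group $Group).Name
    foreach ($m in $Members) {
        # Get-LocalGroupMember reports local accounts as COMPUTER\user
        if ($current -notcontains "$env:COMPUTERNAME\$m") {
            Add-LocalGroupMember -Group $Group -Member $m
        }
    }

    # Full control, inherited by subfolders (CI) and files (OI).
    icacls $Folder /grant "${Group}:(OI)(CI)F"
    # The post also removes the Administrators entry. /remove:g only deletes
    # explicit grant ACEs; entries inherited from the parent stay in place.
    icacls $Folder /remove:g '*S-1-5-32-544'
    icacls $Folder    # print the resulting ACL for review
}

Show-AdminGroupState        # run non-elevated to see the deny-only flag
# Grant-FolderToNewGroup    # run elevated, then log off and on again so the
                            # new group appears in each user's token
```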






15235 posts

Uber Geek

Trusted
Subscriber

  # 1236348 12-Feb-2015 10:23

That's the conclusion that I came to late last night as well, Regs - admins have rights but it has to pop up a dialog box for every action, and that wasn't happening. Your suggestion of a new group for admins is a great workaround.

NTFS permissions aren't as simple as I thought. It's really difficult to even say "take ownership of every file on the disk, and reset permissions to default". A combination of takeown and icacls /reset can do it but the documentation assumes more knowledge of NTFS permissions than I have. It looks like I need to explicitly remove all permissions I don't want, but I have so many random permissions on different parts of each disk that's virtually impossible. I think I'm close enough, but man it's been frustrating.

Cloud Guru
4060 posts

Uber Geek

Trusted
Snowflake
Subscriber

  # 1236470 12-Feb-2015 12:18

Permissions are easy on their own. The "builtin administrators" + UAC combo makes it more difficult - but it's really for your own safety as it goes a long way to preventing malware from messing up your system when you run everything as admin (which is not recommended, btw) :-)






15235 posts

Uber Geek

Trusted
Subscriber

  # 1236908 13-Feb-2015 06:10

For reference, here are the permissions. I got them mostly using icacls /reset with the last two (in red) added manually in the GUI.
