Geekzone: technology news, blogs, forums
Topic # 165509 11-Feb-2015 21:29

I have my d:\temp directory owned by PC\timmmay, with the administrators group having full control over that directory. The users timmmay and admin are both members of the administrators group. I can't create folders in the d:\temp directory and I can't delete files.

When I add timmmay and admin as explicit permissions I can do whatever I like to the directory.

Can anyone explain why this is? There's obviously something I don't know about Windows permissions that's tripping me up.

I have to say I'm about ready to smash the whole thing up with a baseball bat - I've spent days on and off trying to get ownership and permissions in shape across my 5 disks, plus general W10 frustrations. Moving data disks between PCs is always a bit of a PITA, but this transition takes the cake, almost certainly because I don't have much theoretical background in this area and in the past I've just left most things pretty open. ReFS and Storage Spaces are working fine but the rest is bl***y annoying.




AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer


  Reply # 1236100 11-Feb-2015 22:18

I know it's obvious, but a lot of people get caught by it... have you restarted since changing the permissions?

  Reply # 1236107 11-Feb-2015 22:24

Also, just to check: you know there are NTFS (security) permissions and share permissions, and that you must set security permissions if it is a local user.



  Reply # 1236210 12-Feb-2015 07:05

No, I don't restart after changing permissions; it's never been necessary, and Windows isn't shy about saying "you should restart". When I add the "timmmay" user with full user rights it takes permission immediately.

This is for a local user, so I'm adjusting security not share permissions.






  Reply # 1236278 12-Feb-2015 09:17

Group membership is stored in a security token, which is created at logon. So when you add a user account to a group, this change is only applied when the user logs on again. (Logging off is required when the user is logged on to a certain computer while you make the change and wants to be able to access the resources on the same computer.)

When you add a user account by name to a share or folder, the colleague with the user account doesn't need to log on / log off to gain access.

  Reply # 1236301 12-Feb-2015 09:39

Some directories in Windows have extra protection: c:\windows\* and c:\temp (or d:\temp) too. This is part of the malware protection. You can disable it for directories, or all, but it's not recommended. Best to create a new folder and share that with correct permissions.




Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs


  Reply # 1236305 12-Feb-2015 09:43

You don't need to restart for NTFS permission changes.

  Reply # 1236307 12-Feb-2015 09:45

Can you paste in a screenshot of the permissions UI?




  Reply # 1236311 12-Feb-2015 09:50

Gozer: Group membership is stored in a security token, which is created at logon. So when you add a user account to a group, this change is only applied when the user logs on again. (Logging off is required when the user is logged on to a certain computer while you make the change and wants to be able to access the resources on the same computer.)

When you add a user account by name to a share or folder, the colleague with the user account doesn't need to log on / log off to gain access.


Interesting. Users were assigned to groups about 10 restarts ago, it's only the file permissions I'm changing now.

Regs: Some directories in Windows have extra protection: c:\windows\* and c:\temp (or d:\temp) too. This is part of the malware protection. You can disable it for directories, or all, but it's not recommended. Best to create a new folder and share that with correct permissions.


Why would d:\temp be protected? Is that relevant for this discussion?

nathan: Can you paste in a screenshot of the permissions UI?


I could, late this evening when I'm home. Should've done it already, but I was annoyed at the machine (or at myself, indirectly), so I turned it off and went to bed.






  Reply # 1236337 12-Feb-2015 10:12

I think I see the problem now. Because you added 'full permissions' to the built-in Administrators group, you're getting the UAC prompts when navigating folders in "user" mode (as opposed to elevated, or "run-as-administrator" mode).

Couple of solutions:
- disable UAC (not recommended)
- create a new group - "User Admins" for example - add timmmay and admin to this group and then grant full permissions to this new group while removing the builtin\admin group's permissions on the directory.







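As an added example (not from the thread or from any of its posters), the PowerShell below makes the cause Regs describes visible and then applies his workaround. Run from an ordinary non-elevated prompt, the first part shows that an administrator's filtered token still lists BUILTIN\Administrators but marks it "deny only", so Allow ACEs granted to that group never match; it also reflects Gozer's point that group membership is copied into the token at logon. The group name "User Admins", the users timmmay and admin and the path D:\temp are taken from the thread; the group and ACL commands assume an elevated prompt.

```powershell
# Added example (not from the thread). Run the diagnostic part from a normal,
# non-elevated PowerShell prompt; the group and ACL changes need an elevated one.

$AdminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# 1. Inspect the current access token. Group membership is copied into the
#    token at logon (a new membership needs a fresh logon), and under UAC the
#    non-elevated token of an administrator carries the Administrators group
#    only as "deny only": it can match Deny ACEs but never Allow ACEs.
$groups = whoami /groups /fo csv | ConvertFrom-Csv
$admin  = $groups | Where-Object { $_.SID -eq $AdminSid }
if (-not $admin) {
    Write-Host 'Administrators is not in this token (not a member, or logged on before being added).'
} elseif ($admin.Attributes -match 'deny only') {
    Write-Host 'Administrators is present but deny-only: Allow ACEs for it are ignored in this session.'
} else {
    Write-Host 'Administrators is an enabled group: this is an elevated token.'
}

# The same fact seen through .NET: IsInRole ignores deny-only groups.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "IsInRole(Administrator) = $elevated"

# 2. Show the folder's ACEs. Owning D:\temp implicitly grants only
#    READ_CONTROL and WRITE_DAC, not create or delete, which is why
#    ownership by timmmay did not help on its own.
icacls D:\temp

# 3. Regs' workaround (elevated prompt): a plain local group is never filtered
#    by UAC, so grant it full control and drop the BUILTIN\Administrators ACE.
#    (OI)(CI)F = object inherit + container inherit, Full control.
net localgroup "User Admins" /add
net localgroup "User Admins" timmmay /add
net localgroup "User Admins" admin /add
icacls D:\temp /grant "User Admins:(OI)(CI)F"
icacls D:\temp /remove:g "BUILTIN\Administrators"

# A freshly added membership is not in any existing token: log off and on
# again before testing.
```

Note that /remove:g only deletes the explicit Administrators ACE on D:\temp; an Allow ACE inherited from D:\ still applies and would need to be handled at the drive root or by breaking inheritance.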

  Reply # 1236348 12-Feb-2015 10:23

That's the conclusion that I came to late last night as well Regs - admins have rights but it has to pop up a dialog box for every action, and that wasn't happening. Your suggestion of a new group for admins is a great workaround.

NTFS permissions aren't as simple as I thought. It's really difficult to even say "take ownership of every file on the disk, and reset permissions to default". A combination of takeown and icacls /reset can do it but the documentation assumes more knowledge of NTFS permissions than I have. It looks like I need to explicitly remove all permissions I don't want, but I have so many random permissions on different parts of each disk that's virtually impossible. I think I'm close enough, but man it's been frustrating.






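The "take ownership of everything and reset permissions to default" sequence timmmay describes, written out as an added example that is not from the thread: it saves the current ACLs first so the change can be undone, takes ownership of the tree, resets every child to inherited permissions, and then gives the root one explicit, known-good ACL. The root path D:\data, the backup file name and the final set of grants are assumptions; it must be run from an elevated prompt.

```powershell
# Added example (not from the thread): reset a whole tree to inherited default
# permissions. D:\data and the backup file name are placeholders. Run elevated.
param(
    [string]$Root   = 'D:\data',
    [string]$Backup = "$env:TEMP\acl-backup-$(Get-Date -Format 'yyyyMMdd-HHmmss').txt"
)

# 0. Save every ACL under $Root before touching anything; "icacls /restore"
#    can put them back. /T recurse, /C continue on errors, /Q quiet.
icacls $Root /save $Backup /T /C /Q
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Some ACLs could not be saved; check the output and $Backup before continuing"
}
Write-Host "ACLs saved to $Backup"

# 1. Take ownership of the tree. Only the owner (or a holder of
#    SeTakeOwnershipPrivilege, which Administrators have when elevated) can
#    rewrite a DACL that currently locks everyone out. /A assigns ownership to
#    the Administrators group instead of the current user, /R recurses and
#    /D Y answers the prompt for folders we cannot list yet.
takeown /F $Root /R /A /D Y | Out-Null

# 2. Replace every ACL in the tree, root included, with the default inherited
#    one: all explicit ACEs disappear and each item inherits from its parent
#    again ($Root itself inherits from the drive root at this point).
icacls $Root /reset /T /C /Q

# 3. Give $Root a single explicit ACL. /inheritance:r first strips what it
#    inherits from the drive so nothing unexpected flows down the tree.
#    (OI)(CI) inherit to files and folders; F full control, RX read+execute.
#    Remember that the BUILTIN\Administrators entry only applies from an
#    elevated session, for the UAC reason discussed earlier in the thread.
icacls $Root /inheritance:r `
    /grant:r 'SYSTEM:(OI)(CI)F' `
    /grant:r 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant:r 'Users:(OI)(CI)RX'

# 4. Verify: /verify flags ACLs that are not canonical or have inconsistent
#    lengths, and a plain icacls call shows the resulting root ACL.
icacls $Root /verify /T /C /Q
icacls $Root
```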
  Reply # 1236470 12-Feb-2015 12:18

Permissions are easy on their own. The "builtin administrators" + UAC combo makes it more difficult - but it's really for your own safety, as it goes a long way to preventing malware from messing up your system when you run everything as admin (which is not recommended, btw) :-)








  Reply # 1236908 13-Feb-2015 06:10

For reference, here are the permissions. I got them mostly using icacls /reset with the last two (in red) added manually in the GUI.

[Screenshot of the permissions dialog omitted]





