NTFS Permissions Confusion


  1. Posts : 80
    Windows 10 Pro 64-Bit 21H1
       #1

    NTFS Permissions Confusion


    I clearly do not understand NTFS permissions. Can someone please help eliminate my confusion.

    When I am signed in to RAVEN\Clayton (local, standard account) and I check Properties->Security on D:\Users\Clayton\Utilities, I find:

    NTFS Permissions Confusion-q1.png

    To me this indicates that SYSTEM, RAVEN\Administrators, and RAVEN\Clayton (Owner) have Full Control. Clicking Advanced and looking at Effective Access for RAVEN\Admin (local, administrators account):

    NTFS Permissions Confusion-q2.png

    To me this indicates RAVEN\Admin (a member of RAVEN\Administrators) has Full Control on D:\Users\Clayton\Utilities. All this makes sense to me.

    However, if I sign in as RAVEN\Admin and click on D:\Users\Clayton, I find:

    NTFS Permissions Confusion-q3.png

    If I try to look at Properties on D:\Users\Clayton, I get:

    NTFS Permissions Confusion-q4.png

    I simply do not understand this. If RAVEN\Administrators has Full Control on D:\Users\Clayton and all its children, then why does RAVEN\Admin (a member of RAVEN\Administrators) get permission errors? Makes zero sense to me.
      My Computer


  2. Posts : 49
    Windows 10 Pro
       #2

    How exactly are you logged in as admin?
    Anyways do the same steps but through an elevated command prompt? same errors?

    I personally only studied this part very briefly and it was boring that i didn't pay too much attention to it. If I need to I will review my notes to look into it further but hopefully someone more knowledge will help you out :)
      My Computer


  3. Posts : 234
    Windows 10 Pro (x64)
       #3

    Your screen shots the permission is set on a sub folder in your user folder. That doesn't mean those same permissions are on the root folder. However, with UAC active an administrator account doesn't have administrative power until they invoke that action with a UAC prompt.
      My Computer


  4. Posts : 187
    Windows 10 Pro
       #4

    This Admin account, is it one that you made yourself? Because on my Windows 10 system, there is no account Admin.
    And if you made this account, check if it is a member of the Administrators group.

    Administrators is a group account. Any user account that is recognized as an administrator, gets its permissions set by this group policy, but only when the account has been elevated to use administrator rights. "Run as Administrator" is one of those things that elevates your account. Every other user, even users that are recognized as administrators, are logged in as normal users. Administrator rights can only be given when you run things as an administrator.
      My Computer


  5. Posts : 1,249
    Windows 10 Pro
       #5

    Actually this makes a great deal of sense.

    With UAC enabled (the default condition with Vista and later) an admin level account does not always have full admin rights. Normally it has only the rights of a standard account which are more limited. That is why you are receiving the error message. Only on request do you have full admin rights.

    This is a security measure. For security reasons it is best to be logged in with a standard account use and use an admin account only when needed. If while using an admin level account and you accidentally run malicious code (very difficult to fully avoid) that code will have your rights and be able to do pretty much anything it wants. That is bad. But if you are using a standard account that malicious code will have very limited scope. That is good.

    UAC is just a more convenient way to run with a standard account for normal use with full admin rights only when needed.

    Edit: Any modern operating system is a lot more complicated than is at first apparent. At first there will be things that seem to make no sense. But when you understand why it all makes sense. Unfortunately reaching that level of understanding is often difficult. That is a price of modern technology.
      My Computer


  6. Posts : 80
    Windows 10 Pro 64-Bit 21H1
    Thread Starter
       #6

    OK, let me try to clarify. I may be fooling myself, but I believe I understand the difference between the Built-In Administrator account and an account belonging to the Administrators group. An Administrators account IS NOT the Administrator account. An Administrators account can elevate via UAC (Run as administrator) to gain the Administrator account security token.

    I am beginning to wonder if this issue is specific to File Explorer (explorer.exe). Signed in as raven\admin, I can open an administrator command prompt and can read C:\Users\Clayton and any of its children:

    NTFS Permissions Confusion-q5.png

    However, even using runas to ensure that File Explorer has an elevated security token, when I try to access C:\Users\Clayton I still get an error:

    NTFS Permissions Confusion-q3.png

    Does this mean that File Explorer simply can not be run with an elevated security token and that permissions must be managed from an administrator command prompt only?
      My Computer


  7. Posts : 5,478
    2004
       #7

    Well, yes. If "Clayton" wants access to that directory (through file explorer) s/he must click on "Continue" to use the Administrator rights to access it and in doing so change the access rights.

    Alternatively you could right click on the folder and change the permissions (and/or owner) directly or (as you have seen) use a command prompt running under Admin which bypasses the whole thing.
      My Computer


  8. Posts : 1,249
    Windows 10 Pro
       #8

    The explorer.exe process isn't just used for Windows Explorer. It starts when the user logs in and is always running controlling user interaction with the desktop and more. With default configuration using the runas command to run explorer.exe simply opens a new explorer window with the same explorer.exe process with the same privileges as before. Folder properties must appropriately configured to get a new explorer.exe process with each explorer window.

    I don't believe that the explorer.exe process can be run as an elevated process without specific configuration changes, which I know nothing about. That is unless you are running with the administrator account or UAC is fully disabled.
      My Computer


  9. Posts : 80
    Windows 10 Pro 64-Bit 21H1
    Thread Starter
       #9

    Many thanks for the helpful responses. Clearly what I did not understand is illustrated as follows.

    From a Command Prompt:
    Code:
    C:\Users\Admin>whoami /user /groups /fo list
    
    USER INFORMATION
    ----------------
    
    User Name: raven\admin
    SID:       S-1-5-21-1822855413-3360690379-114833963-1001
    
    GROUP INFORMATION
    -----------------
    ...
    Group Name: BUILTIN\Administrators
    Type:       Alias
    SID:        S-1-5-32-544
    Attributes: Group used for deny only
    ...
    
    C:\Users\Admin>
    From an Administrator Command Prompt:
    Code:
    C:\Users\Admin>whoami /user /groups /fo list
    
    USER INFORMATION
    ----------------
    
    User Name: raven\admin
    SID:       S-1-5-21-1822855413-3360690379-114833963-1001
    
    GROUP INFORMATION
    -----------------
    ...
    Group Name: BUILTIN\Administrators
    Type:       Alias
    SID:        S-1-5-32-544
    Attributes: Mandatory group, Enabled by default, Enabled group, Group owner
    ...
    
    C:\Windows\system32>
    Guess all those years working in unix put me in the wrong paradigm. Did not realize that you can be a member of group, but not possess the rights of that group without UAC elevation. Now I understand that an Administrators account logon generates two security tokens: an administrative token (AT) and a standard user token (SUT), which is stripped of any administrative powers.
      My Computer


  10. Posts : 234
    Windows 10 Pro (x64)
       #10

    It works in the same way as Sudo on Linux systems (In theory lets not get into semantic debates). It takes away administrative power until you invoke it with "sudo". UAC is in the same light, it keeps the administrative accounts with limited power until needed. The last thing you want is your browser to have administrative power.
      My Computer


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 17:36.
Find Us




Windows 10 Forums