Windows 10: NTFS Permissions Confusion

  1.    10 Aug 2015 #1

    NTFS Permissions Confusion


    I clearly do not understand NTFS permissions. Can someone please help eliminate my confusion.

    When I am signed in to RAVEN\Clayton (local, standard account) and I check Properties->Security on D:\Users\Clayton\Utilities, I find:

    Click image for larger version. 

Name:	q1.png 
Views:	183 
Size:	20.0 KB 
ID:	30157

    To me this indicates that SYSTEM, RAVEN\Administrators, and RAVEN\Clayton (Owner) have Full Control. Clicking Advanced and looking at Effective Access for RAVEN\Admin (local, administrators account):

    Click image for larger version. 

Name:	q2.png 
Views:	4 
Size:	32.4 KB 
ID:	30158

    To me this indicates RAVEN\Admin (a member of RAVEN\Administrators) has Full Control on D:\Users\Clayton\Utilities. All this makes sense to me.

    However, if I sign in as RAVEN\Admin and click on D:\Users\Clayton, I find:

    Click image for larger version. 

Name:	q3.png 
Views:	173 
Size:	4.9 KB 
ID:	30159

    If I try to look at Properties on D:\Users\Clayton, I get:

    Click image for larger version. 

Name:	q4.png 
Views:	181 
Size:	9.2 KB 
ID:	30160

    I simply do not understand this. If RAVEN\Administrators has Full Control on D:\Users\Clayton and all its children, then why does RAVEN\Admin (a member of RAVEN\Administrators) get permission errors? Makes zero sense to me.
      My ComputerSystem Spec

  2.    10 Aug 2015 #2

    How exactly are you logged in as admin?
    Anyways do the same steps but through an elevated command prompt? same errors?

    I personally only studied this part very briefly and it was boring that i didn't pay too much attention to it. If I need to I will review my notes to look into it further but hopefully someone more knowledge will help you out
      My ComputerSystem Spec

  3.    10 Aug 2015 #3

    Your screen shots the permission is set on a sub folder in your user folder. That doesn't mean those same permissions are on the root folder. However, with UAC active an administrator account doesn't have administrative power until they invoke that action with a UAC prompt.
      My ComputerSystem Spec

  4.    10 Aug 2015 #4

    This Admin account, is it one that you made yourself? Because on my Windows 10 system, there is no account Admin.
    And if you made this account, check if it is a member of the Administrators group.

    Administrators is a group account. Any user account that is recognized as an administrator, gets its permissions set by this group policy, but only when the account has been elevated to use administrator rights. "Run as Administrator" is one of those things that elevates your account. Every other user, even users that are recognized as administrators, are logged in as normal users. Administrator rights can only be given when you run things as an administrator.
      My ComputerSystem Spec

  5.    10 Aug 2015 #5

    Actually this makes a great deal of sense.

    With UAC enabled (the default condition with Vista and later) an admin level account does not always have full admin rights. Normally it has only the rights of a standard account which are more limited. That is why you are receiving the error message. Only on request do you have full admin rights.

    This is a security measure. For security reasons it is best to be logged in with a standard account use and use an admin account only when needed. If while using an admin level account and you accidentally run malicious code (very difficult to fully avoid) that code will have your rights and be able to do pretty much anything it wants. That is bad. But if you are using a standard account that malicious code will have very limited scope. That is good.

    UAC is just a more convenient way to run with a standard account for normal use with full admin rights only when needed.

    Edit: Any modern operating system is a lot more complicated than is at first apparent. At first there will be things that seem to make no sense. But when you understand why it all makes sense. Unfortunately reaching that level of understanding is often difficult. That is a price of modern technology.
      My ComputerSystem Spec

  6.    10 Aug 2015 #6

    OK, let me try to clarify. I may be fooling myself, but I believe I understand the difference between the Built-In Administrator account and an account belonging to the Administrators group. An Administrators account IS NOT the Administrator account. An Administrators account can elevate via UAC (Run as administrator) to gain the Administrator account security token.

    I am beginning to wonder if this issue is specific to File Explorer (explorer.exe). Signed in as raven\admin, I can open an administrator command prompt and can read C:\Users\Clayton and any of its children:

    Click image for larger version. 

Name:	q5.png 
Views:	102 
Size:	27.2 KB 
ID:	30229

    However, even using runas to ensure that File Explorer has an elevated security token, when I try to access C:\Users\Clayton I still get an error:

    Click image for larger version. 

Name:	q3.png 
Views:	101 
Size:	4.9 KB 
ID:	30230

    Does this mean that File Explorer simply can not be run with an elevated security token and that permissions must be managed from an administrator command prompt only?
      My ComputerSystem Spec

  7.    10 Aug 2015 #7

    Well, yes. If "Clayton" wants access to that directory (through file explorer) s/he must click on "Continue" to use the Administrator rights to access it and in doing so change the access rights.

    Alternatively you could right click on the folder and change the permissions (and/or owner) directly or (as you have seen) use a command prompt running under Admin which bypasses the whole thing.
      My ComputerSystem Spec

  8.    10 Aug 2015 #8

    The explorer.exe process isn't just used for Windows Explorer. It starts when the user logs in and is always running controlling user interaction with the desktop and more. With default configuration using the runas command to run explorer.exe simply opens a new explorer window with the same explorer.exe process with the same privileges as before. Folder properties must appropriately configured to get a new explorer.exe process with each explorer window.

    I don't believe that the explorer.exe process can be run as an elevated process without specific configuration changes, which I know nothing about. That is unless you are running with the administrator account or UAC is fully disabled.
      My ComputerSystem Spec

  9.    12 Aug 2015 #9

    Many thanks for the helpful responses. Clearly what I did not understand is illustrated as follows.

    From a Command Prompt:
    Code:
    C:\Users\Admin>whoami /user /groups /fo list
    
    USER INFORMATION
    ----------------
    
    User Name: raven\admin
    SID:       S-1-5-21-1822855413-3360690379-114833963-1001
    
    GROUP INFORMATION
    -----------------
    ...
    Group Name: BUILTIN\Administrators
    Type:       Alias
    SID:        S-1-5-32-544
    Attributes: Group used for deny only
    ...
    
    C:\Users\Admin>
    From an Administrator Command Prompt:
    Code:
    C:\Users\Admin>whoami /user /groups /fo list
    
    USER INFORMATION
    ----------------
    
    User Name: raven\admin
    SID:       S-1-5-21-1822855413-3360690379-114833963-1001
    
    GROUP INFORMATION
    -----------------
    ...
    Group Name: BUILTIN\Administrators
    Type:       Alias
    SID:        S-1-5-32-544
    Attributes: Mandatory group, Enabled by default, Enabled group, Group owner
    ...
    
    C:\Windows\system32>
    Guess all those years working in unix put me in the wrong paradigm. Did not realize that you can be a member of group, but not possess the rights of that group without UAC elevation. Now I understand that an Administrators account logon generates two security tokens: an administrative token (AT) and a standard user token (SUT), which is stripped of any administrative powers.
      My ComputerSystem Spec

  10.    12 Aug 2015 #10

    It works in the same way as Sudo on Linux systems (In theory lets not get into semantic debates). It takes away administrative power until you invoke it with "sudo". UAC is in the same light, it keeps the administrative accounts with limited power until needed. The last thing you want is your browser to have administrative power.
      My ComputerSystem Spec


 

Related Threads
USB install - Fat32 OR NTFS ? in Installation and Upgrade
Fresh Installing Windows 10 and before downloading file, I was thinking if I should format my drive to Fat32 OR NTFS OR exFAT? Does it make any difference ? - Plz Guide me.
I took the plunge today and did a clean install of Windows 10 pro downloaded from MSDN. pleased to say it was the best install experience of any OS i've worked with. the performance is also incredible, everything is very snappy & responsive. ...
Activation Confusion in Windows Updates and Activation
Hi All, I know there are many threads about the activation system but I was just wondering if I done it correctly. I downloaded the media creation tool selected upgrade and it upgraded my PC from W8.1 > W10 and the product got activated. ...
Independent Confusion in General Support
The Independent ran a news item this morning on the pricing of W10. The following got my attention.... "..... and business ....."...??? What business? My understanding is that if an organisation (small/medium business, education...
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 14:03.
Find Us