Standard user able to access Admin folders?

dirkd · 22 Nov 2017

Hello,

Not sure if this is by default, but I've noticed it on 3 different computers. 2 running Windows 10 Home, 1 running Windows 10 Pro. When logged on as standard user, I'm able to access the folders of an Administrator. I may get prompted for password the first time, but after logging off, restarting, etc, I'm still able to access the folders forever after that. Not sure if there's something I'm doing to accidentally enable this.

Any ideas??

Try3 · 23 Nov 2017

Dirk,

The password you entered earlier was that of an Admin user account and it permanently authorised your access to the folder concerned.

You will be able to see this by right-clicking on the folder, selecting Properties, Security tab - your standard user account name will be shown as having permission to access the folder. You can change that entry to undo what you have done if you want to [use either Edit or Advanced].

Change Permissions of Objects for Users and Groups in Windows 10 User Accounts Tutorials

Denis

dirkd · 23 Nov 2017

Thanks for the reply.

Why would it be permanent, even after a reboot? That seems to defy the fundamental separation of Admins and users.
If this is the default, how can I set it to prompt for a password each time?

TairikuOkami · 23 Nov 2017

Default standard user has more rights than admin with full UAC.

Set ConsentPromptBehaviorUser to 0 to block any admin tasks.

Code:

rem 0 - Elevate without prompting / 1 - Prompt for credentials on the secure desktop / 2 - Prompt for consent on the secure desktop / 3 - Prompt for credentials / 4 - Prompt for consent / 5 (Default) - Prompt for consent for non-Windows binaries
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "1" /f

rem 0 - Automatically deny elevation requests / 1 - Prompt for credentials on the secure desktop / 3 (Default) - Prompt for credentials
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorUser" /t REG_DWORD /d "0" /f

rem 2 (Default)
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableFullTrustStartupTasks" /t REG_DWORD /d "0" /f

rem Detect application installations and prompt for elevation / 1 - Enabled (default for home) / 0 - Disabled (default for enterprise)
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableInstallerDetection" /t REG_DWORD /d "1" /f

rem Run all administrators in Admin Approval Mode / 0 - Disabled (UAC) / 1 - Enabled (UAC)
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "1" /f

rem Only elevate UIAccess applications that are installed in secure locations / 0 - Disabled / 1 (Default) - Enabled
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableSecureUIAPaths" /t REG_DWORD /d "1" /f

rem 0 (Default) = Disabled / 1 - Enabled
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableUwpStartupTasks" /t REG_DWORD /d "0" /f

rem Allow UIAccess applications to prompt for elevation without using the secure desktop / 0 (Default) = Disabled / 1 - Enabled
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableUIADesktopToggle" /t REG_DWORD /d "0" /f

rem 0 - Disabled / 1 - Enabled (Default)
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableVirtualization" /t REG_DWORD /d "0" /f

rem Admin Approval Mode for the built-in Administrator account / 0 (Default) - Disabled / 1 - Enabled
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "FilterAdministratorToken" /t REG_DWORD /d "1" /f

rem Allow UIAccess applications to prompt for elevation without using the secure desktop / 0 (Default) - Disabled / 1 - Enabled
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "1" /f

rem 1 - Enable command-line auditing
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v "ProcessCreationIncludeCmdLine_Enabled" /t REG_DWORD /d "1" /f

dirkd · 24 Nov 2017

Thanks for the replies.

I think ConsentPromptBehaviorUser is the only one I'm looking for, but it doesn't prompt each time. It grants access permanently.

Setting it to 1 or 3 seems to do the same thing. 0 completely denies it.

I want it to prompt for password each time, or at least after a reasonable period of time, or a reboot, etc.

Bree · 24 Nov 2017

dirkd said:

When logged on as standard user, I'm able to access the folders of an Administrator. I may get prompted for password the first time, but after logging off, restarting, etc, I'm still able to access the folders forever after that....

You were explicitly told that this would happen. When you first tried to access the administrator's folder you saw...

Standard user able to access Admin folders?-get-permissions.png

...and you were asked for the password after you clicked Continue.

dirkd · 24 Nov 2017

Correct.

I also asked "If this is the default, how can I set it to prompt for a password each time"?

Bree · 25 Nov 2017

By granting yourself access to the administrator's folders you have added your account to the permissions for those folders. This is the way Windows has always worked, it was the same in Windows 7. You can't change the way Windows works on permissions.

If you want to be asked for a password next time, you need to look at the Security Properties for that folder and remove your account from those granted access.

dirkd · 28 Nov 2017

Thanks for the info.