Try right clicking on Explorer and run as administrator. Jon
On Wed, Jul 15, 2009 at 1:08 PM, Miller Bonnie L. < [email protected]> wrote: > Yes—If I run cmd as administrator and then run explorer.exe, I still have > trouble. That’s why I had the question about whether explorer really runs > as administrator or whether it is changing with the focus changes. > > > > In fact, okay, this is interesting… > > I run cmd as administrator and just run explorer and navigate to e:\files—I > get the UAC prompt when opening the folder. When trying to change > permissions, I edit and add someone with read, and get the “access denied”. > > > If I run cmd as administrator and then run “explorer e:\files”, to open > that folder. Now, I can change perms with no errors, and can even navigate > around and still have administrator permissions. What the heck? > > > > Can anyone confirm if they see the same thing? I get this on both WS08 and > Vista, but our machines are all in the same domain and likely have similar > policies. > > > > -Create a folder while logged on as a domain admin. > > -Remove inheritable permissions > > -Remove all accounts except administrators and system full control, and ok > out of the security window. > > -Edit security again and try to add a group or user. When applying, this > is where I get access denied. > > > > -B > > > > *From:* Carl Houseman [mailto:[email protected]] > *Sent:* Wednesday, July 15, 2009 9:49 AM > *To:* NT System Admin Issues > *Subject:* RE: UAC--argh... > > > > Or elevate a command prompt, then type "explorer" at the command line and > now you have an elevated Explorer. > > > > Carl > > > > *From:* Rob Bonfiglio [mailto:[email protected]] > *Sent:* Wednesday, July 15, 2009 12:46 PM > *To:* NT System Admin Issues > *Subject:* Re: UAC--argh... > > > > Have you tried assigning permissions via an elevated command line or > powershell? > > On Wed, Jul 15, 2009 at 12:41 PM, Miller Bonnie L. < > [email protected]> wrote: > > So, I’ve been trying REALLY hard to just get used to UAC with WS08, but now > that we have some actual file servers coming online, using windows explorer > to assign permissions is driving me absolutely batty. > > > > Example: While logged on with a domain admin account on a WS08 SP2 member > server, I create a folder on the root of the hard drive (let’s call it > E:\Files). Then, we remove inherited permissions and strip the list down to > administrators and system full, and sometimes add domain admins with full, > since that is the group here who can work with user files. Then, we assign > the permissions for domain groups who need access. Folder can be shared out > with Everyone Full, but the sharing isn’t really part of the problem. > > > What I’ve listed above, which is fine on WS03, never seems to be enough > permission for UAC, and I’ll get “access denied” errors when trying to apply > permissions. If I add my account explicitly (the domain admin I’m logged on > as), it then works. But if there is a subfolder (let’s say > E:\Files\Butterflies) that I’m not added onto, then applying higher level > permissions will make it stop and bark about permissions for that > subfolder. There can be a lot of subfolders, and it stops on each one. > > > > Leaving the “everyone” permissions or creator owner on there when setting > up the folder seems to help sometimes, but then you end up with more > permissions than we want on something, and with creator owner there seem to > be added permissions. Explorer.exe can’t be run in “compatability mode” so > I can’t set it to run elevated, but I find that if I run it as administrator > I seem to still have problems—it’s almost like each time you change the > focus in explorer it re-evaluates your credentials. > > > > Do other people have this trouble, and if so, *what are you doing to > handle this?* Here are some options I see: > > 1) Assign explicit permissions for administrative accounts on all > files and folders—yikes! Would this work with a domain group, as long as > it’s not domain admins (or something else in administrators)? > > 2) Log on with THE local administrator account when we need to work on > permissions. (Yuk, getting prompted for domain credentials every time we > need to browse the domain to add a group. Also bad having multiple admins > logging on the same account all the time). > > 3) Suck it up and wait for R2, because they’ve made this “better” > somehow? > > 4) When creating a folder, leave permissions at the “default”. Add > groups that need access, and restrict the share-level permissions to just > those groups (another yuk, especially since we are really getting away from > sharing out every folder). > > 5) Something else? I was reading up on UAC on technet ( > http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx), but I’m > not sure if I could gain or lose anything by doing something like disabling > admin approval mode or changing the elevation prompt for administrators. > I’m concerned that this might really negate the security benefit of having > UAC in the first place on a server. > > 6) Turn off UAC—honestly, I really don’t want to do this unless there > is no other option. > > > > -Bonnie > > > > > > > > > > > > > > > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
<<image001.jpg>>
