Because he Vista/Win7/Win2K8 codebase introduced the idea of trust levels(aka integrity mechanisms) that map to user accounts.
Thus even if you have specific perms on an object, if the object is mapped to a trust level higher than yours currently, then to invoke an action on it requires an explicit allow, hence the UAC prompt and/or RunAs. Interesting idea, and the Win7 implementation is much better than Vista's but still not entirely sure I like it. Russunovich had a good article on it. -sc From: David Lum [mailto:[email protected]] Sent: Wednesday, February 17, 2010 10:51 AM To: NT System Admin Issues Subject: Quiz du jour Today I was asked: "What's the point of NTFS ACLs if, when having full control to a file I still have to run-as" I knew the answer once but a quick search comes up empty for me. Anyone? David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
