Tuesday, November 15, 2011

Windows 2008 R2 folder security issue and UAC

It is incredible how many Windows system administrators have been impacted by the introduction of UAC in Windows 2008 R2. These days I have been asked how to solve general security issues with folder security in 2008 R2. These issues weren't present in previous Windows versions such as Windows 200/2003, that's why many of us were surprised by new unknown behaviors.

In particular people were facing a situation in which on some folders or drives, when opening the Properties window as a member of the local Administrators group and selecting the Security tab, they had to click on 'Continue' before they could see the folder NTFS permissions.

The particular message shown was: 

"To continue, you must be an administrative user with permission to view this object's security properties. Do you want to continue?" 

and they were supposed to click the 'Continue' button.

If they explicitly granted the very same user account Full Control access to the folder, the NTFS permissions showed up without any further hassle.

In the same context, they got an 'Access Denied' error on the same folders even if they were members of the local Administrators group. Enabling Auditing on these folders showed up many 4656 events telling that their access was not granted.

If you have this problem also, the solution is simple: lower UAC to 0, following the procedure I have posted here:

How to disable UAC

How to disable UAC for System Administrators only

UAC is a major change (or 'improvement' if you wish..) in Windows 2008 R2, but it can be a real obstacle to everyday sysadmin tasks. So getting rid of it can sometimes be the only possible solution.

Do not hesitate to comment if you find this post useful or if you wan to share your point of view on UAC.

2 comments:

  1. Turning off UAC is bad advice. Just like telling people to disable the firewall when lacking network access.

    ReplyDelete
    Replies
    1. People are free to do what they think right. I am just explaining how to do it, not telling them to do it.

      Delete

Related Posts Plugin for WordPress, Blogger...