1
Consider the following situation.
Let's say I have two interactive local user accounts registered on my machine: Admin
(member of Administrators
group) and Alice
(member of Users
group). Let's say on my hard drive I have a folder Test
with the following security settings:
Owner : Alice
Permissions:
System : Full Control
Administrators: Full Control
Alice : Full Control
Now, if I log in under Admin
account and attempt to open the folder Test
, Windows will initially refuse to do so. It will display a message box saying
"You don't currently have permissions to access this folder"
My first question is: why? I'm logged in as Admin
- a member of Administrators
group - and therefore I'm supposed to have full control of the folder. Why does Windows say that I don't currently have permissions?
Now, the aforementioned message box will also offer me the opportunity to "Click Continue to permanently get access to this folder". If I click "Continue", I'll be allowed to open folder Test
. And, as a consequence of that, the security settings of Test
will change to
Owner : Alice
Permissions:
System : Full Control
Administrators: Full Control
Alice : Full Control
Admin : Full Control
As you can see, Windows automatically added an extra entry Admin: Full Control
to the list. After that I will be able to access Test
without any restrictions. However, the above set of security permissions seems to be redundant to me. It already included Administrators: Full Control
entry from the very beginning. Why wasn't that sufficient?
So, my second question is: why would Windows need an extra Admin: Full Control
entry to finally give Admin
that "full control".
What is the formal logic behind this behavior?
Some clarifications
Note, this question is not about my Admin
account not being "all-powerful Administrator that can do whatever he wants". I don't expect my Admin
account to be all-powerful at all. In fact, at the most basic level I don't care about any special rights of my Admin
account. It is just some account that belongs to some group.
My question is about file system access rights granted through group membership.
Consider another example. Let's say I created some random user group called Ugly Ducklings
. And I added regular users Alice
and Bob
to the Ugly Ducklings
group.
Then I create folder DucklingTest
with the following permissions
Owner : Alice
Permissions:
Ugly Ducklings : Full Control
Now, if I log in as Bob
I will indeed have full control over DucklingTest
folder (!).
Why?
Is my Bob
an all-powerful administrator? No. Is my Bob
privileged in any way? No. Do I have to "elevate" Bob
somehow, to perform access to DucklingTest
? No.
So, why does Bob
have full control over DucklingTest
folder?
Easy. Bob
has full control over DucklingTest
folder because Bob
is a member of Ugly Ducklings
group and Ugly Ducklings
group has been granted full control permissions over DucklingTest
. End of story.
How come the same logic does not apply to Admin
and Administrators
? Admin
is a member of Administrators
group and Administrators
group has been granted full control permissions over Test
folder. What's missing here? What kind of extra "control" Windows is trying to enforce in this case by imposing what looks like extra restrictions on members of Administrators
group?
Sorry, this does not look relevant at all. You apparently decided my question is about my
Admin
not being "admin enough". No, this is not what the question is about. Not even close. The question is about file system permissions and their operation with no relation to any "super-rights" supposedly assigned to administrators. I can create a folder owned byAlice
and grantUsers : Full Control
rights on that folder. Under such rights userBob
(also a members ofUsers
) will be able to freely enter that folder. AndBob
is not even a member ofAdministrators
group! – AnT – 2015-11-29T18:02:42.817@AnT Then please clarify your question. As it stands, your question does not mention
Users : Full Control
at all. What your question does say is thatAdmin
doesn't initially have the correct permissions. That is what my answer explains.Admin : Full Control
is not the same asAdministrators: Full Control
.Admin
is a user.Administrators
is a group. – DavidPostill – 2015-11-29T18:11:33.563@AnT "If you want to do something that need Adminstrators privileges using an account created (for example Admin) and placed in Administrators group you will have to either:
" – DavidPostill – 2015-11-29T18:13:02.493
@AnT "Click Continue to permanently get access to this folder" is Confirming the privilege elevation when requested as I stated in my answer. – DavidPostill – 2015-11-29T18:13:58.140
If I grant
Users : Full Control
permission,Bob
will be able to open the folder becauseBob
is a member ofUsers
group. Then whyAdmin
(who is a members ofAdministrators
group) cannot open the same folder in the very same way through the same logic? Again, I don't care how "powerful" (or "powerless" myAdmin
is). All I care about is that myAdmin
is a member ofAdministrators
. Why the logic that allowedBob
to enter does not apply toAdmin
? Why a "mere-mortal" groupUsers
(and thereforeBob
) seems to be less restricted (in group rights) thanAdministrators
group? – AnT – 2015-11-29T18:15:43.917No, clicking "Continue to permanently..." does not perform privilege elevation in its normal sense. It simply performs automatic update of security permissions, as described above. Privilege elevation is always temporary. What happens in this case is permanent. – AnT – 2015-11-29T18:17:29.600
I can create a group named, say,
Ugly Ducklings
. And I can giveUgly Ducklings
full control over folderTest
(and no one else). After than any member ofUgly Ducklings
will be able to freely open that folder and do absolutely anything to it. Why does some random groupUgly Ducklings
work "as expected", whileAdministrators
group doesn't work that way? – AnT – 2015-11-29T18:26:13.577@AnT Answer updated. – DavidPostill – 2015-11-29T18:41:01.990