I don’t understand changes to Vista/7/2008 NTFS permissions

Posted on

QUESTION :

In NT prior to Vista, if you created a local folder and were in the Administrators group and gave that folder Full Control, you could access that folder locally. Now in Vista/7/2008 it says “would you like to add yourself permanently to this folder?” and then you click proceed and it adds your account.

If you just have:

SYSTEM
Administrators

It padlocks the folder and does the question prompt.

However if you have one of the following:

SYSTEM
Administrators
[another group to which you are a member and have access to the folder with] OR
Authenticated Users group [with read or more] OR
CREATOR OWNER [but it will just re-add your user account if you leave CREATOR OWNER]

It doesn’t padlock the folder and acts as you’d expect.

Why does this work this way? This seems counter-intuitive to me.
It seems like it opens up a potential to confuse people and introduce security holes.
Is there a “best practice” and if so, what it is?

ANSWER :

What you’re missing is that thanks to UAC, the software you run most of the time doesn’t have the Administrators token applied. So if the only ACEs are for System and Administrators, you don’t have access unless you elevate.

Leave a Reply

Your email address will not be published.