Administrator accounts in 2008 (Vista/Win7/2k8R2) have two user tokens: a standard restricted user and the administrator. By default, file operations, scripts, programs, and whatever else by default run with the restricted user token. Some programs will be compiled to know that they need admin rights and will throw up an elevation prompt for you in the secure desktop whenever you run them. There are also some heuristics in Windows that will prompt to elevate things that it thinks it needs to (typically installers). Beyond that, if you are hitting something that won't work, right click on it and tell it to run as administrator, go to the properties of the shortcut/program and change the compatibility settings so it always prompts you for admin rights when run, or in the case of automated scripts have them run with the local system account so they will inherently have the permissions they need to access files.

The overarching goal of this is to push user files into the user profile where they belong. So if you have the option, write your files out there where they belong and you won't get hassled. If you're dealing with special cases, make sure the users group have modify rights to the location you are writing to.

As for turning off UAC, well... Don't. Windows' biggest security liabilities have traditionally come from their "everything is administrator" DOS-era mentality; a terrible idea. This is a shift to a more Linux-esque set of access restrictions to keep every single buffer overflow exploit from being able to potentially root your system and is a Very Good Thing. Turning off UAC also disables file system integrity levels, which IE's protected mode (sandboxing) relies on. The Least-privileged User Account framework is something you're going to need to learn to work with and conform to until you are ok with putting your system integrity and security at risk.

-----Original Message-----
From: Bill Wheeler [mailto:[log in to unmask]] 
Sent: Friday, September 24, 2010 12:15 PM
Subject: Windows 2008 file system (newbie-?)

Hi, all--
This is probably a newbie question: I haven't had a chance to really learn Windows 2008 yet.

I host some Windows 2003 file servers on which users sometimes share executable files along with their data files.  We're looking at moving to Windows 2008, but it seems that whenever a folder contains an executable file, some form of write-protection is applied to the folder, affecting administrators as well as users.  My "effective permissions" are 'Full Control', but when I try to overwrite a file in the folder I get "access is denied."  I've heard that this is a "feature" of Windows 2008, to prevent malicious overwriting of executable files.  Is there a way to get around this, or turn it off?  

Thanks!
--Bill.
----------------------
Bill Wheeler, Systems Administrator
Michigan State University Libraries
[log in to unmask]  (517)884-0882
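
The two-token behaviour described in the reply can be checked from a PowerShell prompt. This is an added example, not code from either poster: it reports whether the current process holds the restricted token or the elevated one, and at which integrity level it runs. The function name `Get-TokenSummary` and its output property names are assumptions made for this sketch.

```powershell
# Added example: summarise the UAC state of the current process token.
# Matching is done on well-known SIDs, which do not vary with display language.

$AdminsSid = 'S-1-5-32-544'              # BUILTIN\Administrators
$IntegrityLevels = @{
    'S-1-16-4096'  = 'Low'
    'S-1-16-8192'  = 'Medium'            # restricted (non-elevated) token
    'S-1-16-12288' = 'High'              # elevated administrator token
    'S-1-16-16384' = 'System'            # local system account
}

function Get-TokenSummary {
    # whoami /groups /fo csv /nh emits: "Group Name","Type","SID","Attributes"
    $groups = whoami.exe /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes

    # The mandatory label entry carries the integrity level of the token.
    $label = $groups |
        Where-Object { $IntegrityLevels.ContainsKey($_.Sid) } |
        Select-Object -First 1
    $level = 'Unknown'
    if ($label) { $level = $IntegrityLevels[$label.Sid] }

    # Administrators is listed in both tokens, but in the restricted token
    # it is deny-only, so IsInRole() returns False until the process elevates.
    $adminsListed = [bool]($groups | Where-Object { $_.Sid -eq $AdminsSid })
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminsEnabled = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    New-Object PSObject -Property @{
        User            = $identity.Name
        IntegrityLevel  = $level
        AdminsInToken   = $adminsListed
        AdminsEnabled   = $adminsEnabled
        RestrictedToken = ($adminsListed -and -not $adminsEnabled)
    }
}

Get-TokenSummary | Format-List
```

Run it once from a normal prompt and once from a prompt started with "Run as administrator": `RestrictedToken` being `True` in the first case is consistent with an administrator account showing Full Control as its effective permission and still receiving "access is denied".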