PMcG said:
Jon,
Thanks for the reply, your suggestion to explicitly start notepad as the
admin user works. Just adding some more information just in case somebody
else has similar issues.
I normally run as a non admin user on the machine and only escalate to the
admin user when I need to.
Well, the same thing happens for user/admin with UAC enabled. The user/admin
has two access tokens assigned to it. One access token assigned is the admin
full rights token. The other access token assigned is the Standard user
token, which is the default assigned to user/admin. User/admin must be
escalated to use the full rights admin token, which is valid only at the
moment of escalation, and then the user/admin is returned to the Standard
rights token.
It's being talked about in the links as to what is happening with a
user/admin and Standard user on Vista with UAC enabled.
http://technet.microsoft.com/en-us/library/cc709691.aspx
http://news.softpedia.com/news/Admin-Approval-Mode-in-Windows-Vista-45312.shtml
http://technet.microsoft.com/en-us/magazine/cc138019.aspx
http://technet.microsoft.com/en-us/magazine/cc160882.aspx
I keep a separate powershell shell running as this
admin user and run any admin commands using this instance, so to edit the
global profile I will run the following command "notepad
C:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1"
which fails as I indicated below when I try to save my changes.
So you take ownership of the file or folder with a user group account such
as Administrators or your individual user account with either one of them
having full control.
http://www.nirmaltv.com/2008/07/11/how-to-take-ownership-of-files-and-folders-in-vista/
Here is the kicker, C:\Program Files and C:\Windows are protected folders, and
folders and files within those folders are protected. You'll notice this
if you go to some of the folders and try to add a new account to the folder
to give permissions for the account, change permissions for an existing
account or delete an account off of the folders. You can't do it, even as
Admin. About the only thing you can do is take ownership.
You can make a new folder and add user accounts, change, and delete user
accounts on that folder. I'll get to this a little later.
As you indicated this notepad process needs some further escalation due to
UAC, so my only way to achieve this is to disable UAC?
No, you can leave UAC enabled and use this account, which has full rights at
all times, because its privileges are already escalated automatically, UAC
doesn't prompt that account, and it doesn't need Run as Administrator.
http://www.howtogeek.com/howto/wind...idden-administrator-account-on-windows-vista/
You can also get permissions set for user/admin to circumvent permission
conflict, because Vista, UAC and NTFS look at you being part of the
Administrator group and your individual user account permissions combined.
I too would prefer not to disable UAC which means I may face similar
situations, I tried using handle by right clicking and running as
administrator with success.
Here is something you can do to see what is happening on permissions
conflict for user/admin on Vista.
1) Go to the Program Files and create a new directory call it *Test*. Vista
should allow you to create the directory even as you being Admin on the
machine.
2) Start Notepad enter some text and try to SaveAs with the file to Program
Files/Test. You should get permission denied. Yeah, you're getting it even
if the account you're using is your Admin account.
3) Come out of Notepad, forget the save, and cancel out of Notepad.
4) Go to the directory and to the Security tab for the directory and add a
new account to the security account list. It's going to be the User account
you login to the computer with as Admin. If you login with *PMcG* as
admin on the machine, then you're going to add *PMcG* as another account
that will have access to the directory.
5) You'll set *PMcG* to have Full Control just as Administrators has Full
Control of the folder.
6) Go back to step # 2 with Notepad and try to SaveAs the file to Program
Files\Test. You should be able to save the file.
Hopefully, you'll see the issue of account permissions conflict for the
user/admin on Vista.
On one hand, your account is in the Administrators group account. But on the
other hand, your account is part of the User group account. If your user
account *PMcG* is not on the folder with the same rights as
Administrators, there is going to be a permissions conflict, because Vista
with UAC enabled is looking at the combined rights of those two accounts in
some situations.
What Vista defaults to is Users account group permissions on the directory
if it doesn't see your individual user account on the folder, and Users
doesn't have Full Control.
This is because on Vista with UAC enabled, a user/admin on Vista is not an
Admin with Full rights, like it is on XP or Win 2k.
So, if you add your user account to <c> with full rights, then it will show
as an account you can use to take ownership of folders or files.
BTW, built-in Administrator can't do anything on Program Files and
C:\Windows but allow you to take ownership. Also, even if you disable UAC,
user/admin the one you get from Vista out of the box or any new user/admin
accounts will never have full admin rights, because those accounts don't
inherit full admin rights from the Administrator account, like it does on
XP.
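
A read-only way to inspect the token and the folder permissions discussed in this thread, added here as an example and not part of the original posts. The function names are hypothetical, and the `whoami` column names and attribute text assume an English-language Windows.

```powershell
# Added example (not from the thread). Function names are illustrative.

function Get-TokenSummary {
    # Identity of the token this PowerShell process is running under.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    # whoami lists every group SID in the token together with its attributes.
    # S-1-5-32-544 is BUILTIN\Administrators; in the standard (filtered) token
    # its attribute text reads "Group used for deny only".
    $adminGroup = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -eq 'S-1-5-32-544' }

    $state = 'not in token'
    if ($adminGroup) { $state = $adminGroup.Attributes }

    New-Object PSObject -Property @{
        User            = $id.Name
        # False when an administrator account runs without elevation.
        AdminRoleActive = $principal.IsInRole($adminRole)
        AdminGroupState = $state
    }
}

function Get-FolderAccess {
    param([string]$Path)
    # One row per access control entry: who, allow or deny, which rights,
    # and whether the entry is inherited from the parent folder.
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
}

Get-TokenSummary | Format-List

# The Test folder from the numbered steps above; skipped if it does not exist.
$test = Join-Path $env:ProgramFiles 'Test'
if (Test-Path $test) {
    Get-FolderAccess $test | Format-Table -AutoSize
}
```

Running it once from a normal prompt and once from a prompt started with Run as Administrator shows the difference between the two tokens for the same account.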