Administators group confusion

  • Thread starter Thread starter PMcG
  • Start date Start date
P

PMcG

Hello,
I'm currently trying to save a powershell global profile on a Vista SP1
machine and getting a failure, I would appreciate anybody's help with
understanding this failure

Some background
I have a domain account that is a member of a domain local group who in turn
is a member of the local administrators role on the machine. I would expect
this to allow me to act with full
administrative privileges on the box. I verified that I can add a local user
and this was successful.

When attempting to save the global powershell shell profile @
C:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1
using notepad I get the following error
"Cannot create the
C:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1
file. Make sure that the path and file name are correct."

I then tried to use sysinternals handle utility to see if I could view
information on the file access failure but I get "Initialization error: Make
sure that you are an administrator."

I have spent some time searching on the web without any success.



Thanks in advance
Pat
 
Hey Pat,

This could be a case of UAC kicking in. Regardless of whether you are an
administrator (local) or not, UAC will in essense take away your admin
rights and offer you the chance to use them where required. The problem is
that these propmpts happen for known operations such as starting MMC.EXE.

If you are failing to access a path, it may be down to the fact that
notepad.exe just doesn't have admin rights because they're been taken off
you..

Try right-clicking on notepad and use the run as administrator option, or if
you wish, disable UAC (within user accounts in control panel).

Personally I like UAC but you may want to disable it it you are doing admin
tasks all the time.

Let me know if this doesn't help...

Regards,
Jon

http://www.insidetheregistry.com
 
Jon,
Thanks for the reply, your suggestion to explicitly start notepad as the
admin user works. Just adding some more information just in case somebody
else has similar issues.

I normally run as a non admin user on the machine and only escalate to the
admin user when I need to. I keep a seperate powershell shell running as this
admin user and run any admin commands using this instance, so to edit the
global profile i will run the following command "notepad
C:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1"
which fails as I indicated below when I try to save my changes.

As you indicated this notepad process needs some further escalation due to
UAC, so my only way to acheive this is to disable UAC ?
I too would prefer not to disable UAC which means i may face similar
situations, i tried using handle by right clicking and running as
administrator with success.

This probably means that my previous approach of running an admin shell will
not always work.


Thanks
Pat
 
PMcG said:
Jon,
Thanks for the reply, your suggestion to explicitly start notepad as the
admin user works. Just adding some more information just in case somebody
else has similar issues.

I normally run as a non admin user on the machine and only escalate to the
admin user when I need to.

Well, the same thing happens for user/admin with UAC enabled. The user/admin
has two access tokens assigned to it. One access token assigned is the admin
full rights token. The other access token assigned is the Standard user
token, which is the default assigned to user/admin. User/admin must be
escalated to use the full rights admin token, which is valid only at the
moment of escalation, and then the user/admin is returned to the Standard
rights token.

It's being talked about in the links as to what is happening with a
user/admin and Standard user on Vista with UAC enabled.

http://technet.microsoft.com/en-us/library/cc709691.aspx
http://news.softpedia.com/news/Admin-Approval-Mode-in-Windows-Vista-45312.shtml
http://technet.microsoft.com/en-us/magazine/cc138019.aspx
http://technet.microsoft.com/en-us/magazine/cc160882.aspx

I keep a seperate powershell shell running as this
admin user and run any admin commands using this instance, so to edit the
global profile i will run the following command "notepad
C:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1"
which fails as I indicated below when I try to save my changes.

So you take ownership of the file or folder with an user group account such
as Administrtors or a your indiviual user account with either one of them
having full control.

http://www.nirmaltv.com/2008/07/11/how-to-take-ownership-of-files-and-folders-in-vista/

Here is the kicker, C:\Program Files and C:\Windows are protected folder and
folders and files with in those folders are protected. You'll notice this
if you go to some to the folders and try to add a new account to the folder
to give permissions for the account, change permissions for an existing
account or delete an account off on the folders. You can't do it, even as
Admin. About the only thing you can do is take ownership

You can make a new folder and add user accounts, change, and delete user
accounts on that folder. I'll get to this a little later.
As you indicated this notepad process needs some further escalation due to
UAC, so my only way to acheive this is to disable UAC ?

No, you can leave UAC enabled and use this account, which has full rights at
all times, because its privileges are already escalated automatically, UAC
doesn't prompt that account, and it doesn't need Run as Administrator.

http://www.howtogeek.com/howto/wind...idden-administrator-account-on-windows-vista/

You can also get permissions set for user/admin to circumvent permission
conflict, because Vista, UAC and NTFS look at you being part of the
Administrator group and your individual user account permissions combined.
I too would prefer not to disable UAC which means i may face similar
situations, i tried using handle by right clicking and running as
administrator with success.

Here is a something you can do to see what is happening on permissions
conflict for user/admin on Vista.

1) Go to the Program Files and create a new directory call it *Test*. Vista
should allow you to create the directory even as you being Admin on the
machine.

2) Start Notepad enter some text and try to SaveAs with the file to Program
Files/Test. You should get permission denied. Yeah, you're getting it even
if the account you're using is your Admin account.

3) Come out of Notepad, forget the save, and cancel out of Notepad.

4) Go to the directory and to the Security tab for the directory and add a
new account to the security account list. It's going to be the User account
you login to the computer with as Admin. If you login with *PMcG* as
admin on the machine, then you're going to add *PMcG* as another account
the will have access to the directory.

5) You'll set *PMcG* to have Full Control just as Administrators has Full
Control of the folder.

6) Go back to step # 2 with Notepad and try to SaveAs the file to Program
Files\Test. You should be able to save the file.

Hopefully, you'll see the issue of account permissions conflict for the
user/admin on Vista.

On one hand, your account is in the Administrators group account. But on the
other hand, your account is part of the User group account. If your user
account *PMcG* is not on the folder with the same rights as as
Administrators, there is going to be a permissions conflict, because Vista
with UAC enabled is looking at the combined rights of those two accounts in
some situations.

What Vista defaults to is Users account group permissions on the directory
if it doesn't see your individual user account on the folder, and Users
doesn't have Full Control.

This is because on Vista with UAC enabled, a user/admin on Vista is not an
Admin with Full rights, like it is on XP or Win 2k.

So, if you add your user account to <c> with full rights, then it will show
as an account you can use to take ownership of folders or files.

BTW, built-in Administrator can't do anything on Program Files and
C:\Windows but allow you to take ownership. Also, even if disable UAC,
user/admin the one you get from Vista out of the box or any new user/admin
accounts will never have full admin rights, because those accounts don't
inherit full admin rights from the Administrator account, like it does on
XP.
 
Back
Top