Solved

Permissions on Windows 2012 Server

Posted on 2013-11-05
16
336 Views
Last Modified: 2013-11-07
I am a local admin.   I grabbed a file off a share on another box.  When I try to paste it ANYWHERE BUT my user folder, I get permission errors telling me I must be an admin to paste to the location.  I even changed the settings on the paste location to allow everyone full control but still get the error.

Interestingly, I get similar permission WARNINGS on my local Windows 8 box.  Meaning that I get warned that I must be an admin to paste the file or change the name of a file, etc, but I am still allowed to do it after clicking "continue"

Anyway, back to the 2012 server, what gives?
0
Comment
Question by:cat4larry
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 7
16 Comments
 
LVL 11

Expert Comment

by:Louis01
ID: 39626496
Are you logging on to the machine or a domain?
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39626552
Hi.

Sadly, UAC has been around for 7 years now and still people have the same problems understanding it. There are protected locations which you cannot write into without elevating.
Elevation is triggered by two factors here: the need to make use of your administrative powers to get past the ACL and the second is the same need but this time with integrity levels.

So if you modify the ACL and give your own account (and NOT the group administrators) modify-privileges to the folder, there is still the integrity level check that you can only go past after elevating. The IL can be modified using icacls.
0
 

Author Comment

by:cat4larry
ID: 39628524
I suppose I don't completely understand UAC although I find it very counter-intuitive.  If I'm an admin on the box, I log in locally and UAC is set to it's lowest setting I shouldn't encounter any problems move files around IMHO.

I'll look into elevating my IL.

Thanks
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 55

Accepted Solution

by:
McKnife earned 500 total points
ID: 39628545
The lowest setting is at the bootom, right? Or what do you call "lowest"? Because at the bottom means it is off. After turning it off AND doing a restart you should not encounter any folder restrictions. You really do, I mean, is it really off and restarted?
0
 

Author Comment

by:cat4larry
ID: 39628584
Ah, yes it is off but NO i have not rebooted the server.  Is there a service I can restart instead of rebooting the whole server?
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39628594
Sorry, no.
0
 

Author Comment

by:cat4larry
ID: 39628610
Thanks for your help.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39628619
Why did you close it, is the matter solved?
0
 

Author Comment

by:cat4larry
ID: 39628710
Yep
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39628737
Ok, please acknowledge that turning off UAC has side effects that might not be wanted. In fact, it is not only used for security concerns but also application compatibility.
And your original problem is not really one: protected areas are c:\windows, C:\ProgramData, c:\program files and the root of c:, that's all.
0
 

Author Comment

by:cat4larry
ID: 39629022
actually, I rebooted the server and still have the same issue.  So i'm going to have to look into elevating the IL and see what happens.

as you pointed out c: is a protected area. that said on my win 8 machine I cannot ftp a file down to the root of c:.  very frustrating.  I'm an admin and have UAC turned off.  again, this seems to me to be very counter-intuitive.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39629031
> again, this seems to me to be very counter-intuitive.
Well... c: is used by virii because it is a known path, that's why it is restricted, since Windows xp, only Admins may write there. You may (as any user) create Folders on c: and write to them as you like. That said, it should work with UAC off, works for me to create files directly on c: and will work with clean installations - I have no idea what is happening at your side.

Probably the UAC does not stay off for some reason? Please check that.
0
 

Author Comment

by:cat4larry
ID: 39630681
since Windows xp, only Admins may write there.
that's what I mean by counter-intuitive.  I am an Admin.  If I wasn't I wouldn't think it strange that I can't write there.  Like you said, I'll have to look into it.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39630803
Since the UAC technology is present, admin= user. elevated admin=admin.
0
 

Author Comment

by:cat4larry
ID: 39631688
Well, I read an article, did a little regedit hacking and was able to turn off UAC altogether.  

Apparently, starting in Windows 8 and Server 2012, when you slide the UAC slider to the bottom it still runs in what is called "UAC Silent Mode".

By going to HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\ and then changing "EnableLUA" to a value of 0, you can turn UAC completely off.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39631775
Right, but even using the slider (lowest level), I did succeed. I wonder why you didn't. Weird.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The following article is comprised of the pearls we have garnered deploying virtualization solutions since Virtual Server 2005 and subsequent 2008 RTM+ Hyper-V in standalone and clustered environments.
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
Viewers will learn how to use the SELECT statement in SQL and will be exposed to the many uses the SELECT statement has.

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question