Solved

Permissions on Windows 2012 Server

Posted on 2013-11-05
16
328 Views
Last Modified: 2013-11-07
I am a local admin.   I grabbed a file off a share on another box.  When I try to paste it ANYWHERE BUT my user folder, I get permission errors telling me I must be an admin to paste to the location.  I even changed the settings on the paste location to allow everyone full control but still get the error.

Interestingly, I get similar permission WARNINGS on my local Windows 8 box.  Meaning that I get warned that I must be an admin to paste the file or change the name of a file, etc, but I am still allowed to do it after clicking "continue"

Anyway, back to the 2012 server, what gives?
0
Comment
Question by:cat4larry
  • 8
  • 7
16 Comments
 
LVL 11

Expert Comment

by:Louis01
ID: 39626496
Are you logging on to the machine or a domain?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39626552
Hi.

Sadly, UAC has been around for 7 years now and still people have the same problems understanding it. There are protected locations which you cannot write into without elevating.
Elevation is triggered by two factors here: the need to make use of your administrative powers to get past the ACL and the second is the same need but this time with integrity levels.

So if you modify the ACL and give your own account (and NOT the group administrators) modify-privileges to the folder, there is still the integrity level check that you can only go past after elevating. The IL can be modified using icacls.
0
 

Author Comment

by:cat4larry
ID: 39628524
I suppose I don't completely understand UAC although I find it very counter-intuitive.  If I'm an admin on the box, I log in locally and UAC is set to it's lowest setting I shouldn't encounter any problems move files around IMHO.

I'll look into elevating my IL.

Thanks
0
 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
ID: 39628545
The lowest setting is at the bootom, right? Or what do you call "lowest"? Because at the bottom means it is off. After turning it off AND doing a restart you should not encounter any folder restrictions. You really do, I mean, is it really off and restarted?
0
 

Author Comment

by:cat4larry
ID: 39628584
Ah, yes it is off but NO i have not rebooted the server.  Is there a service I can restart instead of rebooting the whole server?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39628594
Sorry, no.
0
 

Author Comment

by:cat4larry
ID: 39628610
Thanks for your help.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39628619
Why did you close it, is the matter solved?
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 

Author Comment

by:cat4larry
ID: 39628710
Yep
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39628737
Ok, please acknowledge that turning off UAC has side effects that might not be wanted. In fact, it is not only used for security concerns but also application compatibility.
And your original problem is not really one: protected areas are c:\windows, C:\ProgramData, c:\program files and the root of c:, that's all.
0
 

Author Comment

by:cat4larry
ID: 39629022
actually, I rebooted the server and still have the same issue.  So i'm going to have to look into elevating the IL and see what happens.

as you pointed out c: is a protected area. that said on my win 8 machine I cannot ftp a file down to the root of c:.  very frustrating.  I'm an admin and have UAC turned off.  again, this seems to me to be very counter-intuitive.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39629031
> again, this seems to me to be very counter-intuitive.
Well... c: is used by virii because it is a known path, that's why it is restricted, since Windows xp, only Admins may write there. You may (as any user) create Folders on c: and write to them as you like. That said, it should work with UAC off, works for me to create files directly on c: and will work with clean installations - I have no idea what is happening at your side.

Probably the UAC does not stay off for some reason? Please check that.
0
 

Author Comment

by:cat4larry
ID: 39630681
since Windows xp, only Admins may write there.
that's what I mean by counter-intuitive.  I am an Admin.  If I wasn't I wouldn't think it strange that I can't write there.  Like you said, I'll have to look into it.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39630803
Since the UAC technology is present, admin= user. elevated admin=admin.
0
 

Author Comment

by:cat4larry
ID: 39631688
Well, I read an article, did a little regedit hacking and was able to turn off UAC altogether.  

Apparently, starting in Windows 8 and Server 2012, when you slide the UAC slider to the bottom it still runs in what is called "UAC Silent Mode".

By going to HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\ and then changing "EnableLUA" to a value of 0, you can turn UAC completely off.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39631775
Right, but even using the slider (lowest level), I did succeed. I wonder why you didn't. Weird.
0

Featured Post

Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

Join & Write a Comment

When you start your Windows 10 PC and got an "Operating system not found" error or just saw  "Auto repair for startup". After a while, you have entered a loop for Auto repair which does not fix anything and you will be in a  panic as all your work w…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now