Windows 10: NTFS Permissions Confusion

I clearly do not understand NTFS permissions. Can someone please help eliminate my confusion.

When I am signed in to RAVEN\Clayton (local, standard account) and I check Properties->Security on D:\Users\Clayton\Utilities, I find:





To me this indicates that SYSTEM, RAVEN\Administrators, and RAVEN\Clayton (Owner) have Full Control. Clicking Advanced and looking at Effective Access for RAVEN\Admin (local, administrators account):





To me this indicates RAVEN\Admin (a member of RAVEN\Administrators) has Full Control on D:\Users\Clayton\Utilities. All this makes sense to me.

However, if I sign in as RAVEN\Admin and click on D:\Users\Clayton, I find:





If I try to look at Properties on D:\Users\Clayton, I get:





I simply do not understand this. If RAVEN\Administrators has Full Control on D:\Users\Clayton and all its children, then why does RAVEN\Admin (a member of RAVEN\Administrators) get permission errors? Makes zero sense to me.

:)

 

Contact the Administrator to obtain permission.

Sounds like a Windows access rights issue. You are trying to save to a folder that belongs to the system or another Windows userid/account on the computer.

You will have to grant yourself access rights to the folder:

(optional) How to fix Access Rights problem
Sometimes the problem has been that Windows has had problems granting the right access to files, folders and the registry. The following tips provide some workarounds.

As you go from XP to Vista to Win7 certain operations require higher access rights to perform. These access rights are “higher” than even those granted to the Administrator ID by default. These “elevated” rights are accessed by way of the UAC confirmation
dialog which is invoked when you select to “Run As Administrator”.

In theory, any one of the following tips should work. The process is: run one of the fixes, run each affected Office app, reboot TWICE (sorry, I don’t know why, but there appears to be some “Voodoo” at play here. We do it because it works!)
TWICE (sorry, I don’t know why, but there appears to be some “Voodoo” at play here. We do it because it works!), try the office apps again to confirm the fix worked.

Add Take Owner to Win 10 Context menu
Add Take Ownership to Context Menu in Windows 10

How to take ownership and get full access to files and folders in Windows 10

Take ownership of files and get full access in Windows 10

(optional) NTFS Permissions Reporter (free tool) – What are the NTFS permissions?

FREE: NTFS Permissions Reporter - What are the NTFS permissions?

This is a good tool for reporting on file access rights

Access Rights FYI: How to Understand Those Confusing Win7 File / Share Permissions

How to Understand Those Confusing Windows 7 File/Share Permissions

FYI: One person had to fix access rights to their own userid %TEMP% folder.

 

Windows 10, Which File Permissions to protect Photos

Before setting permissions, it is necessary to know what the permissions do.

I have found a good starting link by searching for 'NTFS Permissions' which leads to several links explaining what each permission specifies.

Really good link is NTFS Permissions

 

How exactly are you logged in as admin?
Anyways do the same steps but through an elevated command prompt? same errors?

I personally only studied this part very briefly and it was boring that i didn't pay too much attention to it. If I need to I will review my notes to look into it further but hopefully someone more knowledge will help you out *Smile

 

Your screen shots the permission is set on a sub folder in your user folder. That doesn't mean those same permissions are on the root folder. However, with UAC active an administrator account doesn't have administrative power until they invoke that action with a UAC prompt.

 

This Admin account, is it one that you made yourself? Because on my Windows 10 system, there is no account Admin.
And if you made this account, check if it is a member of the Administrators group.

Administrators is a group account. Any user account that is recognized as an administrator, gets its permissions set by this group policy, but only when the account has been elevated to use administrator rights. "Run as Administrator" is one of those things that elevates your account. Every other user, even users that are recognized as administrators, are logged in as normal users. Administrator rights can only be given when you run things as an administrator.

 

Actually this makes a great deal of sense.

With UAC enabled (the default condition with Vista and later) an admin level account does not always have full admin rights. Normally it has only the rights of a standard account which are more limited. That is why you are receiving the error message. Only on request do you have full admin rights.

This is a security measure. For security reasons it is best to be logged in with a standard account use and use an admin account only when needed. If while using an admin level account and you accidentally run malicious code (very difficult to fully avoid) that code will have your rights and be able to do pretty much anything it wants. That is bad. But if you are using a standard account that malicious code will have very limited scope. That is good.

UAC is just a more convenient way to run with a standard account for normal use with full admin rights only when needed.

Edit: Any modern operating system is a lot more complicated than is at first apparent. At first there will be things that seem to make no sense. But when you understand why it all makes sense. Unfortunately reaching that level of understanding is often difficult. That is a price of modern technology.

 

OK, let me try to clarify. I may be fooling myself, but I believe I understand the difference between the Built-In Administrator account and an account belonging to the Administrators group. An Administrators account IS NOT the Administrator account. An Administrators account can elevate via UAC (Run as administrator) to gain the Administrator account security token.

I am beginning to wonder if this issue is specific to File Explorer (explorer.exe). Signed in as raven\admin, I can open an administrator command prompt and can read C:\Users\Clayton and any of its children:





However, even using runas to ensure that File Explorer has an elevated security token, when I try to access C:\Users\Clayton I still get an error:





Does this mean that File Explorer simply can not be run with an elevated security token and that permissions must be managed from an administrator command prompt only?

 

Well, yes. If "Clayton" wants access to that directory (through file explorer) s/he must click on "Continue" to use the Administrator rights to access it and in doing so change the access rights.

Alternatively you could right click on the folder and change the permissions (and/or owner) directly or (as you have seen) use a command prompt running under Admin which bypasses the whole thing.

 

The explorer.exe process isn't just used for Windows Explorer. It starts when the user logs in and is always running controlling user interaction with the desktop and more. With default configuration using the runas command to run explorer.exe simply opens a new explorer window with the same explorer.exe process with the same privileges as before. Folder properties must appropriately configured to get a new explorer.exe process with each explorer window.

I don't believe that the explorer.exe process can be run as an elevated process without specific configuration changes, which I know nothing about. That is unless you are running with the administrator account or UAC is fully disabled.

 

Many thanks for the helpful responses. Clearly what I did not understand is illustrated as follows.

From a Command Prompt:
Code: C:\Users\Admin>whoami /user /groups /fo list USER INFORMATION ---------------- User Name: raven\admin SID: S-1-5-21-1822855413-3360690379-114833963-1001 GROUP INFORMATION ----------------- ... Group Name: BUILTIN\Administrators Type: Alias SID: S-1-5-32-544 Attributes: Group used for deny only ... C:\Users\Admin>[/quote] From an Administrator Command Prompt:
Code: C:\Users\Admin>whoami /user /groups /fo list USER INFORMATION ---------------- User Name: raven\admin SID: S-1-5-21-1822855413-3360690379-114833963-1001 GROUP INFORMATION ----------------- ... Group Name: BUILTIN\Administrators Type: Alias SID: S-1-5-32-544 Attributes: Mandatory group, Enabled by default, Enabled group, Group owner ... C:\Windows\system32>[/quote] Guess all those years working in unix put me in the wrong paradigm. Did not realize that you can be a member of group, but not possess the rights of that group without UAC elevation. Now I understand that an Administrators account logon generates two security tokens: an administrative token (AT) and a standard user token (SUT), which is stripped of any administrative powers.

 

It works in the same way as Sudo on Linux systems (In theory lets not get into semantic debates). It takes away administrative power until you invoke it with "sudo". UAC is in the same light, it keeps the administrative accounts with limited power until needed. The last thing you want is your browser to have administrative power.