#07/07/2010#

"UAC, File Permissions and Windows Explorer"

I had a rather interesting experience with User Account Control (UAC) on Windows Server 2008 while configuring file shares today during the rollout of Adur & Worthing CAB’s new IT infrastructure.

We were setting file permissions for the data store area, where advisers and staff would keep their files.  Naturally we didn’t want advisers having access to certain management folders, so we didn’t give them access.  We found, though, that Server 2008 had added ‘Authenticated Users’ to the default ACL on the drive containing all the data, so we removed it because otherwise it would give everyone access everywhere, which isn’t something we wanted.  Upon removing the Authenticated Users principal, I suddenly couldn’t access the drive!  Windows Explorer kept prompting me to force allow myself, which was rather curious because Administrators (of which I was a member) still had full rights…

Well, this kind of makes sense because Server 2008 includes User Account Control which, in a nutshell, provides every user application with a standard user security token, rather than an administrative token that can access everywhere and in particular authenticate within the administrators group.  OK, I thought, so let’s try running Explorer as an Administrator… no dice, Windows Explorer would still not let me into the data drive, but curiously an elevated command prompt would let me in and list files and security information.  Logging back into the server as the Administrator user was fine and I was able to access the drive that way and I was able to check that I should indeed have full access to the drive.

Then (about 3 hours later) it struck me.  Windows Explorer is a rather clever beast that tries its hardest to only run a single instance of itself, so a new instance of Explorer will notice that it’s already running and send a message to the original instance, which will show whatever folder you told it to.  Normally this is fine, but it means that the Windows Explorer you thought you were running as an administrator has just palmed off its responsibilities to an unelevated process.  This unelevated process still won’t authenticate under the Administrators group and so won’t let me access the drive I’ve just apparently messed up.

So to solve the issue, I ran an elevated command prompt, used task manager to kill the unelevated explorer.exe process acting as the shell and used the elevated command prompt to make a new explorer that would give me a nice new elevated shell. Hax or what?
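
As an added illustration (not part of the original post): a PowerShell check, run from an elevated prompt, that reports whether any Allow entry on a folder's ACL would still apply to the UAC-filtered token, in which the Administrators group cannot be used to grant access. The path `D:\` is a placeholder, and only BUILTIN\Administrators is modelled as filtered; other privileged groups may be filtered as well.

```powershell
# Added example, not from the original post. Run from an ELEVATED prompt so the
# ACL can be read even when the filtered token is locked out of the folder.
# 'D:\' is a placeholder for the data drive.
param([string]$Path = 'D:\')

$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$admins   = New-Object Security.Principal.SecurityIdentifier(
    [Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

# Is this process running with the full (elevated) token?
$elevated = (New-Object Security.Principal.WindowsPrincipal($identity)).IsInRole($admins)
"Current process elevated: $elevated"

# SIDs a filtered token can still use to match Allow ACEs: the user plus every
# enabled group except Administrators (deny-only in the filtered token).
# Assumption: only BUILTIN\Administrators is modelled as filtered here.
$usable = @{}
$usable[$identity.User.Value] = $true
foreach ($group in $identity.Groups) {
    if ($group.Value -ne $admins.Value) { $usable[$group.Value] = $true }
}

# Read the ACL with identities as SIDs, and keep only Allow ACEs that apply to
# the folder itself (inherit-only ACEs such as CREATOR OWNER do not count).
$sidType = [Security.Principal.SecurityIdentifier]
$inheritOnly = [Security.AccessControl.PropagationFlags]::InheritOnly
$rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)
$matching = @($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    -not ($_.PropagationFlags -band $inheritOnly) -and
    $usable.ContainsKey($_.IdentityReference.Value)
})

if ($matching.Count -eq 0) {
    "No Allow ACE on $Path applies to a UAC-filtered token."
    "Unelevated processes, including the Explorer shell, will be denied access."
} else {
    "A filtered token still matches these Allow ACEs on ${Path}:"
    $matching | Format-Table IdentityReference, FileSystemRights -AutoSize
}
```

Running it before and after changing the ACL shows whether removing an entry such as Authenticated Users leaves only principals that an unelevated process cannot use.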

I hate UAC with a passion; it’s entirely pointless and causes completely unintuitive bugs like the one I witnessed today.  I always recommend turning off UAC and just running as a standard user if you really feel the need to.  That way, when you’re logged on as an Administrative user, you’re actually an Administrative user, not a normal user with a clickable continue button.

In other news, development on Webflex and the new AIFHS website has been indefinitely postponed.
