Re: For those of you who have disabled UAC while using user/admin, you don't have full admin rights -- <VBG>!

Zaphod Beeblebrox wrote:
"Paul Montgumdrop" <Paul@xxxxxxxxxxxxxxx> wrote in message news:%23zwmN$KJJHA.5656@xxxxxxxxxxxxxxxxxxxxxxx
Zaphod Beeblebrox wrote:
"Paul Montgumdrop" <Paul@xxxxxxxxxxxxxxx> wrote in message news:e9jVpmAJJHA.5900@xxxxxxxxxxxxxxxxxxxxxxx
Zaphod Beeblebrox wrote:
"Paul Montgumdrop" <Paul@xxxxxxxxxxxxxxx> wrote in message news:%2391CKh9IJHA.1556@xxxxxxxxxxxxxxxxxxxxxxx
Zaphod Beeblebrox wrote:
You explaine that to me. Why can't I do it as user/admin.
See above. In Vista, an admin user doesn't have permissions to do everything they did in previous verions of Windows, but still has the ability to take ownership and change permissions. You'll have to be a bit more specific for me to be able to comment further. Unless of course you already have, and don't want to repeat yourself.

The rest of what you have talked about before this about the block, I could care less about it.

And I have said all of this above there. And I am also saying that even if you take ownership in some situations, you're still going to get *access denied*.
Right, and then you set permisssions on the object (because as the owner of the object, you have the ability to do that), and all is well.

Because if it was the case as you indicate when someone takes ownership then the problems should be resolved. Sometimes that fixes it and sometimes that does not fix the problem, taking ownership, because I have seen the posts.
As I said, taking ownership by itself does not necessarily fix permissions problems. Often, you have to set the permissions after taking ownership of the object. I've never seen it fail when done that way, unless it wasn't done properly (and then, doing it properly fixes it).

Really, all one has to do is add a second user account on the folder or file and give full rights as like the Administrator group, which would be the User account of the user/admin that logs into the machine.

If *Beeblebrox* is the user-id that you login with as user/admin, then one adds an account named *Beeblebrox* with full rights to the file or folder, and then the problem is fixed. But that depends on if one can add *Beeblebrox* as a new user.

Because Vista is looking at one's user/admin accounts as an individual User and as the user/admin, and it also looks at the user/admin as being part of the Administrators group.
If the individual user account is not there, it defaults to Users group rights or neither one of the User or Users group matches the full rights of Administrators, then it is *access denied*.

And if one can't go to the Creator/Owner account and set permissions, because Vista is blocking the Vista user/admin account from setting any account permissions for any account on the folder or file at the graphical UI, then how is one to expect that what you're talking about is even going to work at the Command Prompt in some situations on some files or folders that are protected, like the Program Files and Windows?


I'm sorry, I've read this 4 or 5 times and still don't think I understand what it is you are trying to say. I've never mentioned the command prompt, so I don't even know where that came from, nor have I mentioned specific folders.
I can't help it if you don't understand. And I have been talking about certain folders all along, those posts you cannot read or maybe you refuse to read in the thread.

That's all I am going to say about this as time and time again recently I have given demonstrations as a test to even the most inexperienced user over there in the Security NG to help them understand what is happening.

I have been also explaining to a user as to why that batch file he was trying to use on a .NET Framework file in C:\Windows dealing GAC and assemblies was in a total lock-out state on taking ownership or setting any user account permissions, because C:\Windows itself is in a total locked out state with some pre-existing folders and files in that folder as Vista is protecting them and you CANNOT change it period.

The bottom line is, if you actually _understand_ what is happening in Vista with respect to folder ownership and permissions, which it is clear you don't yet, it is simple to make whatever permissions changes you need as an administrator user even on protected folders your user and the administrators group don't have permissions to change. Step 1: Take ownership. Step 2: Assign permissions (making sure to set them for the group Administrators, if that is what you want, rather than a particular administrator user).

And this is not correct what you are talking about on certain folders, which is what I have been talking about all along (certain folders and files in those folder), because of the simple fact that user/admin is not a full rights admin account on Vista even with UAC enabled or disabled, period.

The only account that has those full rights is the hidden built in Administrator account, which has full rights at all times.

And if the UI screen for security has it set that the user admin cannot add, update, delete an user account or even change user account permissions for existing accounts, because the buttons do not become enabled on the screen nor does the Advanced button, then it is a total lock-out, for protected folders and they are static.

Oh, I do understand about folder permissions and how to work with them as a programmer for over 12 years with MS COM, COM+ using VB6, C++, VB.Net and C#.NET for Web and Windows Desktop and Windows services technology, etc, etc.

However, I've never seen the need to do what you are aparently talking about unless your goal is to undo some of the security barriers put in place by Vista. Perhaps I'm being thick - not unheard of, that's for sure.
I have seen the need to do what I am talking about, which is simply put my logged-in user account as user/admin to match the Administrator account on the folder or file for those unprotected folders or files, which gives me ownership when I do this, because of the account permission conflict between me being a User with user right permissions and with me being an admin in the Administrators group, and the user account conflict of permissions for those two accounts on a folder or file in a folder, as me being user/admin on Vista.

I cannot help it you have not seen the condition, and one being able to use a solution as to how to come around the condition of permission conflict between accounts.

I cannot help if you have not gone into the Programs File folder some poster has posted that he CANNOT do anything with the Windows Media Player folder, because as he discovered and I discovered that one cannot do anything on the folder as far as permissions or taking ownership of files within the folder.

I cannot help it if you have not tried to come around this condition by taking the WMP folder, coping the folder to a folder that one as created where one does have the rights to manipulate permissions on the WMP folder and add a new account that would have given one the access, only to have Vista strip that account off of the folder when it was copied back to the Programs Files folder.

I cannot help it if you have not seen it, and I cannot not help it if you cannot think outside the box in problem solving, nothing against you personally.


OK, EOT. We will just have to agree to disagree.


So be it, because I have just as much experience on the NT based O/S starting with NT 3.5 and up for someone to tell me their take on things, which I am in total disagreement with the assessment of the situation in some areas. One way is NOT the only way that can be used to do things or one can't do things, and Vista is a different bird on its openness to the user than any previous version of the NT based O/S platform.
.