Re: For those of you who have disabled UAC while using user/admin, you don't have full admin rights -- <VBG>!


"Paul Montgumdrop" <Paul@xxxxxxxxxxxxxxx> wrote in message
news:%23zwmN$KJJHA.5656@xxxxxxxxxxxxxxxxxxxxxxx
Zaphod Beeblebrox wrote:
"Paul Montgumdrop" <Paul@xxxxxxxxxxxxxxx> wrote in message
news:e9jVpmAJJHA.5900@xxxxxxxxxxxxxxxxxxxxxxx
Zaphod Beeblebrox wrote:
"Paul Montgumdrop" <Paul@xxxxxxxxxxxxxxx> wrote in message
news:%2391CKh9IJHA.1556@xxxxxxxxxxxxxxxxxxxxxxx
Zaphod Beeblebrox wrote:
You explaine that to me. Why can't I do it as user/admin.
See above. In Vista, an admin user doesn't have permissions to
do everything they did in previous verions of Windows, but still
has the ability to take ownership and change permissions. You'll
have to be a bit more specific for me to be able to comment
further. Unless of course you already have, and don't want to
repeat yourself.

The rest of what you have talked about before this about the
block, I could care less about it.

And I have said all of this above there. And I am also saying that
even if you take ownership in some situations, you're still going
to get *access denied*.
Right, and then you set permisssions on the object (because as the
owner of the object, you have the ability to do that), and all is
well.

Because if it was the case as you indicate when someone takes
ownership then the problems should be resolved. Sometimes that
fixes it and sometimes that does not fix the problem, taking
ownership, because I have seen the posts.
As I said, taking ownership by itself does not necessarily fix
permissions problems. Often, you have to set the permissions after
taking ownership of the object. I've never seen it fail when done
that way, unless it wasn't done properly (and then, doing it
properly fixes it).

Really, all one has to do is add a second user account on the folder
or file and give full rights as like the Administrator group, which
would be the User account of the user/admin that logs into the
machine.

If *Beeblebrox* is the user-id that you login with as user/admin,
then one adds an account named *Beeblebrox* with full rights to the
file or folder, and then the problem is fixed. But that depends on
if one can add *Beeblebrox* as a new user.

Because Vista is looking at one's user/admin accounts as an
individual User and as the user/admin, and it also looks at the
user/admin as being part of the Administrators group.

If the individual user account is not there, it defaults to Users
group rights or neither one of the User or Users group matches the
full rights of Administrators, then it is *access denied*.

And if one can't go to the Creator/Owner account and set
permissions, because Vista is blocking the Vista user/admin account
from setting any account permissions for any account on the folder
or file at the graphical UI, then how is one to expect that what
you're talking about is even going to work at the Command Prompt in
some situations on some files or folders that are protected, like
the Program Files and Windows?


I'm sorry, I've read this 4 or 5 times and still don't think I
understand what it is you are trying to say. I've never mentioned
the command prompt, so I don't even know where that came from, nor
have I mentioned specific folders.

I can't help it if you don't understand. And I have been talking about
certain folders all along, those posts you cannot read or maybe you
refuse to read in the thread.

That's all I am going to say about this as time and time again
recently I have given demonstrations as a test to even the most
inexperienced user over there in the Security NG to help them
understand what is happening.

I have been also explaining to a user as to why that batch file he was
trying to use on a .NET Framework file in C:\Windows dealing GAC and
assemblies was in a total lock-out state on taking ownership or
setting any user account permissions, because C:\Windows itself is in
a total locked out state with some pre-existing folders and files in
that folder as Vista is protecting them and you CANNOT change it
period.


The bottom line is, if you actually _understand_ what is happening in
Vista with respect to folder ownership and permissions, which it is
clear you don't yet, it is simple to make whatever permissions
changes you need as an administrator user even on protected folders
your user and the administrators group don't have permissions to
change. Step 1: Take ownership. Step 2: Assign permissions (making
sure to set them for the group Administrators, if that is what you
want, rather than a particular administrator user).


And this is not correct what you are talking about on certain folders,
which is what I have been talking about all along (certain folders and
files in those folder), because of the simple fact that user/admin is
not a full rights admin account on Vista even with UAC enabled or
disabled, period.

The only account that has those full rights is the hidden built in
Administrator account, which has full rights at all times.

And if the UI screen for security has it set that the user admin
cannot add, update, delete an user account or even change user account
permissions for existing accounts, because the buttons do not become
enabled on the screen nor does the Advanced button, then it is a total
lock-out, for protected folders and they are static.

Oh, I do understand about folder permissions and how to work with them
as a programmer for over 12 years with MS COM, COM+ using VB6, C++,
VB.Net and C#.NET for Web and Windows Desktop and Windows services
technology, etc, etc.

However, I've never seen the need to do what you are aparently
talking about unless your goal is to undo some of the security
barriers put in place by Vista. Perhaps I'm being thick - not
unheard of, that's for sure.

I have seen the need to do what I am talking about, which is simply
put my logged-in user account as user/admin to match the Administrator
account on the folder or file for those unprotected folders or files,
which gives me ownership when I do this, because of the account
permission conflict between me being a User with user right
permissions and with me being an admin in the Administrators group,
and the user account conflict of permissions for those two accounts on
a folder or file in a folder, as me being user/admin on Vista.

I cannot help it you have not seen the condition, and one being able
to use a solution as to how to come around the condition of permission
conflict between accounts.

I cannot help if you have not gone into the Programs File folder some
poster has posted that he CANNOT do anything with the Windows Media
Player folder, because as he discovered and I discovered that one
cannot do anything on the folder as far as permissions or taking
ownership of files within the folder.

I cannot help it if you have not tried to come around this condition
by taking the WMP folder, coping the folder to a folder that one as
created where one does have the rights to manipulate permissions on
the WMP folder and add a new account that would have given one the
access, only to have Vista strip that account off of the folder when
it was copied back to the Programs Files folder.

I cannot help it if you have not seen it, and I cannot not help it if
you cannot think outside the box in problem solving, nothing against
you personally.


OK, EOT. We will just have to agree to disagree.

--
Zaphod

Arthur: All my life I've had this strange feeling that there's something
big and sinister going on in the world.
Slartibartfast: No, that's perfectly normal paranoia. Everyone in the
universe gets that.


.