Sunday, 28 April 2019

windows 10 - File permissions "Administrators: Full Control". Why isn't it always sufficient?

Consider the following situation.


Let's say I have two interactive local user accounts registered on my machine: Admin (member of Administrators group) and Alice (member of Users group). Let's say on my hard drive I have a folder Test with the following security settings:


Owner : Alice
Permissions:
System : Full Control
Administrators: Full Control
Alice : Full Control

Now, if I log in under Admin account and attempt to open the folder Test, Windows will initially refuse to do so. It will display a message box saying


"You don't currently have permissions to access this folder"

My first question is: why? I'm logged in as Admin - a member of Administrators group - and therefore I'm supposed to have full control of the folder. Why does Windows say that I don't currently have permissions?


Now, the aforementioned message box will also offer me the opportunity to "Click Continue to permanently get access to this folder". If I click "Continue", I'll be allowed to open folder Test. And, as a consequence of that, the security settings of Test will change to


Owner : Alice
Permissions:
System : Full Control
Administrators: Full Control
Alice : Full Control
Admin : Full Control

As you can see, Windows automatically added an extra entry Admin: Full Control to the list. After that I will be able to access Test without any restrictions. However, the above set of security permissions seems to be redundant to me. It already included Administrators: Full Control entry from the very beginning. Why wasn't that sufficient?


So, my second question is: why would Windows need an extra Admin: Full Control entry to finally give Admin that "full control".


What is the formal logic behind this behavior?




Some clarifications


Note, this question is not about my Admin account not being "all-powerful Administrator that can do whatever he wants". I don't expect my Admin account to be all-powerful at all. In fact, at the most basic level I don't care about any special rights of my Admin account. It is just some account that belongs to some group.


My question is about file system access rights granted through group membership.


Consider another example. Let's say I created some random user group called Ugly Ducklings. And I added regular users Alice and Bob to the Ugly Ducklings group.


Then I create folder DucklingTest with the following permissions


Owner : Alice
Permissions:
Ugly Ducklings : Full Control

Now, if I log in as Bob I will indeed have full control over DucklingTest folder (!).


Why?


Is my Bob an all-powerful administrator? No. Is my Bob privileged in any way? No. Do I have to "elevate" Bob somehow, to perform access to DucklingTest? No.


So, why does Bob have full control over DucklingTest folder?


Easy. Bob has full control over DucklingTest folder because Bob is a member of Ugly Ducklings group and Ugly Ducklings group has been granted full control permissions over DucklingTest. End of story.


How come the same logic does not apply to Admin and Administrators? Admin is a member of Administrators group and Administrators group has been granted full control permissions over Test folder. What's missing here? What kind of extra "control" Windows is trying to enforce in this case by imposing what looks like extra restrictions on members of Administrators group?

No comments:

Post a Comment

How can I VLOOKUP in multiple Excel documents?

I am trying to VLOOKUP reference data with around 400 seperate Excel files. Is it possible to do this in a quick way rather than doing it m...