I have a question that is a followup from a post over a year ago: Permission to access the profile of other users The user profiles at C:\Users\NewUser by default will have permissions: Owner: Administrators group Principals: SYSTEM - Full control Administrators - Full control NewUser - Full control All child folders and files below have the Owner as NewUser with the same Principals and Access. When you are logged on as an Administrator say NewAdmin (member of Administrators group) and attempt to open C:\Users\NewUser one gets the dialog: "You don't currently have permission to access this folder." My Question is: Why doesn't NewAdmin already have access by virtue of being a member of the Adminstrators group? Also, if I hit Continue, NewAdmin user is permanently added to the list of Principals allowed Full Control. What is the logic for doing this?

When UAC is enabled a member of the Administrators group is logged on with a token that does not contain Administrator privileges. Unless and until elevation is requested for this user Windows will make its access control checks based on this token. That is why access to a different user's profile is initially denied. This is the mechanism that Windows uses to provide least privilege access to users that are members of the Administrators group by default and only provide elevated privileges when needed.

Permission to access the profile of other users, redux.

Accepted answer

RLWA32 43,381 Reputation points

2023-04-07T19:52:27.74+00:00

When UAC is enabled a member of the Administrators group is logged on with a token that does not contain Administrator privileges. Unless and until elevation is requested for this user Windows will make its access control checks based on this token. That is why access to a different user's profile is initially denied. This is the mechanism that Windows uses to provide least privilege access to users that are members of the Administrators group by default and only provide elevated privileges when needed.
Please sign in to rate this answer.

1 person found this answer helpful.
John Ed 41 Reputation points

2023-04-07T20:48:32.33+00:00

Thank you! That helps me understand. Do you have an explanation about the second behavior? Once the member of the administrators group has been elevated and has administrator privileges, Why does Windows add the user permanently to the list of Principals? That seems to violate the principle of "elevated privileges when needed." Once I've performed the task, and log out, those elevated privileges should end. Am I correct that the elevating token will be invalid once the NewAdmin user logs off? But the NewAdmin as a Principle with Full Control will remain.

John Ed 41 Reputation points

2023-04-07T21:07:07.07+00:00

Comment posted in error..

RLWA32 43,381 Reputation points

2023-04-07T22:26:43.0766667+00:00

Why does Windows add the user permanently to the list of Principals?

Remember, the token for the NewAdmin account is a Standard User without Administrator privileges when access to a different user's profile is attempted. When you click "Continue" Windows adds the NewAdmin account and permissions to the discretionary access control list of the folder's security descriptor because its treating NewAdmin as a Standard User.
Yes, the changes that Windows makes to the security descriptor are persistent unless you subsequently change them. However, the permissions which give NewAdmin access to the other user's profile folders in the file system are not the same as elevated privileges in a user's token when running as an Administrator. File Explorer does not run as an elevated process. Since NewAdmin is a member of the Administrators group File Explorer can temporarily self-elevate in order to make the requested change. If a Standard User was logged on and the same thing was attempted then upon clicking "Continue" UAC would prompt for an Administrator's credentials. An important point to remember is that when you click "Continue" the access control change will be propagated throughout the folder tree which may not be what you really want. If NewAdmin wants to temporarily access a different user's profile folders it can start a copy of notepad as Administrator. This elevated notepad process can use notepad's File | Open dialog to browse the file system, including the other user's profile folders.

John Ed 41 Reputation points

2023-04-11T20:59:52.23+00:00

Thank you very much for that excellent explanation! That adds to my understanding of Windows security. Yes, having the Access Control change propagated down the tree is usually what I don't want in that situation. Thanks for the method that can avoid that!
Sign in to comment

Share via

Permission to access the profile of other users, redux.

0 additional answers