Permission to access the profile of other users, redux.

John Ed 41 Reputation points

I have a question that is a followup from a post over a year ago: Permission to access the profile of other users The user profiles at C:\Users\NewUser by default will have permissions: Owner: Administrators group
Principals: SYSTEM - Full control
Administrators - Full control
NewUser - Full control
All child folders and files below have the Owner as NewUser with the same Principals and Access.

When you are logged on as an Administrator say NewAdmin (member of Administrators group) and attempt to open C:\Users\NewUser one gets the dialog: "You don't currently have permission to access this folder."

My Question is: Why doesn't NewAdmin already have access by virtue of being a member of the Adminstrators group? Also, if I hit Continue, NewAdmin user is permanently added to the list of Principals allowed Full Control. What is the logic for doing this?

Windows 10
Windows 10
A Microsoft operating system that runs on personal computers and tablets.
10,781 questions
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,779 questions
0 comments No comments
{count} votes

Accepted answer
  1. RLWA32 40,941 Reputation points

    When UAC is enabled a member of the Administrators group is logged on with a token that does not contain Administrator privileges. Unless and until elevation is requested for this user Windows will make its access control checks based on this token. That is why access to a different user's profile is initially denied. This is the mechanism that Windows uses to provide least privilege access to users that are members of the Administrators group by default and only provide elevated privileges when needed.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful