In earlier versions of Windows, if you had files or folders with NTFS permissions assigned to the “Administrators” group (i.e., “Administrators” are allowed to edit the files but other users are not), they applied to all users in the Administrators group like you would expect. In Windows Vista and Windows 7 (with UAC enabled), a process must be elevated and be running as a user in the Administrators group to be given these permissions. This is fine when you’re dealing with stuff on your local machine… when you try to do something with a file that you need administrative permission to do, Windows just prompts you to elevate, and you may get a UAC prompt depending on your system settings.
But if you are dealing with stuff on a different machine, perhaps by Windows file sharing, there’s no way to elevate yourself. So, if you are trying to access a shared folder that only “Administrators” are allowed to access, even if you are a member of the “Administrators” group, you will not be able to access it.
The fix for this is to disable remote UAC processing. With this disabled, users in the “Administrators” group will be able to do what they have permission to do without elevating, if they are accessing the machine over the network. To do this, create the following DWORD registry value (if it does not exist already):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
Set the value data to 0 to disable remote UAC processing and to 1 to enable it.
The reason I wanted to disable remote UAC processing is so that I can access the contents of local backups created by Windows Backup on Windows 7 remotely. Windows automatically restricts access to the backup folder it creates to the “Administrators” group. Even if you change the permissions, they will be reset next time the backup runs. But I imagine that there are a number of situations where this would be helpful.
For more information, see this MSDN article.
Tags: Windows 7, Windows Vista