SOLVED

NTFS confusion: basic permissions not working

%3CLINGO-SUB%20id%3D%22lingo-sub-1521902%22%20slang%3D%22en-US%22%3ENTFS%20confusion%3A%20basic%20permissions%20not%20working%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1521902%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20all.%26nbsp%3B%20This%20is%20a%20bit%20of%20a%20redundant%20post%20but%20I%20have%20new%20info%2C%20and%20also%20realized%20the%20Win%2010%20security%20forum%20doesn't%20have%20a%20lot%20of%20visibility%20so%20here%20goes%20in%20the%20main%20forum%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EA%20new%20Win%2010%20Pro%20machine%2C%20not%20much%20done%20with%20it%20yet%20except%20to%20create%20a%20handful%20of%20users%20and%20one%20test%20folder.%26nbsp%3B%20I%20intend%20to%20set%20this%20machine%20as%20a%20file%20share%20server%20for%206%20people.%26nbsp%3B%20I've%20found%20that%20if%20I%20edit%20folder%20permissions%20such%20that%20only%20SYSTEM%20and%20the%20Administrators%20group%20have%20any%20access%20(that%20is%2C%20created%20a%20new%20folder%20and%20removed%20Users%20and%20Authenticated%20Users%20groups%20entirely)%2C%20I%20cannot%20get%20into%20this%20folder%20without%20being%20prompted%20with%20the%20Continue%2FCancel%20dialog%20box%20saying%20I%20don't%20have%20permissions%2C%20would%20I%20like%20to%20permanently%20add%20myself%20to%20have%20access.%26nbsp%3B%20Clicking%20Continue%20then%20explicitly%20puts%20my%20user%20(which%20is%20in%20the%20Administrators%20group)%20with%20Full%20Control%20on%20this%20folder.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20Disabled%20inheritance%20on%20this%20folder%2C%20as%20it%20is%20my%20intent%20to%20eventually%20have%20various%20subfolders%20that%20only%20certain%20users%20can%20access.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20I%20also%20really%20need%20to%20avoid%20situations%20where%20people%20have%20to%20be%20prompted%20to%20gain%20access%20to%20folders.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFurther%2C%20I%20will%20have%20a%20top-level%20folder%20for%20example%20that%20somebody%20can%20browse%20to%2C%20but%20only%20be%20able%20to%20access%20certain%20subfolders%20therein%2C%20and%20not%20have%20any%20ability%20to%20even%20view%20the%20contents%20of%20other%20subfolders%20inside.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20not%20an%20AD%20environment%2C%20so%20it's%20all%20basic%20shares%20stuff%2C%20though%20right%20now%20I%22m%20just%20testing%20locally%20so%20it's%20NTFS%20stuff%20for%20now%2C%20no%20Shares%20created%20yet.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20Server%202008%20R2%20I%20have%20no%20problems%20with%20this%2C%20I%20can%20remove%20Users%20and%20Authenticated%20Users%20from%20permissions%20on%20a%20folder%2C%20leaving%20only%20the%20Administrators%20group%20and%20the%20System%20user%2C%20and%20then%20just%20add%20one%20user%20to%20this%20folder%20giving%20them%20Modify%20and%20below%2C%20no%20issues.%26nbsp%3B%20But%20on%20Win%2010%2C%20it%20seems%20the%20only%20way%20to%20make%20this%20work%20is%20to%20also%20have%20another%20group%20ther%2C%20like%20Everyone%20or%20Authenticated%20Users.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBottom%20line%3A%26nbsp%3B%20why%20isn't%20just%20having%20my%20account%2C%20which%20is%20in%20the%20Administrators%20group)%20as%20the%20only%20group%20allowed%20to%20access%20the%20folder%2C%20not%20enough%20to%20let%20me%20access%20the%20folder%20without%20explicitly%20having%20to%20add%20my%20user%20account%20or%20one%20of%20the%20other%20groups%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20a%20real%20pain%20to%20type%20out%2C%20sorry%20for%20the%20wordiness.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1521980%22%20slang%3D%22en-US%22%3ERe%3A%20NTFS%20confusion%3A%20basic%20permissions%20not%20working%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1521980%22%20slang%3D%22en-US%22%3EI%20came%20across%20a%20forum%20post%20at%20superuser%20dot%20com.%20The%20poster%20nailed%20the%20question%20perfectly.%20The%20answers%2C%20I'm%20still%20reading%20through.%20They%20are%20god-awfully%20wordy%20and%20circular%20but%20I'm%20sort%20of%20getting%20the%20picture%20here%2C%20something%20along%20the%20lines%20of%3A%20simply%20being%20in%20the%20Administrators%20group%20does%20not%20make%20life%20easy.%20You%20have%20to%20be%20the%20Administrator%20user%20(disabled%20by%20default)%20to%20bypass%20all%20the%20hassles%20of%20UAC%20or%20whatever.%20I%20still%20don't%20have%20a%20solid%20understanding%20of%20this%2C%20but%2C%20at%20least%20it%20tells%20me%20my%20problems%20will%20just%20be%20restricted%20to%20me%2C%20the%20logged-in%20admin%20trying%20to%20set%20up%20these%20folders.%20The%20users%20themselves%20will%20experience%20things%20based%20on%20the%20permissions%20I%20set%2C%20same%20as%20has%20been%20the%20way%20for%20years%20in%20all%20versions%20of%20Windows%2C%20basically.%20I'll%20have%20to%20test%20this%20out%2C%20but%20my%20main%20concern%20is%20alleviated%2C%20that%20users%20willbe%20hassled%20about%20folder%20access%20constantly%2C%20despite%20being%20given%20permissions.%3CBR%20%2F%3E%3CBR%20%2F%3EI'm%20still%20keen%20to%20hear%20from%20anyone%20that%20can%20give%20insight%20on%20all%20this%20though.%20Here's%20the%20link%20I%20menbtioned%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fsuperuser.com%2Fquestions%2F1006655%2Ffile-permissions-administrators-full-control-why-isnt-it-always-sufficient%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsuperuser.com%2Fquestions%2F1006655%2Ffile-permissions-administrators-full-control-why-isnt-it-always-sufficient%3C%2FA%3E%3C%2FLINGO-BODY%3E
Highlighted
Contributor

Hi all.  This is a bit of a redundant post but I have new info, and also realized the Win 10 security forum doesn't have a lot of visibility so here goes in the main forum: 

 

A new Win 10 Pro machine, not much done with it yet except to create a handful of users and one test folder.  I intend to set this machine as a file share server for 6 people.  I've found that if I edit folder permissions such that only SYSTEM and the Administrators group have any access (that is, created a new folder and removed Users and Authenticated Users groups entirely), I cannot get into this folder without being prompted with the Continue/Cancel dialog box saying I don't have permissions, would I like to permanently add myself to have access.  Clicking Continue then explicitly puts my user (which is in the Administrators group) with Full Control on this folder.  

 

I have Disabled inheritance on this folder, as it is my intent to eventually have various subfolders that only certain users can access.  

 

But I also really need to avoid situations where people have to be prompted to gain access to folders.  

 

Further, I will have a top-level folder for example that somebody can browse to, but only be able to access certain subfolders therein, and not have any ability to even view the contents of other subfolders inside.  

 

This is not an AD environment, so it's all basic shares stuff, though right now I"m just testing locally so it's NTFS stuff for now, no Shares created yet.  

 

In Server 2008 R2 I have no problems with this, I can remove Users and Authenticated Users from permissions on a folder, leaving only the Administrators group and the System user, and then just add one user to this folder giving them Modify and below, no issues.  But on Win 10, it seems the only way to make this work is to also have another group ther, like Everyone or Authenticated Users.  

 

Bottom line:  why isn't just having my account, which is in the Administrators group) as the only group allowed to access the folder, not enough to let me access the folder without explicitly having to add my user account or one of the other groups? 

 

This is a real pain to type out, sorry for the wordiness.  

 

1 Reply
Highlighted
Best Response confirmed by ViProCon (Contributor)
Solution
I came across a forum post at superuser dot com. The poster nailed the question perfectly. The answers, I'm still reading through. They are god-awfully wordy and circular but I'm sort of getting the picture here, something along the lines of: simply being in the Administrators group does not make life easy. You have to be the Administrator user (disabled by default) to bypass all the hassles of UAC or whatever. I still don't have a solid understanding of this, but, at least it tells me my problems will just be restricted to me, the logged-in admin trying to set up these folders. The users themselves will experience things based on the permissions I set, same as has been the way for years in all versions of Windows, basically. I'll have to test this out, but my main concern is alleviated, that users willbe hassled about folder access constantly, despite being given permissions.

I'm still keen to hear from anyone that can give insight on all this though. Here's the link I menbtioned:

https://superuser.com/questions/1006655/file-permissions-administrators-full-control-why-isnt-it-alw...