If you have permissioned your folders the right way and are now trying to access them in Windows Explorer, you may notice the prompt.
You can launch an elevated CMD prompt and browse to the directory without any issues.
You may wonder what is going on, and when you click Continue, you can indeed access the folder. You will also notice that your current logon account has been granted explicit permission on the folder/share. This behaviour can make a mess of file and folder permissions if you have a large team managing the file shares.
The warning that you received isn’t because you don’t have permissions. This is by design.
Starting with the legendary Windows Vista, Microsoft decided to up the ante against not so nice malware and Trojans by introducing UAC (User Account Control). UAC prevents programs running under an administrator account from writing to sensitive areas like C:\Windows, C:\ etc., making it more difficult for Trojans, malware and other mischievous tools to gain easy access to system areas even while running under an administrator context.
Here is an excerpt from Microsoft KB 950934:
Assume that User Account Control (UAC) is enabled, and you use Windows Explorer to access a folder for which you don’t have Read permissions. Additionally, the folder is not marked by both the Hidden and System attributes. In this situation, Windows Explorer displays a dialog box that prompts you with the following:
You don’t currently have permission to access this folder. Click Continue to permanently get access to this folder.
You then have the option to click Continue or Cancel. (Continue is selected by default.) If you click Continue, UAC tries to obtain administrative rights on your behalf. Depending on the UAC security settings that control the behaviour of the UAC elevation prompt, and on whether you are a member of the Administrators group, you may be prompted for consent or for credentials. Or, you may not be prompted at all. If UAC can obtain administrative rights, a background process will change the permissions on the folder, and on all its subfolders and files, to grant your user account access to them. In Windows Vista and Windows Server 2008, the background process grants your user account Read and Execute permissions. In later versions of Windows, this process grants your user account Full Control.
This behaviour is by design. But because the typical pattern with UAC elevation is to run an instance of the elevated program with administrative rights, users may expect that by clicking Continue, this will generate an elevated instance of Windows Explorer and not make permanent changes to file system permissions. However, this expectation is not possible, as Windows Explorer’s design does not support the running of multiple process instances in different security contexts in an interactive user session.
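To find folders where clicking Continue has already left a per-user entry behind, the following PowerShell lists explicit (non-inherited) Allow ACEs that name an individual user account. It is an added example, not part of the original post or the KB article; the `D:\Shares` path is a placeholder and the script assumes a domain-joined server with PowerShell 5 or later.

```powershell
# Added example (not from the original post). Lists explicit Allow ACEs that name
# an individual user account on folders under a share root.
# Assumptions: domain-joined server; D:\Shares is a placeholder path.
param([string]$Root = 'D:\Shares')

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctx   = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
             [System.DirectoryServices.AccountManagement.ContextType]::Domain)
$cache = @{}   # SID string -> $true when the SID resolves to a user account

function Test-IsUserSid([System.Security.Principal.SecurityIdentifier]$Sid) {
    if (-not $cache.ContainsKey($Sid.Value)) {
        try {
            $p = [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity(
                     $ctx, [System.DirectoryServices.AccountManagement.IdentityType]::Sid, $Sid.Value)
            $cache[$Sid.Value] = $p -is [System.DirectoryServices.AccountManagement.UserPrincipal]
        } catch { $cache[$Sid.Value] = $false }   # unresolvable SID: not treated as a user
    }
    $cache[$Sid.Value]
}

$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

foreach ($folder in $folders) {
    try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }

    # includeExplicit = $true, includeInherited = $false: only ACEs set directly on this folder
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (-not (Test-IsUserSid $rule.IdentityReference)) { continue }
        [pscustomobject]@{
            Folder   = $folder.FullName
            Account  = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
            Rights   = $rule.FileSystemRights
            Inherits = $rule.InheritanceFlags
        }
    }
}
```

Each row is a folder where a named user, rather than a group, holds a directly assigned permission; review these against your intended group-based design before removing anything.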
Now, there are a few options for dealing with this:
- You can have a dedicated account with explicit permissions on file shares without disabling UAC.
- You can disable UAC and ensure you have a reliable antivirus / antimalware product on the system.
In my client's case, the second option worked better.
Disable the UAC, the right way
If you have multiple file servers, you can create a Group Policy and link it to the OU. You can use security filtering to target the file servers. If you have only a few file servers, you can modify the Local Security Policy on each one.
Log on to your server.
Start > Run > GPEdit.msc
Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Update the following highlighted Policies to the value shown below.
You need to restart the server for the changes to take effect.
Now you can access the folders without the UAC prompt and without having to worry about explicit permissions being added to the folders' ACLs.
Hope this helps