0

On my Windows 7 PC i have one Admin Account and one User Account. I want to deny access to the User Account, so i right click on the folder, go to security tab, select the user, click on edit and deny Full Control or just reading of the Folder to that specific user. Now when i want to access the folder from the User Account i have to give the Admin Account Password to proceed but the problem is that after that i get a message you must use the security tab to gain access. Why is this ? How can i set the permissions so that after i give the password i can have the full access to the folder ? Or is this the way File & Folder permission work in general ?

The problem might be also that i don't know how File & Folder permission works, but i imagine that if i set the permission of a Folder to deny access to a User Account, that User will have to give the Admin password to be able to view the content of the Folder. So i don't understand why after giving the password i get the message you must use the security tab to gain access.

My User Account has not the permission to view the Folder. My Admin Account (SuperUser) has the Full Acess
Folder Permission Settings

This is the message i get after i give my Admin Password
you must use the security tab to gain access

Improve this question
2
  • What permissions do the everyone and / or users group have?
    – Austin T French
    Commented Jul 5, 2013 at 1:09
  • @AthomSfere how/where can i check the permission of everyone and users group ?
    – Devid
    Commented Jul 5, 2013 at 8:38

2 Answers 2

Reset to default
1

Windows is always going to use the Least Privileged Access model for access requests. So from what I can gather now, you have an inheritance structure that explicitly denies your user access to a folder.

Windows sees essentially: You are denied, because of the denied group

It does not matter how you nest or obfuscate the deny group, Windows will deny the user based off of the Least Privilege assigned.

I believe the problem you are seeing, is a byproduct of this. When you attempt to open the folder it should give a flat deny (Odd that it prompts...?).

But even after you enter the administrator account, you are still running explorer as the User and not the administrator.

In Linux you can do something similar to what you are expecting with Sudo, but Windows UAC is not SUDO despite some operational similarities it does treat token and access differently.

Possible Solutions

  • Disable UAC
  • Change your Deny access settings to blank.
Improve this answer
3
  • So that means this is not something happening just to me, but it is generally how Folder and Files permission works in Windows 7 OS. But i just don't see how this could be useful and why anyone should use it. I don't even understand why is it then prompting me to give a password when the access afterwards will be also denied. This implementation just does not make any sense! If i wanted to do it this way i could also just encrypt the file or folder.
    – Devid
    Commented Jul 5, 2013 at 18:13
  • 1
    It sounds like you are going against the grain of the Windows security model, so I would expect failures. You could probably gain access through an elevated command prompt. Otherwise, use no permissions (No checks) to deny for your user unless you need them completely out, regardless of any other circumstances
    – Austin T French
    Commented Jul 5, 2013 at 18:26
  • But this is now interesting if I right click on the folder and then go to security tab, click on edit and delete the User Account, which would be in my case Devid (Picture above), I get exactly what i want. The User Account Devid can access the folder after the Admin Password and no message like the one before appears. But after a successful access to the folder under a User Account i have to delete again that User Account from the security tab to achieve the same effect. @AthomSafe thanks for the elevated command i totally forgot about that.
    – Devid
    Commented Jul 5, 2013 at 19:23
0

If I right click on the folder and then go to security tab, click on edit and delete the User Account to which i would like to restrict access, I get exactly what i want. The User Account can access the folder after the Admin Password and no message like the one before appears. But after a successful access to the folder under a User Account i have repeat again the steps. @AthomSafe thanks for the elevated command i totally forgot about that.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .