Sep 9, 2011

UAC Access Control - Cannot edit files under SYSVOL folder

Here's a case that can cause some 'headache', and then the solution looks all too obvious.

S: (Subjective)
Cannot edit a file under the SYSVOL folder: when we try to edit and then save it, we receive the message "Access is denied".

A: (Assessment)

    - We collected a Process Monitor trace during the issue to check whether there is an ACCESS DENIED result:
    13:15:02,2679947    Notepad.exe    10760    CreateFile    D:\Windows\SYSVOL\domain\scripts\filetest.vbs    ACCESS DENIED    Desired Access: Generic Read/Write, Disposition: OpenIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 0
    - The ACCESS DENIED result exists, and obviously we looked at the issue under the user account first.
    - All tests regarding the user account were done, and even so we could not edit the file.
    - The test that really checked and verified the issue was running the Command Prompt as Administrator.
    - Then we ran notepad "D:\Windows\SYSVOL\domain\scripts\test.txt".
    - We could edit and save it properly.
    - This issue is related to the UAC setting "User Account Control: Run all administrators in Admin Approval Mode" = ENABLED
    - Articles:
    User Account Control: Run all administrators in Admin Approval Mode
    Two possible values:
     Enabled—Both administrators and standard users are prompted when attempting to perform administrative operations. The prompt style is dependent on policy.
     Disabled—UAC is essentially "turned off" and the Application Information Service (AIS) service is disabled from automatically starting. The Windows Security Center also notifies the logged on user that the overall security of the operating system has been reduced and gives the user the ability to self-enable UAC.
    Note: Changing this setting requires a system restart.
    - Keep in mind that Admin Approval Mode (AAM) is a UAC configuration in which a split user access token is created for an administrator. When an administrator logs on to a Windows Server 2008-based computer, the administrator is assigned two separate access tokens. Without AAM, an administrator account receives only one access token, which grants that administrator access to all Windows resources.
    - In this case, if the policy is ENABLED, the token is split and the standard user token is the one loaded on Windows Server 2008.
    - The correct way to edit the script while logged on to the DC is to start the Command Prompt with the "Run as Administrator" option and type the command to edit the file (notepad.exe).
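
The diagnosis above can be scripted. The following is an added example, not part of the original post: it checks the policy state, whether the current process holds the split (filtered) token, and whether the read/write open from the Process Monitor line fails. Assumptions: the policy is read from the EnableLUA registry value, whoami output is in English, and the default path is the one shown in the trace.

```powershell
# Added example: tell a UAC-filtered administrator token apart from a real ACL
# problem when saving a file under SYSVOL returns "Access is denied".
param(
    # Default path copied from the Process Monitor line in the post.
    [string]$Path = 'D:\Windows\SYSVOL\domain\scripts\filetest.vbs'
)

# 1. Policy state: EnableLUA = 1 means "Run all administrators in Admin
#    Approval Mode" is enabled.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua = (Get-ItemProperty -Path $policyKey -Name EnableLUA).EnableLUA

# 2. Is this process running with the full administrator token?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 3. In the filtered token, BUILTIN\Administrators (S-1-5-32-544) is still
#    listed but only as a deny-only group, so it cannot grant access.
$adminGroup = whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.SID -eq 'S-1-5-32-544' }
$denyOnly = [bool]($adminGroup.Attributes -match 'deny only')

# 4. Reproduce the failing operation: open the file for read/write.
#    Only access-denied is handled; other errors (missing file) surface as-is.
$canWrite = $false
try {
    $stream = [IO.File]::Open($Path, [IO.FileMode]::Open, [IO.FileAccess]::ReadWrite)
    $stream.Close()
    $canWrite = $true
} catch [UnauthorizedAccessException] {
    $canWrite = $false
}

New-Object PSObject -Property @{
    AdminApprovalMode  = ($enableLua -eq 1)
    ProcessElevated    = $elevated
    AdminsDenyOnly     = $denyOnly
    CanOpenForWrite    = $canWrite
}

if (($enableLua -eq 1) -and $denyOnly -and -not $elevated -and -not $canWrite) {
    'Filtered token in use: rerun from a prompt started with "Run as Administrator".'
}
```

If the same script reports ProcessElevated = True and CanOpenForWrite = False, the cause is the file's ACL rather than UAC.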
