
I believe I am dealing with a knowledge gap. I think I understand this about 80% but apparently that is not enough. Questions like this have plagued me for a long time. I will try to be as clear as possible. Server OS: Windows 2003 R2 Standard SP2. Desktop OS: Windows 7 Pro SP1 and some Windows XP Pro SP3.

So I have a domain called DOM1. In the domain I have a user named Ralph. Ralph is in the Domain Admins group and the Domain Users group. I have a workstation named MY-WS. This workstation is part of the DOM1 domain. I am logged into MY-WS as Dom1\Ralph. I have added the DOM1 Domain Admins group to the builtin Administrators group on MY-WS. For the time being, I don't care about any local users or groups on MY-WS. I create a folder on the desktop (don't think it matters where) and remove inheritance and remove all but the Local Administrators group from the Security tab and confirm that the Local Administrators group has Full Control permissions on that folder. I can do the same thing with the Sharing tab with similar results.

That's pretty much all I need to ask my questions. My understanding is that any user in the local Administrators group has unlimited control of that workstation. I also thought that if a user was a member of a group, then adding the group was the same as adding the user. Not sure if it has anything to do with Domain vs. Local groups and users. When I try to open the folder I get the following popup (image 1): "You don't currently have permission to access this folder. Click Continue to permanently get access to this folder." If I reply Cancel, nothing happens and I cannot access the folder. If I reply Continue, I get access to the folder, and when I check the Security tab on the folder again, DOM1\Ralph has been added with Full Control. That's the part I don't understand. I was always told to use groups and not users for things like this, so if the people change or you want to add or remove access for individuals it is much less of a logistical nightmare.

There are many other examples like this, but I have a feeling that when one of you more learned people reads this you will go "Ohhhhhh, yeah, of course it does, and this is why". Anyway, thought I would give this a shot. Thanks a bunch in advance for your help and cooperation.

Ian G

1 Answer

The trick here is User Account Control. Every program runs under a user account, but more specifically a token. Every token contains a security identifier (SID, basically a user ID), a list of groups the user is a member of, and which privileges are enabled at the moment. UAC makes sure that certain group memberships aren't active all the time; this protects the machine from accidental administrative action (say, from a Trojan horse). Run whoami /all to see the full contents of a token.

If you run that command as an admin from an unelevated command prompt, you'll see that you are a member of the local Administrators group, but that membership is "used for deny only" - programs running under that token don't actually have administrative power. The Domain Admins group as well as a couple of other important ones (e.g. Backup Operators) are subject to this check. "Allow" ACL entries that refer to these groups won't apply unless the user is elevated. (Try whoami /all on an admin prompt - all group memberships and a host of privileges are enabled.)

When you take control of a folder, you use your administrative SeRestorePrivilege ("Restore files and directories", which lets you write anything including ACLs to any file) to add a Full Control "allow" entry for your account to the ACL. Since your SID is never subject to UAC token stripping, all programs running as you will be able to exercise that control.

Had you attempted to access that folder (before adding the specific ACE) with an elevated program - say, explorer.exe running as admin or an admin prompt - you would have been successful. Disabling UAC (not recommended) would result in all programs running as you having all your access all the time.

Ben N
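An added example (not part of the answer above, and not a Microsoft tool) that makes the token filtering the answer describes visible from a script: it parses the CSV output of whoami /groups and whoami /priv, reports which memberships UAC has marked "used for deny only", whether the local Administrators SID is actually effective, and whether SeRestorePrivilege (the privilege the "Continue" button relies on) is present. It assumes a Windows 7-era whoami.exe with English attribute strings and PowerShell 2.0 or later.

```powershell
# Added example: inspect the current process token via whoami's CSV output.
# Assumes English-language whoami.exe (attribute strings are localized).

function Get-TokenGroupState {
    # Parse 'whoami /groups' and flag memberships UAC has filtered to deny-only.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    foreach ($g in $groups) {
        $denyOnly = $g.Attributes -match 'used for deny only'
        New-Object PSObject -Property @{
            Group    = $g.'Group Name'
            SID      = $g.SID
            DenyOnly = $denyOnly
            # An "Allow" ACE naming this group only applies when Enabled is true.
            Enabled  = ($g.Attributes -match 'Enabled group') -and -not $denyOnly
        }
    }
}

function Test-EffectiveAdmin {
    # True only when the local Administrators SID (S-1-5-32-544) is in the
    # token as an enabled group, i.e. the process is elevated or UAC is off.
    $admins = Get-TokenGroupState | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    return [bool]($admins -and $admins.Enabled)
}

function Get-RestorePrivilegeState {
    # SeRestorePrivilege is what "Continue" uses to write the new ACE. In a
    # UAC-filtered token it is absent entirely; in an elevated token it shows
    # as Disabled until a program enables it for use.
    $p = whoami /priv /fo csv | ConvertFrom-Csv |
         Where-Object { $_.'Privilege Name' -eq 'SeRestorePrivilege' }
    if ($p) { return $p.State } else { return 'Not present' }
}

# Run once from a normal prompt and once from "Run as administrator" to
# compare the two tokens the answer talks about.
"Administrators effective in this token: $(Test-EffectiveAdmin)"
"SeRestorePrivilege: $(Get-RestorePrivilegeState)"
Get-TokenGroupState | Where-Object { $_.DenyOnly } |
    ForEach-Object { "Filtered by UAC (deny-only): $($_.Group)" }
```

From an unelevated prompt as DOM1\Ralph the deny-only list should include both BUILTIN\Administrators and DOM1\Domain Admins, which is exactly why an ACL that grants only those groups does not let an unelevated Explorer in.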