3

When I right click on a folder and choose properties and then Security tab, sometimes the "Edit" button does have UAC shield icon and sometimes it does not.

  • This is happening on the same machine when logged as an administrator
  • both folders (one that does give the icon and one that does not) are owned by the Administrators group
  • both folders has Full Control permission for the Administrators group.

What are possible reasons that one of this folder has the shield on the Edit button and the other does not?

This is Windows Server 2008 R2

Edit 1: The folders that I'm looking at are not "special" folders, they are created by a piece of software that I wrote, do not have any "special" attributes applied or extra registry settings "attached" to them.

Andrew Savinykh
  • 1,945

3 Answers3

5

This is determined by your current permissions on the folder.If your user or the built in users group have full permissions on the folder you can change permissions on it as normal.

If your user and the users group does not have the Full Control permission you won't be allowed to change any permissions on the folder. This is where the shield icon comes in. To be able to change the permissions you need to elevate your account to Administrator to have the necessary rights to change permissions.

You can easily try how the permissions change when the shield is displayed.

If you deny yourself write access on a folder, then when you right click it you will see the shield icon in front of the rename option.

If you deny yourself modify access on a folder, then when you right click it you will see the shield icon in front of the delete and rename options.

Paxxi
  • 7,138
  • As I explained in the question my user ins in the adminstrators group and the administrators group owns and has full access permissions to the folder still, the shield is displayed... And this is what puzzles me. – Andrew Savinykh Jun 02 '11 at 21:39
  • When UAC is turned on, even if your user is part of the admin group it will not use those permissions by default. It will use any permissions assigned directly to your user or the built in users group. If any of those does not have the needed permissions it will show the shield and let you elevate to use the permissions from the admin group your part of. – Paxxi Jun 03 '11 at 10:04
1

I'm several years late to this question, but in my case (in comparing two different installations of Windows Server 2019 VMs) the cause of this 'security shield' on NTFS permissions and some application shortcuts was caused by a local security policy setting.

Specifically, within Local Policy, Security Options, there's a setting 'User Account Control: Run all administrators in Admin Approval Mode' which was Enabled on the server that was showing the 'shield' and disabling this returned that server to my expected and desired behaviour.

Finally, in my case this server's Group Policy did not include settings for this particular part of security options, so I was able to use Local Policy, but for enterprises where Group Policy is governing all these settings, you'd likely have to look at those parent GPO settings to see where this setting is controlled.

DanielV
  • 11
0

It is all in the registry. From what I could find, it is all located somewhere deep in the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID keys. These keys reference dlls, which change the appearance for specific, predefined directories. It is what they call "secure locations", and they were defined programmatically.

http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx http://65.55.20.224/en-us/library/dd851527.aspx

KCotreau
  • 25,557