
(Skip to the bottom for the TLDR version.)

OK - so I have searched (really!) and all other UAC articles I have found seem to center on enabling, disabling, detecting or hiding UAC. My issue is not one of those, so here goes:

My user used to have the standard dual-token setup where I was in the Administrators group and the UAC's Consent UI would just ask me if I wanted to proceed. Now, we have separate administrative-level accounts that we need to use, and I have to authenticate with this new user. The problem I am having is that previously, starting an app as Administrator just elevated my current user, whereas now, if I use the credentials of the new administrative user, whatever I am running runs AS that new user.

As an example, previously elevating CMD and typing whoami into the command prompt used to return my normal/current user, whereas it now returns the new administrative user.

This has serious negative consequences - since this is a new user, and an Administrative-level one, if any files are created using this new user, my normal user cannot write to or delete them unless I manually adjust permissions and ownership. If I use my development environment under the new account (e.g. I need to debug a service or work with a driver) and rebuild something, I end up with a bunch of files that I cannot manipulate unless I am an administrator. Likewise if I add a file while running as this new account - my SCM tool will not be able to update that file later unless it also runs under this new administrative account.

Also, since a profile is associated with this user, things run under a completely different environment (different %USERNAME%, %USERPROFILE%, %LOCALAPPDATA%, etc.).

Installing an application will also work incorrectly if it is installed just for the current user (e.g. the "Just Me" option), instead of for all users. Things that are licensed to/in my normal user account also fail to function if run under the new account, because things are running as that new user.

The ripple effects of this change are getting larger and larger the more I work with it. So...

[TLDR] Is there a way to get temporary elevation of the current user without that user having the normal dual-token setup you get from being in the Administrative group? Or are you stuck with the impersonation behavior?

  • No, since the standard user account does not have administrative privileges there is no split token associated with that account. However, it should be possible to change the permissions on the folder(s) you work in so that your account (rather than just CREATOR OWNER) is given access permission to new files by default. – Harry Johnston Apr 22 '15 at 22:14
  • When you're in the role of administrator it should just be to install and configure software and file permissions to allow yourself to work as the regular user. You shouldn't be using the administrator account to get real work done. Also, if a "just me" installation requires elevation, I'd say it's broken. But I never install software for "just me" anyway, so what do I know. – Eryk Sun Apr 23 '15 at 01:42
  • @eryksun - you are correct for the most part, and normal everyday users will likely work just fine under this scenario. However, I am not a "normal everyday user" and there are things that I do, every day, that require administrative access to get real work done. Remember that I am not asking if I should be using the Administrative account, I am asking how to get elevation working again, if possible. – James R. Twine Apr 23 '15 at 13:59
  • @HarryJohnston - thanks for the response. I had a feeling that this was no longer possible due to the changes made. I am working with our I.T. department to correct this problem. – James R. Twine Apr 23 '15 at 14:02
  • Default permissions on new files are (usually) based on the permissions of the folder they are created in, not on which account created the files. The creating account determines the ownership of the file, but not the permissions - the special case being permissions granted to "CREATOR OWNER". So adding your account to the permissions on the directories (with inheritance enabled, of course) really should work. – Harry Johnston Apr 23 '15 at 20:36
  • When you're logged in to the administrator account, can you add your regular account to the local Administrators group (e.g. `net localgroup Administrators [user]`)? – Eryk Sun Apr 23 '15 at 22:33
  • Yes, we could have added ourselves to the Admin group, but we were specifically asked not to perform certain actions while using the admin account, and that was one of them. So in the interest of being honest... In the end, we were able to convince I.T. of their error and have since gotten reverted back to the original dual-token setup. – James R. Twine Jun 12 '15 at 16:45
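Harry Johnston's two suggestions above (check whether the session actually has a split token, and give the regular account inherited access on the working folders so files created by the separate admin account stay writable) can both be checked from a prompt. The script below is an added example, not code from the question or the comments. It assumes a working folder `C:\Work\Project` and a regular account `RegularUser` on the local machine; both are placeholders. Run it from the account that owns the folder or otherwise has permission to change its DACL (in the scenario above, the separate admin account).

```powershell
# Added example (not from the original question or comments).
# 1. Classifies the current token: no Administrators membership at all (Harry
#    Johnston's point: no split token exists), a UAC-filtered admin token, or an
#    elevated token.
# 2. Grants a regular account Modify rights on a working folder, inherited by
#    new files and subfolders, then creates a probe file to confirm the ACE is
#    actually inherited. Folder and account names below are placeholders.

param(
    [string]$Folder  = 'C:\Work\Project',                  # assumed working folder
    [string]$Account = "$env:COMPUTERNAME\RegularUser"     # assumed regular account
)

function Get-AdminTokenState {
    # whoami /groups /fo csv yields columns "Group Name","Type","SID","Attributes".
    # The Administrators group is matched by its well-known SID so the check does
    # not depend on the display name; the attribute text is English-only.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    if (-not $admins) { return 'NotAdmin' }                     # no dual token possible
    if ($admins.Attributes -match 'deny only') { return 'FilteredAdmin' }  # UAC split token, not elevated
    return 'Elevated'
}

function Grant-InheritedModify {
    param([string]$Path, [string]$Identity)

    $acl = Get-Acl -Path $Path

    # ContainerInherit = subfolders, ObjectInherit = files. PropagationFlags None
    # means the folder itself also receives the right (no InheritOnly).
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-InheritedAccess {
    param([string]$Path, [string]$Identity)

    # Create a file the way the admin account would, then check that the regular
    # account's Modify entry arrived on it through inheritance.
    $probe = Join-Path $Path ('acl-probe-{0}.txt' -f [guid]::NewGuid())
    Set-Content -Path $probe -Value 'constructed probe file'
    try {
        $modify = [System.Security.AccessControl.FileSystemRights]::Modify
        $hit = (Get-Acl -Path $probe).Access | Where-Object {
            $_.IsInherited -and
            $_.IdentityReference.Value -eq $Identity -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $modify) -eq $modify)
        }
        return [bool]$hit
    } finally {
        Remove-Item -Path $probe -Force
    }
}

Write-Host ('Current token: {0}' -f (Get-AdminTokenState))

Grant-InheritedModify -Path $Folder -Identity $Account
if (Test-InheritedAccess -Path $Folder -Identity $Account) {
    Write-Host "New files under $Folder now inherit Modify for $Account"
} else {
    Write-Warning "No inherited Modify ACE for $Account on a new file; check that inheritance is enabled on $Folder"
}
```

Existing files are not touched by this: the new ACE only flows to objects created afterwards unless you also reset the DACL on the children. Ownership still belongs to the creating account, as the comment above notes; the point of the inherited Allow entry is that the regular account no longer depends on CREATOR OWNER or ownership to read, write and delete what the admin account produced.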
