Status
Not open for further replies.
1 - 5 of 5 Posts

·
Registered
Joined
·
3 Posts
Discussion Starter #1 (Edited)
Hi guys

I got a question hoping someone can help me out with some info.
We switched to Win7 recently and have serious trouble with user rights management.

I am not admin but standard user on my workstation - that's why I cannot access any folders on C:\ (cannot even delete shortcuts on my desktop created by the admin)...

For several reasons I need access on C:\ - not necessarily on the Windows folder (maybe fonts) because I do not want to install software - but at least on all Programs folders and subfolders on C:\.

My IT guys tell me this is not possible under Win7 anymore - I have to choose specific folders. This is not acceptable for me...because I cannot predict that and want to avoid unnecessary workload...

Can anybody prove that there is definitely no possibility to manage user rights for standard users under Win7 to gain full access on all (sub-)folders on C:\ except the windows folder?


Thank you so much for help!

cheers
ral


BTW: Using Win7 Enterprise Edition
 

·
Registered
Joined
·
3 Posts
Discussion Starter #3
Well - obviously that would be the easiest way =))
But I can understand the IT Dep. that they do want to have at least a minimum amount of control of the machines they are responsible for. Therefore they don't want to give the permission rights to operators to install software that is not approved by IT. Ok for me.

But I don't want to be that dependent having to call an Admin each time an operator needs to copy e.g. API code or a plugIn to a program folder or just needs to install a font type.
That's annoying and definitely not efficient. That's why I try to find a solution that works for both IT & me...
 

·
Visiting BSOD Expert, Microsoft Support Team
Joined
·
781 Posts
The problem with Vista+ (for standard user access) is that not only is the system protected by Access Control Lists (ACLs) that say what a user can and cannot access, but there is also the concept of "integrity" that determines how much trust the system puts in you. The root of a volume is a "high integrity" location, so only admins have write access there - regular users only have read, even if their ACLs allow them write access. Without both rights and trust, you can't do certain things as a regular user.

Your IT department is partly correct, writing to the root of a volume is not possible on Win7 *by default*, but the integrity could be modified to allow it. However, this would drastically reduce the many protections enforced on the disk by the integrity controls, and as such this shouldn't be done. If a user needs a font, this would be considered "administering" the machine, and admin access should be used to do so (and it is required to do so, anyway). Also, writing to the Windows directory, or Program Files, or the registry by an application running is *bad* development practice, and this is the sort of thing UAC and system security is meant to break, on purpose. Write an app that stores its data in user-writable locations, or the \Public\ user folder if it needs to be handled by all users. Program Files, ProgramData, the Windows directory, the HKLM registry locations, etc. should not be "writable" locations during normal operations.

If users really do need to change things on their systems that often, a good workaround is to provide a user with 2 accounts that they can log onto the machine with - one admin account, and one standard user account. The user uses their standard user account for all "work", and fast-user switches to their logged on account with admin privileges if they need to make admin changes to the machine. This allows users to make changes as necessary, but still has them logging on with least privilege to do day-to-day work and allows the system to stay protected.
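
An added example, not part of the thread and not written by any poster: a PowerShell check an administrator could run under the standard user's logon to see how ACLs and integrity labels combine on the locations named in the reply above. It assumes an English-language Windows (icacls and whoami print "Mandatory Label"); the function name `Test-WriteAccess` and the path list are hypothetical.

```powershell
# Added example (not from the thread). Run as the standard user, non-elevated.
# Assumes English-language Windows: icacls/whoami print "Mandatory Label".
# Written for PowerShell 2.0, the version shipped with Windows 7.

# Locations discussed in the thread (list chosen for illustration).
$paths = @("$env:SystemDrive\", $env:ProgramFiles, $env:ProgramData,
           $env:windir, $env:PUBLIC, $env:LOCALAPPDATA)

function Test-WriteAccess {
    param([string]$Path)
    # Create and delete a uniquely named file. A real write attempt is subject
    # to both the DACL and the integrity check; reading the ACL alone is not.
    $probe = Join-Path $Path ("probe_" + [guid]::NewGuid().ToString("N") + ".tmp")
    try {
        [System.IO.File]::Create($probe).Close()
        [System.IO.File]::Delete($probe)
        return $true
    } catch {
        return $false
    }
}

# Integrity level of the token this shell runs under.
whoami /groups | Select-String "Mandatory Label"

$report = foreach ($p in $paths) {
    # icacls lists an explicit integrity label, if one is set, as a
    # "Mandatory Label\..." entry; objects without one are treated as medium.
    $label = @(icacls $p 2>$null | Where-Object { $_ -match "Mandatory Label" })
    $labelText = "(none set, treated as medium)"
    if ($label.Count -gt 0) { $labelText = $label[0].Trim() }
    New-Object PSObject -Property @{
        Path     = $p
        Writable = Test-WriteAccess $p
        Label    = $labelText
    }
}
$report | Select-Object Path, Writable, Label | Format-Table -AutoSize
```

Rows where `Writable` is False for Program Files, ProgramData and the Windows directory match the intended baseline described in the reply; the per-user and Public locations are where application data belongs.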
 

·
Registered
Joined
·
3 Posts
Discussion Starter #5
Thanks a lot for your fast and precise info brightening up my limited Win7 knowledge!

:wink:
 