Issue with gaining permanent admin rights under standard user account.

Discussion in 'Windows 8' started by qofbored, Dec 25, 2013.

  1. qofbored

    qofbored MDL Novice

    Feb 6, 2013
    24
    3
    0
    #1 qofbored, Dec 25, 2013
    Last edited: Dec 28, 2013
    Hi,
    I have this problem on my PC and I've had it before on other machines running Win8 as well.
    It's when I'm working under my regular user account (no admin privileges) and when I need to browse some files in my admin user folder, I navigate there and after being prompted for my admin password I gain access to the directory. So far so good.

    But from then on, Windows always grants me access to the entire admin folder without asking for the password ever again. So even after I have logged out of my working user account, after having rebooted the machine or had it shut off, it just never prompts again and the admin directory stays accessible through the regular user account forever. Which sucks, imo it should not do that.

    I have no idea why this is designed in such a way (unsafe) and I don't know where to begin trying to fix it.
    I just want permission on a per-session basis when I incidentally need a file from the admin folder, so I prefer the privileges to expire after a single explorer session which had prompted for the password to begin with.
    The two accounts have different passwords. Also, UAC still always prompts for admin password when executing files As Administrator.

    My question: how can I make Windows not remember these credentials from browsing in the folders?


    Update: When I do 'net user admin' it says "Password required No", where for my regular user account it says Yes.
    Not sure if this means anything but it seems suspicious. When I go to log-on with admin account, Windows does require my password for it.

    Also, admin folder properties show the obvious reason why I am granted access. (attachment) So I know how to remove the credentials from memory, but the problem is not fixed there because next time it will just remember them again.

    Also, my Users group shows some suspicious entries which I doubt should even be there. See screenshot...

    [Attachments: Clipboard01.jpg, folder properties.jpg, user group.jpg]

    If someone knows anything about this please let me know.
     


  2. BigW

    BigW MDL Member

    Apr 25, 2010
    198
    53
    10
    That's a registry setting special to your "admin" user. In Group Policies you can set this setting to yes and every user has to have a password (default setting in an AD domain, not on a normal client OS). You somehow managed (possibly through various "tutorials" or similar advice) to set this property to yes on your normal user "db". This setting only says that if it's set to yes you will always need to have a password on your user. Nothing else, and it has nothing to do with accessing folders you normally shouldn't access through your normal user account.

    No, your second picture doesn't really show us which access rights your normal user "db" has to "C:\Users\admin". It only shows us that the "SYSTEM" user has all available access rights. You also can't revoke access rights to a certain user as this user. Try this being logged in as the "admin" user. In Windows you can really have a very fine-grained system of access rights (read, write, full control, ...) assigned to folders and files. More often you have to hassle to get the appropriate access rights to a folder if you screw with access rights badly.

    Have you at least googled these two built-in user types? I think these two user types are needed here. If you remove them you might brick your Windows logins. The first one seems to me to be that only successfully authenticated users are counted in this group. The second one is that users are even able to log in.

    My honest opinion is that you should think hard about whether regularly poking holes in the security as a regular workflow is worth doing. Regularly accessing another user's folder from a normal user I consider poking holes in security. I also wouldn't like it if, on my daily commute to work, a stranger (or not a stranger) looked in my briefcase sometimes for my lunch. If I (and probably you also) would like the stranger to know what I have for lunch, I would explicitly show him my lunch or grant him access to my briefcase.

    The whole folder and the data in the folder of the user belong to this user and should only be accessed by other users if the owner grants access to another user or group! If you really regularly have to access data in the "admin" folder, the "admin" user should create a network share or always grant this normal user access rights.

    A normal user isn't even meant to know the password of an admin user and shouldn't even think of doing the things you want to do on a regular basis. A normal user shouldn't ever need to have access to folders which don't belong to him or even is granted access by an admin or owner of the files. In your workflow the user "admin" grants access to the user "db" until the "admin" user revokes these grants. In your current workflow you have to create a logoff script and revoke every grant the user "admin" made to the "db" user on his files.
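
The revocation BigW describes above can be scripted; this is an added example, not code from any poster in the thread. It lists explicit Allow entries that name one account on a profile folder and, with `-Remove`, deletes them using `icacls`. The path `C:\Users\admin` and the local account `db` are the names used in the thread, and the script is assumed to run from an elevated session.

```powershell
# Added example (not from the thread). Defaults are the names used in the
# thread and are assumptions: adjust them. Run from an elevated prompt.
param(
    [string]$ProfilePath = 'C:\Users\admin',
    [string]$Account     = "$env:COMPUTERNAME\db",   # assumes a local account
    [switch]$Remove
)

function Get-ExplicitGrant {
    param([string]$Path, [string]$Identity)
    # Keep only explicit (non-inherited) Allow entries naming the account itself.
    # Access that comes from group membership is deliberately not reported.
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -ieq $Identity
    }
}

$grants = @(Get-ExplicitGrant -Path $ProfilePath -Identity $Account)
if ($grants.Count -eq 0) {
    Write-Output "No explicit grant for $Account on $ProfilePath."
    return
}

Write-Output "Explicit grants for $Account on ${ProfilePath}:"
$grants | Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize

if ($Remove) {
    # /remove:g deletes every granted (Allow) entry for the account on this
    # folder; child items that inherited the entry lose it as well.
    & icacls.exe $ProfilePath /remove:g $Account
    if ($LASTEXITCODE -ne 0) {
        throw "icacls failed with exit code $LASTEXITCODE"
    }

    # Re-read the ACL to confirm the entry is really gone.
    $left = @(Get-ExplicitGrant -Path $ProfilePath -Identity $Account)
    if ($left.Count -gt 0) {
        throw "$($left.Count) explicit grant(s) for $Account still present."
    }
    Write-Output "Removed explicit grants for $Account from $ProfilePath."
}
```

Run without `-Remove` first to see what would be deleted; a standard user cannot change this ACL, so a scheduled run has to execute under an administrative account.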
     
  3. qofbored

    Thank you for your response.

    That was a wrong screenshot, I fixed it now in my post above. I meant to display the proper user account.

    So should I just strip the rights off through the folder properties, or is there a 'cleaner' way to fix this?
     
  4. eydee

    eydee Guest

    Linux has the exact same behavior you need. Unless you're a gamer, switching should be no problem.
     
  5. qofbored

    I suppose you're right. Sometimes I kick myself for not having mastered using Linux yet.
    Which brand would you recommend for a tech-savvy newcomer to Unix systems?