When you are prompted to enter administrative credentials for a directory to which you do not have permissions, your user ID is added to the DACL list for the directory in Windows Vista

When you are prompted to enter administrative credentials for a directory to which you do not have permissions, your user ID is added to the DACL list for the directory in Windows Vista

Article ID : 950934
Last Review : April 15, 2008
Revision : 1.0
On This Page

INTRODUCTION

This article describes the behavior that occurs in Windows Vista when you are prompted to enter administrative credentials for a directory to which you do not have permissions.

Back to the top

MORE INFORMATION

On a computer that is running Windows Vista, assume that you try to browse to a directory that you do not have permissions to view. Windows Explorer prompts you to enter administrative credentials. When you enter administrative credentials, your ID is permanently added to the discretionary access control list (DACL) for the directory.

This behavior is by design. However, the dialog box that prompts you to enter administrative credentials does not correctly explain the consequences of entering these credentials. Therefore, you may believe that you are only temporarily elevating your permissions to view the directory contents and that no permanent change to the directory’s DACL is occurring.

By prompting you for credentials, Windows Vista prevents the following scenario. When you try to view a directory to which you do not have permissions, you receive an access denied error message, and you cannot view the contents of the directory. Assume that you then try to use elevated permissions to open an instance of Windows Explorer. However, Windows Explorer is a single-instance application, and it is already running under User Access Control (UAC). Therefore, you cannot use elevated permissions to open Windows Explorer. To view the directory, you would have to right-click the directory in Windows Explorer, you would have to use elevated permissions to open the DACL editor, and then you would have to add your user ID to the directory.

Note If you were not logged on as an administrator, you would have to follow these steps on an earlier version of the Windows operating system, such as Windows XP.

This feature of Windows Vista simplifies the only real solution for gaining access to the directory.

Back to the top

Known issues

This feature could lead to unwanted and unexpected behavior. For example, assume that you belong to the Administrator group and that you receive elevated permissions to view a directory. Your ID is added to the DACL for that directory. However, if you are then removed from the Administrator group, your ID remains in the DACL for the directory. Therefore, you still have view permissions for that directory.

Back to the top


APPLIES TO
• Windows Vista Ultimate
• Windows Vista Ultimate 64-bit Edition
• Windows Vista Enterprise
• Windows Vista Enterprise 64-bit Edition
• Windows Vista Business
• Windows Vista Business 64-bit Edition
• Windows Vista Home Premium
• Windows Vista Home Premium 64-bit Edition
• Windows Vista Home Basic
• Windows Vista Home Basic 64-bit Edition

Back to the top

Keywords: 
kbsecurity kbpubtypekc kbinfo kbhowto KB950934

Back to the top

 

Microsoft Knowledge Base Article

This article contents is Microsoft Copyrighted material.
Microsoft Corporation. All rights reserved. Terms of Use | Trademarks


You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

AddThis Social Bookmark Button

Leave a Reply

*
To prove that you're not a bot, enter this code
Anti-Spam Image