Consider the following situation.
Let's say I have two interactive local user accounts registered on my machine: Admin
(member of Administrators
group) and Alice
(member of Users
group). Let's say on my hard drive I have a folder Test
with the following security settings:
Owner : Alice
Permissions:
System : Full Control
Administrators: Full Control
Alice : Full Control
Now, if I log in under Admin
account and attempt to open the folder Test
, Windows will initially refuse to do so. It will display a message box saying
"You don't currently have permissions to access this folder"
My first question is: why? I'm logged in as Admin
- a member of Administrators
group - and therefore I'm supposed to have full control of the folder. Why does Windows say that I don't currently have permissions?
Now, the aforementioned message box will also offer me the opportunity to "Click Continue to permanently get access to this folder". If I click "Continue", I'll be allowed to open folder Test
. And, as a consequence of that, the security settings of Test
will change to
Owner : Alice
Permissions:
System : Full Control
Administrators: Full Control
Alice : Full Control
Admin : Full Control
As you can see, Windows automatically added an extra entry Admin: Full Control
to the list. After that I will be able to access Test
without any restrictions. However, the above set of security permissions seems to be redundant to me. It already included Administrators: Full Control
entry from the very beginning. Why wasn't that sufficient?
So, my second question is: why would Windows need an extra Admin: Full Control
entry to finally give Admin
that "full control".
What is the formal logic behind this behavior?
Some clarifications
Note, this question is not about my Admin
account not being "all-powerful Administrator that can do whatever he wants". I don't expect my Admin
account to be all-powerful at all. In fact, at the most basic level I don't care about any special rights of my Admin
account. It is just some account that belongs to some group.
My question is about file system access rights granted through group membership.
Consider another example. Let's say I created some random user group called Ugly Ducklings
. And I added regular users Alice
and Bob
to the Ugly Ducklings
group.
Then I create folder DucklingTest
with the following permissions
Owner : Alice
Permissions:
Ugly Ducklings : Full Control
Now, if I log in as Bob
I will indeed have full control over DucklingTest
folder (!).
Why?
Is my Bob
an all-powerful administrator? No. Is my Bob
privileged in any way? No. Do I have to "elevate" Bob
somehow, to perform access to DucklingTest
? No.
So, why does Bob
have full control over DucklingTest
folder?
Easy. Bob
has full control over DucklingTest
folder because Bob
is a member of Ugly Ducklings
group and Ugly Ducklings
group has been granted full control permissions over DucklingTest
. End of story.
How come the same logic does not apply to Admin
and Administrators
? Admin
is a member of Administrators
group and Administrators
group has been granted full control permissions over Test
folder. What's missing here? What kind of extra "control" Windows is trying to enforce in this case by imposing what looks like extra restrictions on members of Administrators
group?