Vista file sharing and UAC

Sorry for asking here - after spending ~2 hours seeking the info in Vista
help files and over the web, I resorted to asking colleagues.

Issue:

  • Vista RC1 5600
  • a file share is created, its ACL is “Administrators: Full Control” and
    nothing more.
  • I cannot access the share from w2k and XP machines! “Access denied”.
  • on Vista machine, I have a user “maxim” which is a member of
    Administrators group.
  • if I add “maxim” explicitly to share’s ACL, for it to be “Administrators:
    Full Control; maxim: Full Control” - I can access the share.
  • more so. If I disable UAC - then I can access the share even with
    “Administrators: Full Control” and nothing more.

Looks like UAC is just silently dropping the “Administrators” group
membership from the tokens.

Question:

  • how can I configure SRV on Vista so that it will not do such dropping?

More so. Am I correct that this will also limit all RPC/DCOM-based
administration tools for a Vista computer?

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

> after spending ~2 hours seeking the info in Vista
Is this the answer you are looking for? From
http://www.microsoft.com/technet/windowsvista/library/0d75f774-8514-4c9e-ac08-4c21f5c6c2d9.mspx:

“Unlike previous versions of Windows, when an administrator logs on to a
computer running Windows Vista, the user’s full administrator access token
is split into two access tokens: a full administrator access token and a
standard user access token. During the logon process, authorization and
access control components that identify an administrator are removed,
resulting in a standard user access token. The standard user access token is
then used to start the desktop, the Explorer.exe process. Because all
applications inherit their access control data from the initial launch of
the desktop, they all run as a standard user as well.
After an administrator logs on, the full administrator access token is not
invoked until the user attempts to perform an administrative task.
Contrasting with this process, when a standard user logs on, only a standard
user access token is created. This standard user access token is then used
to start the desktop.”

When I had to spend my 2 hours scratching my head, I understood the logic
like that:

  1. Before Vista, if you happen to become an “apparatchik” ( = get into
    admins), you gained all privileges automatically, just by the mere fact of
    being incorporated into “nomenklatura”. Nothing personal.

  2. In Vista even apparatchiks are to personally prove what they are worth
    each and every time.

This picture is, well, simplified (you can have, gain and enable at least
some privileges in pre-Vista without jumping into admins), but was good
enough for me.

----- Original Message -----
From: “Maxim S. Shatskih”
To: “Windows System Software Devs Interest List”
Sent: Monday, September 18, 2006 3:27 PM
Subject: [ntdev] Vista file sharing and UAC

> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

> "Unlike previous versions of Windows, when an administrator logs on to a
> computer running Windows Vista, the user’s full administrator access token
> is split into two access tokens: a full administrator access token and a
> standard user access token. During the logon process, authorization and

So what? Any way to make the SMB server ignore this?

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Have you tried disabling UAC in Group Policy Manager?

MM

>> xxxxx@storagecraft.com 2006-09-19 03:38 >>>

“Maxim S. Shatskih” wrote:

> Question:
> - how can I configure SRV on Vista so that it will not do such dropping?

As you may already appreciate, this probably isn’t so much a decision
of SRV as it is the processing and handling being applied to new logon
sessions, network or interactive, for local user accounts.

Network logon sessions don’t appear to be forced into the full “split
logon session” approach under UAC like an interactive logon will be.
But apparently there is still a filtered token being created in
response to the network logon, as opposed to just a full token.

I can’t say I understand the “why”. While on the one hand it seems to
fit with Vista’s “limited user” approach that code running on the
remote machine doesn’t get your full access/permissions to the shared
folder by default, how exactly the remote user is expected to
“elevate” and get their full access to the share isn’t clear to me.
(Particularly when the remote machine is downlevel, even if Vista
comes up with a solution.)

I think you can get the intended result you’re after by changing the
“LocalAccountTokenFilterPolicy” policy; a value of zero (presumably
the default) causes remote logons to have a filtered token, and a
value of 1 allows them to have a full token:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system]
"LocalAccountTokenFilterPolicy"=dword:00000001

How exactly this is expected to be used or required/not required in
the final Vista product remains to be seen, at least to my knowledge.

> More so. Am I correct that this will also limit all RPC/DCOM-based
> administration tools for a Vista computer?

I would certainly expect this is true, based upon whether the network
logon session is allowed to create a full token or a filtered token.

Alan Adams
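
The behaviour discussed in this thread, as an added example that is not part of any poster's message: a simplified Python model of the share access check, in which a filtered token keeps the Administrators SID only as deny-only, so an allow ACE for that group no longer matches. The SID for "maxim", the function names and the rule deciding when a network logon is filtered are assumptions of the model.

```python
"""Simplified model (added example) of UAC token filtering vs. a share ACL."""
from dataclasses import dataclass

ADMINS = "S-1-5-32-544"   # well-known SID of the built-in Administrators group
USERS = "S-1-5-32-545"    # well-known SID of the built-in Users group
MAXIM = "S-1-5-21-1000-2000-3000-1001"  # constructed SID for local user "maxim"
FULL_CONTROL = 0x001F01FF  # FILE_ALL_ACCESS


@dataclass(frozen=True)
class Ace:
    allow: bool  # True = access-allowed ACE, False = access-denied ACE
    sid: str
    mask: int


@dataclass(frozen=True)
class Token:
    user: str
    enabled: frozenset    # group SIDs that match both allow and deny ACEs
    deny_only: frozenset  # group SIDs that match deny ACEs only


def network_logon_token(user, groups, uac_enabled, token_filter_policy,
                        local_account=True):
    """Model assumption: a network logon is filtered when UAC is on, the
    account is a local member of Administrators, and
    LocalAccountTokenFilterPolicy is 0."""
    groups = frozenset(groups)
    if (uac_enabled and local_account and token_filter_policy == 0
            and ADMINS in groups):
        # Filtering does not delete the group; it demotes it to deny-only.
        return Token(user, groups - {ADMINS}, frozenset({ADMINS}))
    return Token(user, groups, frozenset())


def access_check(token, dacl, desired):
    """Walk the DACL in order, the way the Windows access check does."""
    remaining = desired
    for ace in dacl:
        full_match = ace.sid == token.user or ace.sid in token.enabled
        if ace.allow:
            if full_match:
                remaining &= ~ace.mask
        elif (full_match or ace.sid in token.deny_only) and ace.mask & remaining:
            return False  # a deny ACE covers a right that is still needed
        if remaining == 0:
            return True
    return remaining == 0


def run_scenarios():
    """Reproduce the observations from the original post, plus one edge case."""
    groups = {ADMINS, USERS}
    admins_only = [Ace(True, ADMINS, FULL_CONTROL)]
    admins_and_maxim = admins_only + [Ace(True, MAXIM, FULL_CONTROL)]
    deny_admins = [Ace(False, ADMINS, FULL_CONTROL),
                   Ace(True, MAXIM, FULL_CONTROL)]

    filtered = network_logon_token(MAXIM, groups, True, 0)
    uac_off = network_logon_token(MAXIM, groups, False, 0)
    policy_1 = network_logon_token(MAXIM, groups, True, 1)

    return {
        "uac_on_admins_only": access_check(filtered, admins_only, FULL_CONTROL),
        "uac_on_explicit_user": access_check(filtered, admins_and_maxim, FULL_CONTROL),
        "uac_off_admins_only": access_check(uac_off, admins_only, FULL_CONTROL),
        "policy_1_admins_only": access_check(policy_1, admins_only, FULL_CONTROL),
        # Edge case: the deny-only SID still triggers a deny ACE, so the
        # membership is demoted rather than removed from the token.
        "uac_on_deny_admins": access_check(filtered, deny_admins, FULL_CONTROL),
    }


if __name__ == "__main__":
    for name, granted in run_scenarios().items():
        print(f"{name:24} {'granted' if granted else 'ACCESS DENIED'}")
```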

Surely, and this helps, but is there any way to make the SMB server
UAC-agnostic?

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Martin O’Brien”
To: “Windows System Software Devs Interest List”
Sent: Tuesday, September 19, 2006 3:00 PM
Subject: Re: [ntdev] Vista file sharing and UAC


> I think you can get the intended result you’re after by changing the
> “LocalAccountTokenFilterPolicy” policy; a value of zero (presumably
> the default) causes remote logons to have a filtered token, and a
> value of 1 allows them to have a full token:

Thanks. Setting this to 1 solved the SMB issue. I’m amazed that this value is
not documented by MS.

The SMB issue is very bad, since it makes the Administrators group count for
nothing in the share ACLs, which is not always a good idea.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

MAXIM:

Sorry. I missed your point. If this helps, I’ve resolved, in a manner
of speaking, RPC issues such as getting SC to work by disabling anything
security related and committing similar acts that would be atrocities in
a production environment.

MM

>> xxxxx@storagecraft.com 2006-09-19 15:27 >>>

No, I just want the Administrators group to be valid as in pre-Vista
Windows, when we are speaking about SMB/RPC/DCOM.

For now, on Vista, the SMB share with only “Administrators” ACE on it is
similar to the SMB share with the 100% empty ACL, not accessible to anybody.

UAC in these contexts is a brain damage. It does nothing useful except
effectively wiping the Administrators group out of existence.

UAC is good for interactive apps, but is a sheer nonsense for networking.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Martin O’Brien”
To: “Windows System Software Devs Interest List”
Sent: Wednesday, September 20, 2006 4:36 PM
Subject: Re: [ntdev] Vista file sharing and UAC


Consider who UAC was designed for – home users, who rarely, if ever need to administer other machines. In fact they need to *not* have their own machines “administered”.

So just turn it off and be happy. It’s not designed for you or what you do.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Wednesday, September 20, 2006 9:31 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Vista file sharing and UAC


I think it sucks all around, as, the way I see it, the bottom line is
that either you have to be willing to accept being unable to do a lot of
things, or you don’t perform these sorts of privileged operations, in
which case the whole thing is irrelevant anyway. If you still want to
perform these operations, then the dialog box is just an inconvenience.
I get the idea of wanting to draw the user’s attention to what in theory
should be a significant event of potentially unknown origin, but in
practice these events that cause UAC to fire are just way too common to
have the desired effect - it ends up being like a firewall that refuses
outgoing connections on everything. I have no way of knowing, but I
think the workarounds end up being so much more massively worse to
security in the end. They certainly were in my case, particularly
since, frankly, I couldn’t even tell you what it is I did specifically;
I just enabled/disabled everything security related, including some very
unwise actions like letting Everyone apply to anonymous, changing the
default permissions for Guest, and changing the share model back to
classic. I would never do this on anything other than a test machine,
but until it is documented how to accomplish what I needed to get RPC
based things that worked fine in XP SP2 working on Vista, the
workarounds are either going to be crippling or totally unsafe.

MM


>> xxxxx@storagecraft.com 2006-09-20 12:31 >>>

I agree with the sentiment; my objection is that exactly what to turn
off, in my case for RPC, is not documented, or at least not obviously.
It is probably there somewhere, but I feel like changes that break
things that worked in XP should be documented clearly, including the
steps required to reverse them. For example, the changes required to get
SC running even on XP SP 2. Once guessing gets involved, things have
the potential to end up worse than they need to be or might have been in
XP.

>> xxxxx@microsoft.com 2006-09-20 12:50 >>>

I don’t know about previous builds, but in RC1, the option to control UAC is quite visible in the control panel. Control panel, User accounts, User accounts (again, oddly), and then there’s the option to turn UAC on/off. No need to grovel through the registry, etc.

Consider UAC the first swing at fine-grained access control *within* a single security principal. I’m not crazy about it, but it’s clearly needed in the short-term. Long-term, hopefully, the security people can come up with something better. As usual, the need to maintain compatibility with the roughly nineteen gumptillion applications trumps most clean-slate designs.

– arlie

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Martin O’Brien
Sent: Wednesday, September 20, 2006 10:59 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Vista file sharing and UAC
