Permissions / UAC

I'm using Windows 2008 R2 as a webserer, the machine is part of a domain...

When the directory for each website is provisioned, it's setup with the
following permissions:

IIS APPPOOL\\<site> - READ
SYSTEM - FULL
Administrators - FULL

The website works fine, however whenever I attempt to browse to a newly
created folder in Windows Explorer I get the following:


"You don't currently have permissions to access this folder.

Click Continue to permanently get access to this folder. "


I've tried the following:

i) Running Explorer as Administrator
ii) Adding my domain user to a custom local group and adding FULL
permissions to that folder

Neither got rid of the prompt..

What I'd really like to happen is either no prompt at all, or forcing the
UAC confirmation prompt (UAC is turned on). I really don't want to have
every user receive this prompt, when there could be thousands of folders,
and the ACL's polluted with all this additional rubbish.

Any ideas?

~ Mike

--
--
NOTICE: This email and any file transmitted are confidential and/or legally
privileged and intended only for the person(s) directly addressed. If you
are not the intended recipient, any use, copying, transmission,
distribution, or other forms of dissemination is strictly prohibited. If you
have received this email in error, please notify the sender immediately and
permanently delete the email and files, if any.

 

Hello Mike,

I suggest to use this forum:


Especially made for IIS 7.5 in 2008 R2.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!

<!--coloro:blue--><span style="color:blue <!--/coloro-->
> I'm using Windows 2008 R2 as a webserer, the machine is part of a
> domain...
>
> When the directory for each website is provisioned, it's setup with
> the following permissions:
>
> IIS APPPOOL\<site> - READ
> SYSTEM - FULL
> Administrators - FULL
> The website works fine, however whenever I attempt to browse to a
> newly created folder in Windows Explorer I get the following:
>
> "You don't currently have permissions to access this folder.
>
> Click Continue to permanently get access to this folder. "
>
> I've tried the following:
>
> i) Running Explorer as Administrator
> ii) Adding my domain user to a custom local group and adding FULL
> permissions to that folder
> Neither got rid of the prompt..
>
> What I'd really like to happen is either no prompt at all, or forcing
> the UAC confirmation prompt (UAC is turned on). I really don't want
> to have every user receive this prompt, when there could be thousands
> of folders, and the ACL's polluted with all this additional rubbish.
>
> Any ideas?
>
> ~ Mike
> <!--colorc--><!--/colorc-->

 

"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d7b8f8cc1d4cb0a07eae@msnews.microsoft.com...<!--coloro:blue--><span style="color:blue <!--/coloro-->
> Hello Mike,
>
> I suggest to use this forum:
>
>
> Especially made for IIS 7.5 in 2008 R2.<!--colorc--><!--/colorc-->

Thanks for the response,

It's not actually a IIS7 question though. It's a UAC/ACL issue.

I need to get around that explorer prompt somehow, through setting the ACL's
differently (I guess) or having a way to force a UAC prompt.

~ Mike

 

"Mike 'Spike' Lovell" <no.email.address.provided@gotinker.com> wrote in
message news:OxMfKI0TKHA.1792@TK2MSFTNGP04.phx.gbl...<!--coloro:blue--><span style="color:blue <!--/coloro-->
>
> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
> news:6cb2911d7b8f8cc1d4cb0a07eae@msnews.microsoft.com...<!--coloro:green--><span style="color:green <!--/coloro-->
>> Hello Mike,
>>
>> I suggest to use this forum:
>>
>>
>> Especially made for IIS 7.5 in 2008 R2.<!--colorc--><!--/colorc-->
>
> Thanks for the response,
>
> It's not actually a IIS7 question though. It's a UAC/ACL issue.
>
> I need to get around that explorer prompt somehow, through setting the
> ACL's differently (I guess) or having a way to force a UAC prompt.
>
> ~ Mike<!--colorc--><!--/colorc-->


If it's something you are trying to control access using web-based access
along with NTFS permissions to the website, and not logged on as the
administrator (assuming so since you have administrator in the ACL), then to
allow anonymous access, you will also need the IIS_IUSR account with
Read/Execute, Read and List.

Ace

 

"Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:#8O0Cy7TKHA.1280@TK2MSFTNGP04.phx.gbl...<!--coloro:blue--><span style="color:blue <!--/coloro-->
> "Mike 'Spike' Lovell" <no.email.address.provided@gotinker.com> wrote in
> message news:OxMfKI0TKHA.1792@TK2MSFTNGP04.phx.gbl...<!--coloro:green--><span style="color:green <!--/coloro-->
>>
>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
>> news:6cb2911d7b8f8cc1d4cb0a07eae@msnews.microsoft.com...<!--coloro:darkred--><span style="color:darkred <!--/coloro-->
>>> Hello Mike,
>>>
>>> I suggest to use this forum:
>>>
>>>
>>> Especially made for IIS 7.5 in 2008 R2.<!--colorc--><!--/colorc-->
>>
>> Thanks for the response,
>>
>> It's not actually a IIS7 question though. It's a UAC/ACL issue.
>>
>> I need to get around that explorer prompt somehow, through setting the
>> ACL's differently (I guess) or having a way to force a UAC prompt.
>>
>> ~ Mike<!--colorc--><!--/colorc-->
>
>
> If it's something you are trying to control access using web-based access
> along with NTFS permissions to the website, and not logged on as the
> administrator (assuming so since you have administrator in the ACL), then
> to allow anonymous access, you will also need the IIS_IUSR account with
> Read/Execute, Read and List.<!--colorc--><!--/colorc-->

The only problem I have (ignore anything to do with websites), is getting
the above warmomg when logged is as a Domain Admin account (tried both
explorer normally, then explorer run as an administrator).

Both "Domain Admins" and local "Administrators" have full permissions to the
folder.

No UAC prompt (which would be better than the error I first mentioned), and
no ACL setup I'm found that sorts it out (as per first post).

Confused! - I think everyone might be under a false impression to what
I'm saying the problem is, if you re-read the first post it might become
clearer.

~ Mike

 

"Mike 'Spike' Lovell" <no.email.address.provided@gotinker.com> wrote in
message news:uBVBP$$TKHA.5164@TK2MSFTNGP02.phx.gbl...<!--coloro:blue--><span style="color:blue <!--/coloro-->
>
> "Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
> news:#8O0Cy7TKHA.1280@TK2MSFTNGP04.phx.gbl...<!--coloro:green--><span style="color:green <!--/coloro-->
>> "Mike 'Spike' Lovell" <no.email.address.provided@gotinker.com> wrote in
>> message news:OxMfKI0TKHA.1792@TK2MSFTNGP04.phx.gbl...<!--coloro:darkred--><span style="color:darkred <!--/coloro-->
>>>
>>> "Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
>>> news:6cb2911d7b8f8cc1d4cb0a07eae@msnews.microsoft.com...
>>>> Hello Mike,
>>>>
>>>> I suggest to use this forum:
>>>>
>>>>
>>>> Especially made for IIS 7.5 in 2008 R2.
>>>
>>> Thanks for the response,
>>>
>>> It's not actually a IIS7 question though. It's a UAC/ACL issue.
>>>
>>> I need to get around that explorer prompt somehow, through setting the
>>> ACL's differently (I guess) or having a way to force a UAC prompt.
>>>
>>> ~ Mike<!--colorc--><!--/colorc-->
>>
>>
>> If it's something you are trying to control access using web-based access
>> along with NTFS permissions to the website, and not logged on as the
>> administrator (assuming so since you have administrator in the ACL), then
>> to allow anonymous access, you will also need the IIS_IUSR account with
>> Read/Execute, Read and List.<!--colorc--><!--/colorc-->
>
> The only problem I have (ignore anything to do with websites), is getting
> the above warmomg when logged is as a Domain Admin account (tried both
> explorer normally, then explorer run as an administrator).
>
> Both "Domain Admins" and local "Administrators" have full permissions to
> the folder.
>
> No UAC prompt (which would be better than the error I first mentioned),
> and no ACL setup I'm found that sorts it out (as per first post).
>
> Confused! - I think everyone might be under a false impression to
> what I'm saying the problem is, if you re-read the first post it might
> become clearer.
>
> ~ Mike<!--colorc--><!--/colorc-->



I assume you've created the child folder (under that folder) in Explorer,
and of course it inherited those permissions. I haven't dwelved into the new
IIS 2008 R2 permissions, but it is possible the AppPool permissions may have
a built-in protection somewhere to even disallow certain permissions
considering it may be a web-based security protection mechanism for anyone
coming in as admin to stop any possibly attempt at control. Therefore,
curious, if you removed the AppPool permissions and create another folder,
does the same thing happen?

Ace

 

> I assume you've created the child folder (under that folder) in Explorer, <!--coloro:blue--><span style="color:blue <!--/coloro-->
> and of course it inherited those permissions. I haven't dwelved into the
> new IIS 2008 R2 permissions, but it is possible the AppPool permissions
> may have a built-in protection somewhere to even disallow certain
> permissions considering it may be a web-based security protection
> mechanism for anyone coming in as admin to stop any possibly attempt at
> control. Therefore, curious, if you removed the AppPool permissions and
> create another folder, does the same thing happen?<!--colorc--><!--/colorc-->

Yes, this happens in the absence of settings any App Pool permissions...

There's a structure similar to this:

\ [App Pool permissions NOT here]
\documents [ App Pool permissions here]
\xml [ And here]

The problem still happens when first trying to open that root folder
(without App Pool there). Reason why I mentioned about the App Pool
permissions was just to point out that the websites are actually working (so
the ACL's are fine for that).

Just, adding Domain Admins and Administrators with Full, why not let me in
(or prompt UAC)!!!

~ Mike

 

"Mike 'Spike' Lovell" <no.email.address.provided@gotinker.com> wrote in
message news:O9OgVfBUKHA.1372@TK2MSFTNGP02.phx.gbl...<!--coloro:blue--><span style="color:blue <!--/coloro--><!--coloro:green--><span style="color:green <!--/coloro-->
>> I assume you've created the child folder (under that folder) in Explorer,
>> and of course it inherited those permissions. I haven't dwelved into the
>> new IIS 2008 R2 permissions, but it is possible the AppPool permissions
>> may have a built-in protection somewhere to even disallow certain
>> permissions considering it may be a web-based security protection
>> mechanism for anyone coming in as admin to stop any possibly attempt at
>> control. Therefore, curious, if you removed the AppPool permissions and
>> create another folder, does the same thing happen?<!--colorc--><!--/colorc-->
>
> Yes, this happens in the absence of settings any App Pool permissions...
>
> There's a structure similar to this:
>
> [App Pool permissions NOT here]
> documents [ App Pool permissions here]
> xml [ And here]
>
> The problem still happens when first trying to open that root folder
> (without App Pool there). Reason why I mentioned about the App Pool
> permissions was just to point out that the websites are actually working
> (so the ACL's are fine for that).
>
> Just, adding Domain Admins and Administrators with Full, why not let me in
> (or prompt UAC)!!!
>
> ~ Mike<!--colorc--><!--/colorc-->


One thing that comes to mindis possibly because the original folder
structure was created by IIS during installation. Check the Owner tab.
Curious who the owner is.

Ace

 

> One thing that comes to mindis possibly because the original folder <!--coloro:blue--><span style="color:blue <!--/coloro-->
> structure was created by IIS during installation. Check the Owner tab.
> Curious who the owner is.<!--colorc--><!--/colorc-->

It's all custom, IIS never touched these folders (creation wise).

Administrators is set as owner

~ Mike

 

"Mike 'Spike' Lovell" <no.email.address.provided@gotinker.com> wrote in
message news:ueIVDQLUKHA.4004@TK2MSFTNGP05.phx.gbl...<!--coloro:blue--><span style="color:blue <!--/coloro--><!--coloro:green--><span style="color:green <!--/coloro-->
>> One thing that comes to mindis possibly because the original folder
>> structure was created by IIS during installation. Check the Owner tab.
>> Curious who the owner is.<!--colorc--><!--/colorc-->
>
> It's all custom, IIS never touched these folders (creation wise).
>
> Administrators is set as owner
>
> ~ Mike<!--colorc--><!--/colorc-->


Hmm, well that theory just got shot down. And all this happens just under
the inetpub folders and no where else on the drive? If I think of anything
else, I'll post back.

Ace