Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Wednesday, July 3, 2019 2:37 PM
I want to add administrator privileges to a file, but I cannot grant a user administrator privileges; when I go to the security tab for the file then choose Administrators I'm unable to apply Administrator
privileges to the file.
If I go to edit then click add I'm once again unable to select a user or a group, in this case I want to select a user, that user being an administrator to the file. Therefore a program that requires to read the file as an administrator and only as an administrator even if the program is launched as a standard user, the file will be readable.
All replies (29)
Thursday, July 4, 2019 7:16 AM
Hi,
We need to login system with administrator account, so we have right to grand full privilege to file.
For more details, please check the link below:
Bests,
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Thursday, July 4, 2019 12:49 PM
Hello,
IMO, this is not possible. That's why we've standard user account and administrator account independently present. The file can either be run as administrator rights or not. I believe you need to log on as administrator and run the file, if it runs with administrative rights only. You can't simply grant admin rights to standard user profile to run the file.
Thanks for your understanding!
Microsoft MVP (Windows and Devices for IT)
Windows Insider MVP
Windows Help & Support [www.kapilarya.com]
Thursday, July 4, 2019 1:00 PM
How about assigning a user or a group, in this case only a user to the file within the security tab; that user being administrator when logged in as a standard user. Will that not grant administrator privileges to the file within a standard user ?
Tuesday, July 9, 2019 3:29 PM
Hi,
Login system as a standard user will not being administrator.
Only administrator have right to grant file access privilege to other users. So for standard user account, even if it have full privilege for the file, but the privilege was given from admin account. Your desire is not available to achieve.
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Wednesday, July 10, 2019 12:01 AM
Hi,
Login system as a standard user will not being administrator.
Only administrator have right to grant file access privilege to other users. So for standard user account, even if it have full privilege for the file, but the privilege was given from admin account. Your desire is not available to achieve.
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Either one of you is not addressing the second part of my question ?
Wednesday, July 10, 2019 12:30 AM
Are you the Administrator of your system?
Press the Windows key + R to open the Run box. Type netplwiz and press Enter.
Check the "Users must enter a user name and password to use this computer" box, select the user name that you want to change the account type of, and click on Properties.
Click on the Group Membership tab. Click to check the Administrator radio button and click OK.
========
Open an elevated Command Prompt.
In the Command Prompt, you can use the net localgroup command to promote any user to an administrator. For example, to make Tom an administrator, type:
net localgroup Administrators Tom /add
Now, the account should be an administrator.
S.Sengupta,Microsoft MVP Windows and Devices for IT, Windows Insider MVP
Wednesday, July 10, 2019 12:51 AM
I want to add administrator privileges to a file, but I cannot grant a user administrator privileges; when I go to the security tab for the file then choose Administrators I'm unable to apply Administrator
privileges to the file.If I go to edit then click add I'm once again unable to select a user or a group, in this case I want to select a user, that user being an administrator to the file. Therefore a program that requires to read the file as an administrator and only as an administrator even if the program is launched as a standard user, the file will be readable.
Your question is confusing.
"I want to add administrator privileges to a file" That makes it sound like you want to have a program execute with administrator rights even if a standard user runs it. That cannot be done.
If you wish to grant the Administrators group read/write access to the file, then the account that you have logged in with must be the owner of the file or have "change permissions" access.
"that user being an administrator to the file." Files have owners. They do not have administrators. The word administrators is used when defining the highest level access to the entire computer. Files also have security permissions assigned to them to define which users can access the file and if they have read/write/delete/etc access.
"Therefore a program that requires to read the file as an administrator and only as an administrator even if the program is launched as a standard user, the file will be readable."
When a program is run by any user, that program has the access that the user has. For example, a standard user logs on and runs notepad.exe. Notepad can open any file that the user has read access to. If the user has update access to a file, then notepad can also save changes to it. If the file is restricted to only administrators, then the standard user (notepad) will get an access denied error.
It appears that you have a data file and a program. The file security permissions on the data file are restricted to only administrators. But you want to grant administrator rights to the program so that when a standard user executes it then it has access to the data file. Do I understand your question correctly? If so, you can't do that.
Perhaps if you could give an example of what you are trying to do in your situation, then someone could help you.
Wednesday, July 10, 2019 1:00 AM
The program runs as a Standard user, although there is a file which the program reads that must have administrator privileges and only administrator privileges. Therefore is it not possible to add a user or a group specifically to this file giving it administrator privileges, so the program can read the file.
I do not want to run the program as an administrator otherwise the settings etc will be reset to default.
Wednesday, July 10, 2019 1:48 AM
there is a file which the program reads that must have administrator privileges and only administrator privileges. Therefore is it not possible to add a user or a group specifically to this file giving it administrator privileges, so the program can read the file.
So you have a file like this sample txt file, where only administrators have access. Is that correct?
And you have a program that needs to be run by a user account that is NOT a member of the Administrators group, and this program needs to read/write that file. Correct.
You can't do that. That is the whole purpose of having security permissions. To restrict access to only those accounts who are authorized.
Is the program something that you or someone in your organization wrote? Ie, do you have the source code? If you do, then you could add in code to impersonate an Administrator account. That would allow the standard user to access a file whose security permissions are restricted to members of the Administrators group.
If you don't have the source code, then you could also write your own program to issue the impersonation call and then invoke the actual application program.
Wednesday, July 10, 2019 2:00 AM
there is a file which the program reads that must have administrator privileges and only administrator privileges. Therefore is it not possible to add a user or a group specifically to this file giving it administrator privileges, so the program can read the file.
So you have a file like this sample txt file, where only administrators have access. Is that correct?
And you have a program that needs to be run by a user account that is NOT a member of the Administrators group, and this program needs to read/write that file. Correct.
You can't do that. That is the whole purpose of having security permissions. To restrict access to only those accounts who are authorized.
Is the program something that you or someone in your organization wrote? Ie, do you have the source code? If you do, then you could add in code to impersonate an Administrator account. That would allow the standard user to access a file whose security permissions are restricted to members of the Administrators group.
If you don't have the source code, then you could also write your own program to issue the impersonation call and then invoke the actual application program.
I have a file as in your case a sample text file where the administrator does not have access to the file. I want to grant administrator access to the file when logged in as a standard user; the program is running not as an administrator but as a standard user.
Wednesday, July 10, 2019 2:22 AM
What accounts or groups have access to the file? You have to use one of those accounts to modify the permissions.
Wednesday, July 10, 2019 2:48 AM
Open a command prompt and CD to the folder where your file is. Run these commands like I did with the sample txt file. Use your file name.
dir /q "New Text Document.txt"
icacls "New Text Document.txt"
whoami
whoami /groups
Copy and paste the results like this:
C:\Users\Admin\Desktop>dir /q "New Text Document.txt"
Volume in drive C has no label.
Volume Serial Number is C292-CDF4
Directory of C:\Users\Admin\Desktop
06/23/2019 04:13 PM 0 TEST10B\Admin New Text Document.txt
1 File(s) 0 bytes
0 Dir(s) 42,187,681,792 bytes free
C:\Users\Admin\Desktop>icacls "New Text Document.txt"
New Text Document.txt BUILTIN\Administrators:(F)
Successfully processed 1 files; Failed processing 0 files
C:\Users\Admin\Desktop>whoami
test10b\admin
C:\Users\Admin\Desktop>whoami /groups
GROUP INFORMATION
Group Name Type SID Attributes
============================================================= ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Group used for deny only
BUILTIN\Administrators Alias S-1-5-32-544 Group used for deny only
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
C:\Users\Admin\Desktop>
Wednesday, July 10, 2019 4:36 PM
Open a command prompt and CD to the folder where your file is. Run these commands like I did with the sample txt file. Use your file name.
dir /q "New Text Document.txt" icacls "New Text Document.txt" whoami whoami /groupsCopy and paste the results like this:
C:\Users\Admin\Desktop>dir /q "New Text Document.txt" Volume in drive C has no label. Volume Serial Number is C292-CDF4 Directory of C:\Users\Admin\Desktop 06/23/2019 04:13 PM 0 TEST10B\Admin New Text Document.txt 1 File(s) 0 bytes 0 Dir(s) 42,187,681,792 bytes free C:\Users\Admin\Desktop>icacls "New Text Document.txt" New Text Document.txt BUILTIN\Administrators:(F) Successfully processed 1 files; Failed processing 0 files C:\Users\Admin\Desktop>whoami test10b\admin C:\Users\Admin\Desktop>whoami /groups GROUP INFORMATION Group Name Type SID Attributes ============================================================= ================ ============ ================================================== Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Group used for deny only BUILTIN\Administrators Alias S-1-5-32-544 Group used for deny only BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group Mandatory Label\Medium Mandatory Level Label S-1-16-8192 C:\Users\Admin\Desktop>
Wednesday, July 10, 2019 5:37 PM
On the CSS file, Authenticated Users have Modify access. So a standard user will be able to read and update the file. What else do you need? What permission are you trying to add?
Wednesday, July 10, 2019 6:35 PM
On the CSS file, Authenticated Users have Modify access. So a standard user will be able to read and update the file. What else do you need? What permission are you trying to add?
I want only an Administrator access to read the file, though a standard user.
Wednesday, July 10, 2019 7:35 PM
The CSS file is inheriting the security permissions from the parent folder. That's what the "(I)" indicates. In order to change permissions you will need to have Administrator level access. Currently you only have Modify access because you are an Authenticated User. Administrators are also Authenticated Users so you will need to set both Administrators and Authenticated Users to read only access.
But by doing that you would remove your own access. So you will have you add your own account to the security and grant it full control. Normally, to control access to source code, I would create another group named Developers and use that instead of individual accounts.
Typically it is better to set permissions on the folder and not individual files. On C:\Custom Program Settings or on the vscode_settings folder, you will need to use the Advanced Security tab and disable inheritance and select the option to copy the permissions. Then you would set both Administrators and Authenticated Users to read only and add your account. (Or add your account to the Developers group and use it instead.) Have it reset the permissions on the entire folder structure.
What is the real problem that you have? Just by asking this question I have to wonder how much experience you have settings permissions. You can get yourself in trouble very easily if you are not careful.
You cannot stop an administrator from updating a file. Even if you successfully set the permissions to block them, they can just take ownership and grant themselves access and then update the file.
Wednesday, July 10, 2019 9:50 PM
The CSS file is inheriting the security permissions from the parent folder. That's what the "(I)" indicates. In order to change permissions you will need to have Administrator level access. Currently you only have Modify access because you are an Authenticated User. Administrators are also Authenticated Users so you will need to set both Administrators and Authenticated Users to read only access.
But by doing that you would remove your own access. So you will have you add your own account to the security and grant it full control. Normally, to control access to source code, I would create another group named Developers and use that instead of individual accounts.
Typically it is better to set permissions on the folder and not individual files. On C:\Custom Program Settings or on the vscode_settings folder, you will need to use the Advanced Security tab and disable inheritance and select the option to copy the permissions. Then you would set both Administrators and Authenticated Users to read only and add your account. (Or add your account to the Developers group and use it instead.) Have it reset the permissions on the entire folder structure.
What is the real problem that you have? Just by asking this question I have to wonder how much experience you have settings permissions. You can get yourself in trouble very easily if you are not careful.
You cannot stop an administrator from updating a file. Even if you successfully set the permissions to block them, they can just take ownership and grant themselves access and then update the file.
I should disable inheritance, then I choose Remove all inherited permissions from this object when asked what I want to do with the current inherited permissions, correct ?
Although where is the option to copy the permissions ?
Thursday, July 11, 2019 1:08 AM
Thursday, July 11, 2019 1:44 AM
[quote]You cannot stop an administrator from updating a file. Even if you successfully set the permissions to block them, they can just take ownership and grant themselves access and then update the file. [/quote]
I granted the folder and all folders inside the folder full administration access, correct ? Although I don't quite understand what you mean as I quoted above ?
Thursday, July 11, 2019 12:08 PM
I meant what I wrote. You cannot stop an administrator from updating a file if he is intent on updating it. I have run into situations where file systems were migrated from one machine to another and the permission were all messed up and nobody could access the files. As an admin I could take ownership over the files and then reset the permissions to allow anyone to access them.
Thursday, July 11, 2019 1:33 PM
By doing this to a folder, the files within that folder all should have administration privileges, correct ?
Thursday, July 11, 2019 1:35 PM
I meant what I wrote. You cannot stop an administrator from updating a file if he is intent on updating it. I have run into situations where file systems were migrated from one machine to another and the permission were all messed up and nobody could access the files. As an admin I could take ownership over the files and then reset the permissions to allow anyone to access them.
Please see two posts above. If all is correct, I think I may need to change the privileges within a folder in %userprofiles% by changing it to a administration folder as if I was logged in as an administrator. I'll have to tinker with this and I will follow up, as long as what I wrote in a previous post is correct ?
Thursday, July 11, 2019 11:10 PM
I have no idea what your question is. If you are trying to prevent an administrator from updating a folder then you need to set both the Administrators group and Authenticated users to read only access. For the accounts that want to update the folder, you need to grant them full control.
Friday, July 12, 2019 1:50 AM
I have no idea what your question is. If you are trying to prevent an administrator from updating a folder then you need to set both the Administrators group and Authenticated users to read only access. For the accounts that want to update the folder, you need to grant them full control.
From what I know *icacls *can grant a program run as a standard user, administrator rights; therefore allowing the program to read and write, if it can only write under an administrator.
Friday, July 12, 2019 12:10 PM
Hi,
I think you want to know if the owner of the folder also have full control with those files, right?
If we enable inheritance, the file privilege will same with folder. If we disable inheritance, the privilege of the folder will not apply to file.
Bests,
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Friday, July 12, 2019 12:27 PM
Hi,
I think you want to know if the owner of the folder also have full control with those files, right?
If we enable inheritance, the file privilege will same with folder. If we disable inheritance, the privilege of the folder will not apply to file.
Bests,
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
I want to know if icacls can do as I want to do ?
Friday, July 12, 2019 1:22 PM
Hi,
I want to know if icacls can do as I want to do ?
Icacls is a command line utility that can set security permissions on file and folders. You can also set security permissions with the Windows explorer if you prefer to use a graphical user interface instead of a command line interface (icacls).
Saturday, July 13, 2019 11:41 AM
Hi,
Yeah, the command line could be used to grant user with specific access right.
For more information about icacls, please refer to the link below:
Bests,
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Monday, July 29, 2019 1:50 AM
Hi,
Haven't received your message a few days, was your issue resolved?
I am proposing previous helpful replies as "Answered". Please feel free to try it and let me know the result.
If the reply is helpful, please remember to mark it as answer which can help other community members who have same questions and find the helpful reply quickly.
Bests,
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].