  1. #1


    Join Date
    Jan 2006
    Posts
    8,202
    Thank Post
    442
    Thanked 1,032 Times in 812 Posts
    Rep Power
    339

    permissions on c:\programdata

    I need to change some file permissions in c:\programdata but I keep getting an "access denied" as a local administrator.
    What's the recommended procedure to edit files in here?

  2. #2


    I took ownership, and took away "deny" read for everyone - and it is a recursive link !?!?

    Where does the "equivalent" of c:\documents and settings\all users\application data actually reside now?

  3. #3


    BUMP.

    Can anyone explain the differences between XP/2003 and Win7/2008 profiles?

  4. #4

    Steve21's Avatar
    Join Date
    Feb 2011
    Location
    Swindon
    Posts
    2,731
    Thank Post
    344
    Thanked 520 Times in 488 Posts
    Rep Power
    180
    Well as an example:

    XP: Documents and settings\All Users\Desktop
    Vista/7 : C:\Users\Public\Desktop

    XP: Documents and settings\Steve\application data
    Vista/7 C:\Users\Steve\AppData

    All appdata should be changed in there really, what is it you're trying to edit in ProgramData?

    As an expansion to above:

    C:\users\all users is a direct link to C:\ProgramData. Add a file to C:\users\all users and it'll actually be stored/show up in programdata etc etc

    Steve
    Last edited by Steve21; 9th September 2012 at 12:39 PM.


  6. #5


    Thanks,

    Quote Originally Posted by Steve21 View Post
    All appdata should be changed in there really, what is it you're trying to edit in ProgramData?
    I'm trying to do this:

    Make sure the permissions are correct for MachineKeys folders. The MachineKeys folder is located under the \All Users Profile\Application Data\Microsoft\Crypto\RSA folder. The following settings are the default permissions for the MachineKeys folder:
    Administrator (Full Control) This folder only
    Everyone (Special) This folder, subfolders, and files
    SYSTEM (Full Control) This folder, subfolders, and files
    The Everyone group, should have the following Special permissions selected:
    • List Folder/Read Data
    • Read Attributes
    • Read Extended Attributes
    • Create Files/Write Data
    • Create Folders/Append Data
    • Write Attributes
    • Write Extended Attributes
    • Read Permissions
    CTX118548 - Secure Gateway Error: The server certificate specified is unusable. - Citrix Knowledge Center
    but I'm finding I don't have permissions on it as an administrator

  7. #6

    vikpaw's Avatar
    Join Date
    Sep 2006
    Location
    Saudi Arabia
    Posts
    5,820
    Thank Post
    734
    Thanked 1,448 Times in 1,201 Posts
    Rep Power
    361
    But isn't there an added complication in the way it works? They've split up the app data into roaming, local, localtemp etc.

  8. #7

    vikpaw's Avatar
    I meant local low.
    Anyhow, this location exists: C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys

    The machinekeys folder has a padlock on it. Can you access it?


  10. #8


    Quote Originally Posted by vikpaw View Post
    I meant local low.
    Anyhow, this location exists: C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys

    The machinekeys folder has a padlock on it. Can you access it?
    No I can't get in there. If I change the permissions it seems to be a recursive link

  11. #9

    Steve21's Avatar
    Quote Originally Posted by CyberNerd View Post
    No I can't get in there. If I change the permissions it seems to be a recursive link
    What permissions did it have set on it before you changed it?


    How high up are you trying to change the permissions? ProgramData has a link back to itself, so if you try it too high it might very well loop.

    If you run dir /aL on the program data folder it'll show you redirects.

    Code:
     Directory of C:\ProgramData
    
    02/11/2006  16:42    <JUNCTION>     Application Data [C:\ProgramData]
    02/11/2006  16:42    <JUNCTION>     Desktop [C:\Users\Public\Desktop]
    02/11/2006  16:42    <JUNCTION>     Documents [C:\Users\Public\Documents]
    02/11/2006  16:42    <JUNCTION>     Favorites [C:\Users\Public\Favorites]
    02/11/2006  16:42    <JUNCTION>     Start Menu [C:\ProgramData\Microsoft\Windows\Start Menu]
    02/11/2006  16:42    <JUNCTION>     Templates [C:\ProgramData\Microsoft\Windows\Templates]
    As you can see "Application Data [C:\ProgramData]" will be an infinite loop if you're looping through it

    Steve
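
    The junction listing above can be reproduced at every level of the tree without ever following a link, which avoids the "Application Data [C:\ProgramData]" loop. This is an added example, not part of the original post; the function name Get-TreeNoFollow is hypothetical, and the script only reads, it changes nothing.

```powershell
# Added example (not from the thread). Get-TreeNoFollow is a hypothetical name.
# Lists every entry under $Root, flags reparse points (junctions, symlinks)
# and never descends into them, so a junction that points back at its own
# parent cannot make the walk loop.
function Get-TreeNoFollow {
    param([Parameter(Mandatory = $true)][string]$Root)

    $reparse = [int][System.IO.FileAttributes]::ReparsePoint
    $pending = New-Object System.Collections.Stack
    $pending.Push($Root)

    while ($pending.Count -gt 0) {
        $dir = $pending.Pop()
        # -Force includes hidden/system entries; the legacy junctions are marked as both.
        # Folders that cannot be listed (access denied) are skipped silently.
        $children = @(Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue)
        foreach ($item in $children) {
            $isLink = (([int]$item.Attributes) -band $reparse) -ne 0
            New-Object PSObject -Property @{
                Path           = $item.FullName
                IsDirectory    = $item.PSIsContainer
                IsReparsePoint = $isLink
            }
            # Descend only into real directories, never through a junction or symlink.
            if ($item.PSIsContainer -and -not $isLink) {
                $pending.Push($item.FullName)
            }
        }
    }
}

# Read-only usage: show only the links found anywhere under ProgramData.
Get-TreeNoFollow -Root $env:ProgramData |
    Where-Object { $_.IsReparsePoint } |
    Select-Object Path
```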


  13. #10


    Quote Originally Posted by Steve21 View Post
    What permissions did it have set on it before you changed it?
    it was a default 2008R2 install

    Quote Originally Posted by Steve21 View Post


    As you can see "Application Data [C:\ProgramData]" will be an infinite loop if you're looping through it
    That's what I found!
    So what permissions am I supposed to change, given that I can't even get into the c:\programdata directory as I just get 'access denied' ?

  14. #11

    Steve21's Avatar
    Quote Originally Posted by CyberNerd View Post
    it was a default 2008R2 install



    That's what I found!
    So what permissions am I supposed to change, given that I can't even get into the c:\programdata directory as I just get 'access denied' ?
    Can't you just do a "This folder only"? Not including subfolders etc, to at least get into the top layer?

    Not really sure, why you'd be locked out, but surely only changing the top layer, and not passing it down inheritance wise would stop the loop? (Only a thought, but as always be careful )

    Steve

  15. #12


    Quote Originally Posted by Steve21 View Post
    Can't you just do a "This folder only"? Not including subfolders etc, to at least get into the top layer?

    Not really sure, why you'd be locked out, but surely only changing the top layer, and not passing it down inheritance wise would stop the loop? (Only a thought, but as always be careful )

    Steve

    Thanks, I'll give that a try tomorrow

  16. #13


    Join Date
    Feb 2007
    Location
    51.403651, -0.515458
    Posts
    9,477
    Thank Post
    246
    Thanked 2,839 Times in 2,096 Posts
    Rep Power
    817
    Quote Originally Posted by CyberNerd View Post
    So what permissions am I supposed to change
    If your MachineKeys folder already has Read + Write permissions (which it should on a default install of 2008 R2) then you do not have to do anything.



    As you can see from the table below, the special permissions listed in KB278381 for the Everyone group are essentially the same as Read + Write.






    Quote Originally Posted by CyberNerd View Post
    I took ownership, and took away "deny" read for everyone - and it is a recursive link!?!?
    Unless I am imagining things, nowhere in CTX118548 does it mention that you need to mess with the permissions on the ProgramData folder itself. I don't understand why you are doing this?

    The only folder you should be checking is %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys.

    The reason folders such as C:\ProgramData\Desktop have Deny permissions on them is because the UAC File Virtualization Filter Driver (%SystemRoot%\System32\Drivers\Luafv.sys) monitors these folders for "access denied" errors. Whenever a legacy application accesses them, Luafv.sys will redirect the reads and writes to a non-protected location (%LocalAppData%\VirtualStore). Without these permissions in place, you may have issues in the future.

    File-System virtualization
    Vista (and Windows 7) includes the UAC File Virtualization Driver (luafv.sys), which monitors all file operations, but modifies only the destination path for write/read operations on files in system-global locations if an application is deemed to be legacy. It doesn't affect native 64-bit applications, programs run from network shares or applications that have been marked as Vista/Windows 7 compatible with an application manifest.

    System-global locations
    System-global locations are areas of the filesystem and registry that can only be written to or modified by processes running with system or administrative-level privileges. %ProgramFiles%, %ProgramData%, and %SystemRoot% are the system-global locations that luafv.sys monitors for access denied errors generated by legacy applications. (Source)
    File Virtualization
    The file system locations that are virtualized for legacy processes are %ProgramFiles%, %ProgramData%, and %SystemRoot%, excluding some specific subdirectories. However, any file with an executable extension, including .exe, .bat, .scr, .vbs, and others, is excluded from virtualization. This means that programs that update themselves from a standard user account fail instead of creating private versions of their executables that aren't visible to an administrator running a global updater.

    Modifications to virtualized directories by legacy processes are redirected to the user's virtual root directory, %LocalAppData%\VirtualStore. The Local component of the path highlights the fact that virtualized files don't roam with the rest of the profile when the account has a roaming profile. If you navigate in Explorer to a directory containing virtualized files, Explorer displays a button labeled Compatibility Files in its toolbar, as shown in Figure 6-13. Clicking the button takes you to the corresponding VirtualStore subdirectory to show you the virtualized files.

    The UAC File Virtualization Filter Driver (%SystemRoot%\System32\Drivers\Luafv.sys) implements file system virtualization. Because this is a file system filter driver, it sees all file system operations, but it only implements functionality for operations from legacy processes. As shown in Figure 6-14, the filter driver changes the target file path for a legacy process that creates a file in a system-global location but does not for a non-virtualized process with standard user rights. Default permissions on the \Windows directory deny access to the application written with UAC support, but the legacy process acts as though the operation succeeds, when it really created the file in a location fully accessible by the user. (Source)
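
    A read-only way to compare the Everyone entry on %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys with the Read + Write set described in the post above. This is an added example, not part of the original thread; the variable names are illustrative, it assumes an elevated PowerShell prompt, and it modifies no permissions.

```powershell
# Added example (not from the thread). Reads the ACL only; nothing is changed.
$path = Join-Path $env:ALLUSERSPROFILE 'Microsoft\Crypto\RSA\MachineKeys'

$fsr      = [System.Security.AccessControl.FileSystemRights]
# Read + Write is exactly the eight special permissions quoted earlier in the thread:
# ReadData, ReadAttributes, ReadExtendedAttributes, ReadPermissions,
# WriteData, AppendData, WriteAttributes, WriteExtendedAttributes.
$expected = [int]$fsr::Read -bor [int]$fsr::Write
$sync     = [int]$fsr::Synchronize   # often stored alongside the other rights; ignored in the comparison
$everyone = 'S-1-1-0'                # well-known SID of the Everyone group

$acl   = Get-Acl -Path $path
# Ask for SIDs rather than names so the check also works on non-English installs.
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

# Simplification: all ACEs for Everyone are merged, whatever their inheritance scope.
$allow = 0
$deny  = 0
foreach ($rule in $rules) {
    if ($rule.IdentityReference.Value -ne $everyone) { continue }
    if ($rule.AccessControlType -eq 'Allow') {
        $allow = $allow -bor [int]$rule.FileSystemRights
    } else {
        $deny = $deny -bor [int]$rule.FileSystemRights
    }
}

$granted = $allow -band (-bnot $deny) -band (-bnot $sync)
$missing = $expected -band (-bnot $granted)
$extra   = $granted  -band (-bnot $expected)

New-Object PSObject -Property @{
    Path           = $path
    Owner          = $acl.Owner      # shows whether ownership was changed from the default
    DenyOnEveryone = $fsr.IsInstanceOfType($deny) -or ($deny -ne 0)
    MatchesDefault = ($missing -eq 0 -and $extra -eq 0)
    MissingRights  = [System.Security.AccessControl.FileSystemRights]$missing
    ExtraRights    = [System.Security.AccessControl.FileSystemRights]$extra
} | Format-List
```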

  17. #14


    Quote Originally Posted by Arthur View Post
    Unless I am imagining things, nowhere in CTX118548 does it mention that you need to mess with the permissions on the ProgramData folder itself. I don't understand why you are doing this?

    The only folder you should be checking is %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys.
    I couldn't get into that directory to even view the permissions - it seems to be mapped to c:\programdata


