As a member of the 'Administrators' group on Windows 7 (not in a domain), I launch explorer with admin rights (ctrl-shift). User profile folders on the system disk (like 'c:\users\murray') have 'Administrators' listed with 'full control'.
However I get 'access denied' when I try to open them. So on these folders we can't utilize the 'list folder / read data' right of our group's permission, but can only add a new, redundant permission entry for our user to be able to read data.
I'd expect users to have access on a folder their group has permissions on, without adding a permission entry for each member. I find it inappropriate because the way it works will result in numerous additional entries on some special folders over time (profile folders in our case).
So; what blocks the existing 'list folder / read data' permission of 'Administrators' members to these folders and where is this rule stored? Perhaps it's related with the 'simple' file sharing, ntfs junction points, UAC, or system policies?
Best Answer
The Answer
The final answer it is control by UAC. If you don't want to be prompted then turn off UAC. Which is basically the 'toggle' that was asked about. This has been confirm though testing. Not to mention the UAC Shield Icon, that is on the Continue button when trying to access the folder, should have given it away from the beginning.
When clicking on a install/setup application or opening an application that requires admin access, the UAC prompt opens and ask for permission. Access a user folder isn't different. You need admin permissions just like installing an application. The only difference is, with UAC on, the accessing user will be added to the ACL of the user's profile folder. Which isn't the case when UAC is toggled off.
The reason for Microsoft change towards UAC is found with in this document: Understanding and Configuring User Account Control in Windows Vista. I know it says Vista, but they're one in the same when it comes to UAC. It seems it all comes down to the way UAC works.
The Fix...
I believe this will fix the issue. I can not be sure since I don't have the ability to test it out at this time. Please be careful and remember revert it back. You can open Command Prompt in Admin Mode, then type in the following :.net user administrator /active:yes. Please reverse this action by changingyestonowhen finish doing what you need to do. This will help with securityThe only fix is to turn off UAC.