login vsi company logo login vsi company logo 250x40

 

Get the best possible VDI performance, density and availability with Login VSI
Our Solutions

Warning

JUser: :_load: Unable to load user with ID: 17524

User Account Control Impact on File Access

User Account Control Impact on File Access

In providing Login VSI Support to our customers with complex virtualized desktop environments, we often come across issues that are indirectly related to our product. User Account Control (UAC), and how it affects file access, is one such issue. I'd like to share some insights on this topic, with the goal of helping Login VSI customers succeed in their virtualized desktop implementations.

UAC is a mechanism that was introduced by Microsoft in Windows Vista that is intended to make administrator accounts more secure. The administrator account has (when UAC is enabled) 2 tokens.

A token is a Windows internal structure that describes the rights and permissions for a user or even a program.

Of the two tokens, one has normal User permissions and the other has Administrator permissions. In practice, this means that the non-administrator token has deny permission on the Administrator account and group. Look at the screenshots below. The first screenshot shows cmd.exe while it was explicitly run as Administrator by right clicking it and choosing to run it as Administrator.

cdmd.exe as administrator

The second screenshot shows the token for a non-elevated cmd.exe instance. These are the permissions an application gets when the application is run on a UAC-enabled system without explicitly running the application as an Administrator.

non-elevated cdm.exe instance

As you can see, this token has explicit deny permission on the Administrator group. This can result in some unexpected behavior. Imagine you have an account that is member of the Administrator’s group. You try to secure a folder by only allowing the Administrator group access to the folder.

only allow administrator group access

Since your user account is member of the Administrators group, it should be able to access the folder right? Wrong, the non-elevated instance of cmd.exe is unable to access the directory.

administrator access is denied

The elevated user however does have access to the files.

elevated user does have access

Needless to say, this can be confusing to our customers, as they have made the user account a member of the administrator group. But since UAC puts an explicit deny on the administrators group, it means that the user will not have access unless the process is elevated (in other words, uses the administrator token). We hope you keep this in mind when troubleshooting access issues, whether those problems are Login VSI related or not.

About the author

Tags: How-to, Login VSI, Load Testing, Best Practices, Support

Popular Blogs

Login VSI - Press Release - IGEL - Login VSI Partner to Optimize End User Computing Experience Image

[Press Release] IGEL Partners with Login VSI to Optimize the End User Computing Experience

Login PI enables organizations to better protect the performance and availability of their IGEL OS-powered virtual desktop environments Continue Reading
Login VSI - Blog - Login PI Blog Teaser Image - Windows Virtual Desktop: How To Monitor User Experience With Login PI

Windows Virtual Desktop – How to Monitor User Experience?

Microsoft has just announced the public preview of their new Windows Virtual Desktop (WVD) offering at Microsoft Ignite on Tour in Amsterdam today. For those of you who’ve not followed the rumors or the private beta, here’s the outline... Continue Reading
Login VSI Blog - Teaser Image - A Practical Guide to VDI Change Management - Part 1

A Practical Guide to VDI Change Management

Part 1: IT Change Management in general The first in an 8-part series, this practical guide to VDI Change Management will guide you through the transformation of the IT department from a back-end function into a core competency for every modern organization. Continue Reading
Investigating Online Application Performance with Login PI

Investigating Online Application Performance with Login PI

As many companies do, we use a CRM system. Recently, I have been getting complaints about our cloud CRM system, Microsoft Dynamics, being slow. I tried to investigate this by shadowing one of our users to see what was wrong. Continue Reading
Login VSI Blog - How-To Update, Protect Against RIDL, Fallout MDS Vulnerability

How-To: Update, Protect Against RIDL, Fallout MDS Vulnerability

RIDL & Fallout MDS vulnerabilities, impact on VDI performance & actions to take. FAQs we’re receiving & updates on performance tests executed to patch flaws Intel calls “Microarchitectural Data Sampling (M.D.S.)” aka: Rogue In-Flight Data Load (RIDL), Fallout, ZombieLoad & Store-to-Leak Forwarding. Continue Reading
Login VSI -Blog Post - IGEL Partner with Login VSI

Login PI & IGEL: Delivering Deep Application Test & Availability Monitoring

Together Login VSI and IGEL deliver deep application test and availability monitoring for the digital workspace This week we announced a partnership with IGEL that enables Login PI integration in a radical new way. Continue Reading
Cookie Settings