
User Account Control Impact on File Access

In providing Login VSI Support to our customers with complex virtualized desktop environments, we often come across issues that are indirectly related to our product. User Account Control (UAC), and how it affects file access, is one such issue. I'd like to share some insights on this topic, with the goal of helping Login VSI customers succeed in their virtualized desktop implementations.

UAC is a mechanism that Microsoft introduced in Windows Vista to make administrator accounts more secure. When UAC is enabled, an administrator account has two tokens.

A token is a Windows internal structure that describes the rights and permissions for a user or even a program.

Of the two tokens, one has normal User permissions and the other has Administrator permissions. In practice, this means that the non-administrator token has deny permission on the Administrator account and group. Look at the screenshots below. The first screenshot shows the token for a cmd.exe instance that was explicitly run as Administrator by right-clicking it and choosing to run it as Administrator.

[Screenshot: cmd.exe as administrator]

The second screenshot shows the token for a non-elevated cmd.exe instance. These are the permissions an application gets when the application is run on a UAC-enabled system without explicitly running the application as an Administrator.

[Screenshot: non-elevated cmd.exe instance]

As you can see, this token has explicit deny permission on the Administrators group. This can result in some unexpected behavior. Imagine you have an account that is a member of the Administrators group. You try to secure a folder by allowing only the Administrators group access to the folder.

[Screenshot: only allow administrator group access]

Since your user account is a member of the Administrators group, it should be able to access the folder, right? Wrong: the non-elevated instance of cmd.exe is unable to access the directory.

[Screenshot: administrator access is denied]

The elevated user, however, does have access to the files.

[Screenshot: elevated user does have access]

Needless to say, this can be confusing to our customers, as they have made the user account a member of the Administrators group. But since UAC puts an explicit deny on the Administrators group, the user will not have access unless the process is elevated (in other words, uses the administrator token). We hope you keep this in mind when troubleshooting access issues, whether those problems are Login VSI related or not.
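The folder scenario above can be reproduced with a small model of the Windows access check, in which the non-elevated token carries the Administrators group as a deny-only SID that deny entries match but allow entries do not. This is an added example, not code from Login VSI or Microsoft: it is a simplified Python model that leaves out owner rights, privileges and integrity levels, and the user SID and access bits are constructed.

```python
from dataclasses import dataclass

ADMINS = "S-1-5-32-544"                 # BUILTIN\Administrators (well-known SID)
USERS = "S-1-5-32-545"                  # BUILTIN\Users (well-known SID)
ALICE = "S-1-5-21-1111-2222-3333-1001"  # constructed sample user SID

READ, WRITE = 0x1, 0x2                  # toy access bits for this model


@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


@dataclass(frozen=True)
class Token:
    enabled: frozenset                  # SIDs matched by allow and deny ACEs
    deny_only: frozenset = frozenset()  # SIDs matched by deny ACEs only


def access_check(token, dacl, desired):
    """Walk the DACL in order and decide whether `desired` is granted."""
    remaining = desired
    for ace in dacl:
        if ace.kind == "deny":
            # Deny ACEs match enabled SIDs and deny-only SIDs alike.
            if ace.sid in token.enabled | token.deny_only and ace.mask & remaining:
                return False
        elif ace.sid in token.enabled:
            # Allow ACEs never match a deny-only SID.
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False  # some requested bits were never granted: implicit deny


# The two tokens of one Administrators member when UAC is enabled.
ELEVATED = Token(enabled=frozenset({ALICE, USERS, ADMINS}))
FILTERED = Token(enabled=frozenset({ALICE, USERS}), deny_only=frozenset({ADMINS}))

# Folder ACL from the article: only the Administrators group is allowed.
ADMIN_ONLY_DACL = [Ace("allow", ADMINS, READ | WRITE)]
# A deny entry on Administrators still applies to the filtered token.
DENY_ADMINS_DACL = [Ace("deny", ADMINS, WRITE), Ace("allow", USERS, READ | WRITE)]
```

On a live system, `whoami /groups` run from a non-elevated prompt lists BUILTIN\Administrators with the attribute "Group used for deny only", which is the state `FILTERED` models.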

 


 
