
User Account Control Impact on File Access


In providing Login VSI Support to our customers with complex virtualized desktop environments, we often come across issues that are indirectly related to our product. User Account Control (UAC), and how it affects file access, is one such issue. I'd like to share some insights on this topic, with the goal of helping Login VSI customers succeed in their virtualized desktop implementations.

UAC is a mechanism that Microsoft introduced in Windows Vista to make administrator accounts more secure. When UAC is enabled, an administrator account has two tokens.

A token is a Windows internal structure that describes the rights and permissions for a user or even a program.

Of the two tokens, one has normal User permissions and the other has Administrator permissions. In practice, this means that the non-administrator token has deny permission on the Administrator account and group. Look at the screenshots below. The first screenshot shows cmd.exe after it was explicitly run as Administrator by right-clicking it and choosing to run it as Administrator.

[Screenshot: cmd.exe run as Administrator]

The second screenshot shows the token for a non-elevated cmd.exe instance. These are the permissions an application gets when the application is run on a UAC-enabled system without explicitly running the application as an Administrator.

[Screenshot: token of a non-elevated cmd.exe instance]

As you can see, this token has explicit deny permission on the Administrators group. This can result in some unexpected behavior. Imagine you have an account that is a member of the Administrators group. You try to secure a folder by allowing only the Administrators group access to the folder.

[Screenshot: folder permissions allowing only the Administrators group]

Since your user account is a member of the Administrators group, it should be able to access the folder, right? Wrong: the non-elevated instance of cmd.exe is unable to access the directory.

[Screenshot: access is denied in the non-elevated cmd.exe]

The elevated user, however, does have access to the files.

[Screenshot: the elevated cmd.exe does have access]

Needless to say, this can be confusing to our customers, as they have made the user account a member of the Administrators group. But since UAC puts an explicit deny on the Administrators group, the user will not have access unless the process is elevated (in other words, uses the administrator token). We hope you keep this in mind when troubleshooting access issues, whether those problems are Login VSI related or not.
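
A quick way to confirm this while troubleshooting, as an added example that is not part of the original post: the PowerShell below reports whether the current process is elevated, how the Administrators group appears in its token, and whether the folder can be listed. The folder path `C:\AdminOnly` is a placeholder, and the "deny only" text match assumes an English-language Windows installation.

```powershell
# Added example, not from the original post.
param(
    [string]$Path = 'C:\AdminOnly'   # placeholder: folder restricted to Administrators
)

$adminSid  = 'S-1-5-32-544'          # well-known SID of BUILTIN\Administrators
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# True only when this process runs with the elevated (administrator) token.
$elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# whoami lists every group in the token with its attributes. /nh drops the
# (localized) header row, so the column names are supplied here instead.
$groups = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, SID, Attributes
$adminEntry = $groups | Where-Object { $_.SID -eq $adminSid }

# Try to list the folder with the token this process actually holds.
try {
    Get-ChildItem -LiteralPath $Path -ErrorAction Stop | Out-Null
    $access = 'granted'
} catch {
    $access = "failed: $($_.Exception.Message)"
}

$attributes = if ($adminEntry) { $adminEntry.Attributes } else { 'not in token' }

[pscustomobject]@{
    Path                  = $Path
    Elevated              = $elevated
    AdministratorsInToken = $attributes
    FolderAccess          = $access
}

# The situation from this article: member of Administrators, not elevated,
# group present in the token for deny checks only, folder access refused.
if (-not $elevated -and $attributes -match 'deny only' -and $access -ne 'granted') {
    Write-Warning ("Administrators is deny-only in this token. An ACL that " +
        "grants access only to Administrators will not match until the " +
        "process is run elevated.")
}
```

Run it once from a normal PowerShell window and once from one started with "Run as administrator" to see both tokens side by side.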

About the author

Dennis Geerlings started at Login VSI about 4 years ago and worked as a consultant within Login Consultants. He supported multiple customers in migration projects. Presently, Dennis is support manager and lead consultant at Login VSI. In these roles he supports customers and partners in the US and Canada, co-develops the Login VSI product, and serves as a pre-sales engineer for enterprise customers. 


Tags: How-to, Login VSI, Load Testing, Best Practices, Support
