
User Account Control Impact on File Access


In providing Login VSI Support to our customers with complex virtualized desktop environments, we often come across issues that are indirectly related to our product. User Account Control (UAC), and how it affects file access, is one such issue. I'd like to share some insights on this topic, with the goal of helping Login VSI customers succeed in their virtualized desktop implementations.

UAC is a mechanism that Microsoft introduced in Windows Vista to make administrator accounts more secure. When UAC is enabled, an administrator account has two tokens.

A token is a Windows internal structure that describes the rights and permissions for a user or even a program.

Of the two tokens, one has normal User permissions and the other has Administrator permissions. In practice, this means that the non-administrator token has a deny permission on the Administrator account and group. Look at the screenshots below. The first screenshot shows the token for a cmd.exe instance that was explicitly run as Administrator by right-clicking it and choosing to run it as Administrator.

[Screenshot: cmd.exe as administrator]

The second screenshot shows the token for a non-elevated cmd.exe instance. These are the permissions an application gets when it is run on a UAC-enabled system without being explicitly run as an Administrator.

[Screenshot: non-elevated cmd.exe instance]

As you can see, this token has an explicit deny permission on the Administrators group. This can result in some unexpected behavior. Imagine you have an account that is a member of the Administrators group, and you try to secure a folder by allowing only the Administrators group access to it.

[Screenshot: only allow administrator group access]

Since your user account is a member of the Administrators group, it should be able to access the folder, right? Wrong: the non-elevated instance of cmd.exe is unable to access the directory.

[Screenshot: administrator access is denied]

The elevated user, however, does have access to the files.

[Screenshot: elevated user does have access]

Needless to say, this can be confusing to our customers, as they have made the user account a member of the Administrators group. But since UAC puts an explicit deny on the Administrators group, the user will not have access unless the process is elevated (in other words, uses the administrator token). We hope you keep this in mind when troubleshooting access issues, whether those problems are Login VSI related or not.
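A troubleshooting script for the situation described above, added here as an example and not taken from the original article or from Login VSI. It reports whether the current process can use the Administrators group and whether a folder's allow entries depend on it. The folder path is hypothetical, the "deny only" wording assumes English-language Windows, and the ACL check looks only at the trustees of allow entries, not at deny entries or the specific rights granted.

```powershell
# Added example, not from the original article. $Path is a hypothetical folder.
param([string]$Path = 'C:\AdminOnly')

$adminSid  = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)

# IsInRole is True only when the SID is enabled in this process's token, so a
# non-elevated process of an Administrators member reports False here.
$elevated = $principal.IsInRole([Security.Principal.SecurityIdentifier]$adminSid)
"Administrators enabled in this token (elevated): $elevated"

# whoami lists the attributes of every group SID in the token. In a non-elevated
# token the Administrators line reads "Group used for deny only".
whoami /groups | Select-String -SimpleMatch $adminSid | ForEach-Object { $_.Line.Trim() }

# Reading the ACL can itself fail from a non-elevated token when the folder is
# owned by and granted only to Administrators; that failure is the same symptom.
try {
    $rules = (Get-Acl -LiteralPath $Path -ErrorAction Stop).GetAccessRules(
        $true, $true, [Security.Principal.SecurityIdentifier])
} catch {
    "Cannot read the ACL of $Path with this token: $($_.Exception.Message)"
    return
}

# Allow entries whose trustee is the user or a group that is enabled in this token.
$usable = $rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        $_.IdentityReference.Value -eq $identity.User.Value -or
        $principal.IsInRole([Security.Principal.SecurityIdentifier]$_.IdentityReference))
}
# Allow entries that name the Administrators group.
$adminAllows = $rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $adminSid
}

if (-not $elevated -and $adminAllows -and -not $usable) {
    "$Path grants access only through Administrators, which this token cannot use. Run the process elevated."
} elseif ($usable) {
    $sids = ($usable | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique) -join ', '
    "This token matches allow entries for: $sids"
} else {
    "No allow entry on $Path matches this token."
}
```

Running it once from a normal prompt and once from an elevated prompt shows the two tokens side by side.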

About the author

Dennis Geerlings started at Login VSI about 4 years ago and worked as a consultant within Login Consultants. He supported multiple customers in migration projects. Presently, Dennis is support manager and lead consultant at Login VSI. In these roles he supports customers and partners in the US and Canada, co-develops the Login VSI product, and serves as a pre-sales engineer for enterprise customers. 

