Yesterday I noticed that my regular account (Stand User) on Windows 7 is able to access the Admin folder without a UAC prompt. This means anyone using my account can see the contents of that folder without giving the Admin password. Here's the image: https://i.imgur.com/jXej46e.jpg What happened? I never changed the permissions of the Admin's folder. The "Admin" account is the first account I create after installing Windows (in that "Insert a username, example John" screen). Then I set up a password for it, then create the "Amarildo" account (standard account).
CRAP! I removed my permissions, but was unable to do so https://i.imgur.com/zAjgv0A.jpg Then for some reason UAC is asking for permissions to access that folder. But now that "TEMP" Folder/Account appeared. Dammit! https://www.wilderssecurity.com/threads/getting-tired-of-this.391148/
Check the ownership of the folder. It should be the admin account or group administrators. The permissions look right in the second image and trying to access it from a standard account should give a UAC prompt and you should have full access from the admin account. Also verify group membership of "admin" and "amarildo".
This is such a mess, describing what I just did wouldn't help and would just confuse everybody. But I kinda got back where I started: my standard account has full access to the Admin folder. If I try to change the permissions but cancel when the error appears, the Temp problem will reappear. Here's where I decided to leave it as it is: if I click "Continue" on all errors until I can actually remove my permissions, then UAC will prompt if I try to access that folder (which is the correct behavior). However, if I do access that folder, I'll have full control over it again, for some reason. So that is it. I won't try to access that folder anymore, UAC will prompt me if I ever try to access it (but I won't), and no temporary profiles should be created anymore. I hate programmers. Somebody messed it up and now this happens.
Once you allow access from a UAC prompt, it stays. That is where the permissions for the amarildo account came from. The best way to keep the permissions is to only access the admin account folder when logged on as admin. Unfortunately, Windows doesn't allow more than one instance of Windows Explorer to run at once from one account, so you can't use Windows Explorer as an administrator logged on to a standard account. All the other software on the system can be launched as an administrator from a standard account. I usually start an administrator command prompt to do any administrative functions when I'm working from a standard account.
@MisterB Thanks, but are you sure? I don't remember it being this way. Once I left the directory, UAC would prompt again for the admin password if I tried to access the directory. That's how I remember, at least.
Thinking about it a bit more and checking default permissions on one of my Windows 7 boxes, now I see why this happened to you but doesn't always happen. Windows treats default permissions in the "Users" folder differently and doesn't automatically add the group "users" to the folders created for new users. So when you allow the UAC prompt, Windows adds you to the permissions of that folder and gives you full control. I just tried it and that is exactly what it did. In most folders the users group has some sort of access, so there is no need to add a user individually to give access. Playing around a bit, I found a workaround. If you leave amarildo as a user and set all permissions to deny, it will not let you in and you will get a permission denied message after allowing the UAC prompt. It will work best if you are fully logged onto the admin account to change permissions. Then you won't get the permission denied messages. Some files have permissions that have to be changed by the owner of the folder, and another user with elevated privilege will get the error messages. The problem seems to be when you do not exist at all in the folder's permissions and Windows grants you access through UAC.
This is by design. If you click on "Continue", ACLs are changed: I would use a different file manager for accessing such folders:
Thanks. I'm encrypting my drive with VeraCrypt ATM but I'll try it as soon as it's done. I was actually considering this. Thanks.
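The thread describes Explorer's "Continue" prompt leaving a lasting full-control entry for the standard account on another user's profile folder. The read-only PowerShell audit below lists such entries; it is an added example, not something posted by any participant. It assumes each profile folder under `Users` is named after its account and that it is run from an elevated prompt.

```powershell
# Added example: list Allow entries on profile folders that were granted to
# accounts other than the profile's own user, SYSTEM and Administrators.
# Assumption: a profile folder is named after its account (e.g. C:\Users\Admin).
# Get-Acl only reads the ACL; nothing is modified.

$profilesRoot = Join-Path $env:SystemDrive 'Users'
$skipFolders  = @('Public', 'Default', 'Default User', 'All Users')

# Resolve well-known SIDs to names so the check also works on localized installs:
# S-1-5-18 = Local System, S-1-5-32-544 = BUILTIN\Administrators.
$expected = @('S-1-5-18', 'S-1-5-32-544') | ForEach-Object {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($_)
    $sid.Translate([System.Security.Principal.NTAccount]).Value
}

$findings = Get-ChildItem -Path $profilesRoot -Force |
    Where-Object { $_.PSIsContainer -and ($skipFolders -notcontains $_.Name) } |
    ForEach-Object {
        $folder = $_
        try {
            $acl = Get-Acl -Path $folder.FullName -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL of $($folder.FullName): $($_.Exception.Message)"
            return   # skip this folder, continue with the next one
        }
        foreach ($ace in $acl.Access) {
            $identity = $ace.IdentityReference.Value
            $account  = ($identity -split '\\')[-1]    # strip the MACHINE\ prefix

            if ($ace.AccessControlType -ne 'Allow') { continue }  # Deny entries are not a leak
            if ($expected -contains $identity)      { continue }  # SYSTEM / Administrators
            if ($account -eq $folder.Name)          { continue }  # the profile's own user

            # Anything left is an account that was added to someone else's profile.
            $ace | Select-Object @{ n = 'Folder'; e = { $folder.FullName } },
                                 IdentityReference, FileSystemRights, IsInherited
        }
    }

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No unexpected Allow entries found on profile folders.'
}
```

A row showing the standard account with `FullControl` on the admin profile folder matches what the posters observed after clicking "Continue". A temporary profile folder (such as the "TEMP" one mentioned above) will also be listed, because its name does not match its account.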