Guest PMcG Posted October 9, 2008 Posted October 9, 2008 Hello, I'm currently trying to save a powershell global profile on a Vista SP1 machine and getting a failure, I would appreciate anybody's help with understanding this failure Some background I have a domain account that is a member of a domain local group who in turn is a member of the local administrators role on the machine. I would expect this to allow me to act with full administrative privileges on the box. I verified that I can add a local user and this was successful. When attempting to save the global powershell shell profile @ C:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 using notepad I get the following error "Cannot create the C:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 file. Make sure that the path and file name are correct." I then tried to use sysinternals handle utility to see if I could view information on the file access failure but I get "Initialization error: Make sure that you are an administrator." I have spent some time searching on the web without any success. Thanks in advance Pat Quote
Guest Jon Wallace Posted October 9, 2008 Posted October 9, 2008 Hey Pat, This could be a case of UAC kicking in. Regardless of whether you are an administrator (local) or not, UAC will in essense take away your admin rights and offer you the chance to use them where required. The problem is that these propmpts happen for known operations such as starting MMC.EXE. If you are failing to access a path, it may be down to the fact that notepad.exe just doesn't have admin rights because they're been taken off you.. Try right-clicking on notepad and use the run as administrator option, or if you wish, disable UAC (within user accounts in control panel). Personally I like UAC but you may want to disable it it you are doing admin tasks all the time. Let me know if this doesn't help... Regards, Jon http://www.insidetheregistry.com --- "PMcG" <PMcG@discussions.microsoft.com> wrote in message news:755ED913-387B-4E5F-BCCB-52993B551AA7@microsoft.com...<span style="color:blue"> > Hello, > I'm currently trying to save a powershell global profile on a Vista SP1 > machine and getting a failure, I would appreciate anybody's help with > understanding this failure > > Some background > I have a domain account that is a member of a domain local group who in > turn > is a member of the local administrators role on the machine. I would > expect > this to allow me to act with full > administrative privileges on the box. I verified that I can add a local > user > and this was successful. > > When attempting to save the global powershell shell profile @ > C:WINDOWSsystem32WindowsPowerShellv1.0Microsoft.PowerShell_profile.ps1 > using notepad I get the following error > "Cannot create the > C:WINDOWSsystem32WindowsPowerShellv1.0Microsoft.PowerShell_profile.ps1 > file. Make sure that the path and file name are correct." > > I then tried to use sysinternals handle utility to see if I could view > information on the file access failure but I get "Initialization error: > Make > sure that you are an administrator." > > I have spent some time searching on the web without any success. > > > > Thanks in advance > Pat > </span> Quote
Guest PMcG Posted October 9, 2008 Posted October 9, 2008 Jon, Thanks for the reply, your suggestion to explicitly start notepad as the admin user works. Just adding some more information just in case somebody else has similar issues. I normally run as a non admin user on the machine and only escalate to the admin user when I need to. I keep a seperate powershell shell running as this admin user and run any admin commands using this instance, so to edit the global profile i will run the following command "notepad C:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1" which fails as I indicated below when I try to save my changes. As you indicated this notepad process needs some further escalation due to UAC, so my only way to acheive this is to disable UAC ? I too would prefer not to disable UAC which means i may face similar situations, i tried using handle by right clicking and running as administrator with success. This probably means that my previous approach of running an admin shell will not always work. Thanks Pat "Jon Wallace" wrote: <span style="color:blue"> > > Hey Pat, > > This could be a case of UAC kicking in. Regardless of whether you are an > administrator (local) or not, UAC will in essense take away your admin > rights and offer you the chance to use them where required. The problem is > that these propmpts happen for known operations such as starting MMC.EXE. > > If you are failing to access a path, it may be down to the fact that > notepad.exe just doesn't have admin rights because they're been taken off > you.. > > Try right-clicking on notepad and use the run as administrator option, or if > you wish, disable UAC (within user accounts in control panel). > > Personally I like UAC but you may want to disable it it you are doing admin > tasks all the time. > > Let me know if this doesn't help... > > Regards, > Jon > > http://www.insidetheregistry.com > > --- > > "PMcG" <PMcG@discussions.microsoft.com> wrote in message > news:755ED913-387B-4E5F-BCCB-52993B551AA7@microsoft.com...<span style="color:green"> > > Hello, > > I'm currently trying to save a powershell global profile on a Vista SP1 > > machine and getting a failure, I would appreciate anybody's help with > > understanding this failure > > > > Some background > > I have a domain account that is a member of a domain local group who in > > turn > > is a member of the local administrators role on the machine. I would > > expect > > this to allow me to act with full > > administrative privileges on the box. I verified that I can add a local > > user > > and this was successful. > > > > When attempting to save the global powershell shell profile @ > > C:WINDOWSsystem32WindowsPowerShellv1.0Microsoft.PowerShell_profile.ps1 > > using notepad I get the following error > > "Cannot create the > > C:WINDOWSsystem32WindowsPowerShellv1.0Microsoft.PowerShell_profile.ps1 > > file. Make sure that the path and file name are correct." > > > > I then tried to use sysinternals handle utility to see if I could view > > information on the file access failure but I get "Initialization error: > > Make > > sure that you are an administrator." > > > > I have spent some time searching on the web without any success. > > > > > > > > Thanks in advance > > Pat > > </span> > > </span> Quote
Guest Mr. Arnold Posted October 10, 2008 Posted October 10, 2008 "PMcG" <PMcG@discussions.microsoft.com> wrote in message news:98A289ED-8BE1-4727-A8B2-B6DFD21A2CF3@microsoft.com...<span style="color:blue"> > Jon, > Thanks for the reply, your suggestion to explicitly start notepad as the > admin user works. Just adding some more information just in case somebody > else has similar issues. > > I normally run as a non admin user on the machine and only escalate to the > admin user when I need to.</span> Well, the same thing happens for user/admin with UAC enabled. The user/admin has two access tokens assigned to it. One access token assigned is the admin full rights token. The other access token assigned is the Standard user token, which is the default assigned to user/admin. User/admin must be escalated to use the full rights admin token, which is valid only at the moment of escalation, and then the user/admin is returned to the Standard rights token. It's being talked about in the links as to what is happening with a user/admin and Standard user on Vista with UAC enabled. http://technet.microsoft.com/en-us/library/cc709691.aspx http://news.softpedia.com/news/Admin-Appro...sta-45312.shtml http://technet.microsoft.com/en-us/magazine/cc138019.aspx http://technet.microsoft.com/en-us/magazine/cc160882.aspx <span style="color:blue"> >I keep a seperate powershell shell running as this > admin user and run any admin commands using this instance, so to edit the > global profile i will run the following command "notepad > C:WINDOWSsystem32WindowsPowerShellv1.0Microsoft.PowerShell_profile.ps1" > which fails as I indicated below when I try to save my changes.</span> So you take ownership of the file or folder with an user group account such as Administrtors or a your indiviual user account with either one of them having full control. http://www.nirmaltv.com/2008/07/11/how-to-...lders-in-vista/ Here is the kicker, C:\Program Files and C:\Windows are protected folder and folders and files with in those folders are protected. You'll notice this if you go to some to the folders and try to add a new account to the folder to give permissions for the account, change permissions for an existing account or delete an account off on the folders. You can't do it, even as Admin. About the only thing you can do is take ownership You can make a new folder and add user accounts, change, and delete user accounts on that folder. I'll get to this a little later. <span style="color:blue"> > > As you indicated this notepad process needs some further escalation due to > UAC, so my only way to acheive this is to disable UAC ?</span> No, you can leave UAC enabled and use this account, which has full rights at all times, because its privileges are already escalated automatically, UAC doesn't prompt that account, and it doesn't need Run as Administrator. http://www.howtogeek.com/howto/windows-vis...-windows-vista/ You can also get permissions set for user/admin to circumvent permission conflict, because Vista, UAC and NTFS look at you being part of the Administrator group and your individual user account permissions combined. <span style="color:blue"> > I too would prefer not to disable UAC which means i may face similar > situations, i tried using handle by right clicking and running as > administrator with success. ></span> Here is a something you can do to see what is happening on permissions conflict for user/admin on Vista. 1) Go to the Program Files and create a new directory call it Test . Vista should allow you to create the directory even as you being Admin on the machine. 2) Start Notepad enter some text and try to SaveAs with the file to Program Files/Test. You should get permission denied. Yeah, you're getting it even if the account you're using is your Admin account. 3) Come out of Notepad, forget the save, and cancel out of Notepad. 4) Go to the directory and to the Security tab for the directory and add a new account to the security account list. It's going to be the User account you login to the computer with as Admin. If you login with PMcG as admin on the machine, then you're going to add PMcG as another account the will have access to the directory. 5) You'll set PMcG to have Full Control just as Administrators has Full Control of the folder. 6) Go back to step # 2 with Notepad and try to SaveAs the file to Program Files\Test. You should be able to save the file. Hopefully, you'll see the issue of account permissions conflict for the user/admin on Vista. On one hand, your account is in the Administrators group account. But on the other hand, your account is part of the User group account. If your user account PMcG is not on the folder with the same rights as as Administrators, there is going to be a permissions conflict, because Vista with UAC enabled is looking at the combined rights of those two accounts in some situations. What Vista defaults to is Users account group permissions on the directory if it doesn't see your individual user account on the folder, and Users doesn't have Full Control. This is because on Vista with UAC enabled, a user/admin on Vista is not an Admin with Full rights, like it is on XP or Win 2k. So, if you add your user account to <c> with full rights, then it will show as an account you can use to take ownership of folders or files. BTW, built-in Administrator can't do anything on Program Files and C:\Windows but allow you to take ownership. Also, even if disable UAC, user/admin the one you get from Vista out of the box or any new user/admin accounts will never have full admin rights, because those accounts don't inherit full admin rights from the Administrator account, like it does on XP. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.