ADSM-L

Re: [ADSM-L] Win2008 with UAC and backing up files that really didn't change... kind'a

2013-10-11 11:16:47
Subject: Re: [ADSM-L] Win2008 with UAC and backing up files that really didn't change... kind'a
From: "Huebner, Andy" <andy.huebner AT ALCON DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Fri, 11 Oct 2013 15:13:42 +0000

I am going to stick with UAC is not the issue; if it were to insert your ID 
into millions of files as you describe then you could end up waiting hours for 
it to complete, then it would have to remove your ID when you leave.  What 
it is really doing is elevating you from User to Administrator and presenting 
the Yes/No prompt on a different desktop to prevent malware from elevating 
itself.

What you might try is using icacls to dump the security of a sample, then when 
you see the large backup occur again dump and compare.

Do you also have AMD Admins?

Andy Huebner
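
The icacls dump-and-compare suggested in the message above, sketched in PowerShell as an added example that is not part of the original thread. The sample path and dump file names are placeholders, and the function names are hypothetical; the comparison lists explicit (non-inherited) ACEs that appeared between two dumps.

```powershell
# Added example, not from the thread. Placeholder paths: adjust to the file server.
$Sample  = 'E:\Shares\SampleFolder'   # hypothetical sample directory on one volume
$DumpDir = 'C:\AclDumps'              # hypothetical folder holding the dumps

function Save-AclDump {
    param([string]$Path, [string]$OutFile)
    # /save writes path + SDDL pairs; /t recurses, /c continues on errors, /q is quiet
    icacls $Path /save $OutFile /t /c /q | Out-Null
}

function Read-AclDump {
    param([string]$File)
    # icacls /save output is UTF-16; lines alternate: relative path, then SDDL string
    $lines = @(Get-Content -LiteralPath $File -Encoding Unicode)
    $map = @{}
    for ($i = 0; $i + 1 -lt $lines.Count; $i += 2) { $map[$lines[$i]] = $lines[$i + 1] }
    return $map
}

function Get-ExplicitAce {
    param([string]$Sddl)
    # ACE layout: (type;flags;rights;;;trustee). Inherited ACEs carry the ID flag,
    # so anything without it was set directly on that file or folder.
    [regex]::Matches($Sddl, '\(([^;]*);([^;]*);[^)]*\)') |
        Where-Object { $_.Groups[2].Value -notmatch 'ID' } |
        ForEach-Object { $_.Value }
}

function Compare-AclDump {
    param([string]$Before, [string]$After)
    $old = Read-AclDump $Before
    $new = Read-AclDump $After
    foreach ($path in $new.Keys) {
        $oldSddl = $old[$path]
        $newSddl = $new[$path]
        if ($old.ContainsKey($path) -and $oldSddl -ne $newSddl) {
            $oldAces = @(Get-ExplicitAce $oldSddl)
            $added   = @(Get-ExplicitAce $newSddl | Where-Object { $oldAces -notcontains $_ })
            New-Object PSObject -Property @{ Path = $path; NewExplicitAces = ($added -join ' ') }
        }
    }
}

# Usage: take the baseline now, take a second dump after the next unexpectedly
# large incremental backup, then compare the two.
# Save-AclDump $Sample "$DumpDir\before.acl"
# Save-AclDump $Sample "$DumpDir\after.acl"
# Compare-AclDump "$DumpDir\before.acl" "$DumpDir\after.acl" | Format-List
```

A trustee shown as a SID in `NewExplicitAces` identifies the account that was added; an empty result for a changed path means only inherited entries differ.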

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of 
Dwight Cook
Sent: Thursday, October 10, 2013 10:00 PM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: [ADSM-L] Win2008 with UAC and backing up files that really didn't 
change... kind'a

What is happening when I click on "OK" when it prompts me if I want to give 
myself rights is, ~it~ is going into every file and folder and inserting my 
user id under the security tab of properties and explicitly giving me full 
control.  Based on what our Intel Admins have told me, I made the assumption 
~it~ was UAC because they told me it was UAC asking me if I want to continue 
with the operation (to simply view the folder) because I currently don't have 
explicit authority, I only have implied authority by my user id being an 
~administrative~ id.
There is another product within this environment, Zylab, which I'm clueless on 
but our local Intel Admins don't believe Zylab would be the cause.
The situation is very easy to recreate... all I have to do is go out to a 
volume that I've never looked at before (thus I won't have explicit permission
to) and double click on it to open it... at that time ~something~ tells me I 
currently don't have rights to perform that operation and would I like to give 
myself rights (since my id is an administrative id I have the authority to do 
that) and I click "OK" and as I mentioned above, ~it~ goes in and inserts my 
user id explicitly on every file/folder thus "changing" it and tsm then backs 
it up next cycle.
It is also the case that it behaves this way for any/all admins and in looking 
at the security tab I see a whole list of various admins explicitly listed.
Could this be a configuration setting of UAC?  (to make it put explicit 
permissions on the files)

Dwight

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of 
Huebner, Andy
Sent: Thursday, October 10, 2013 4:16 PM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: [ADSM-L] Win2008 with UAC and backing up files that really didn't 
change... kind'a

I believe you have something else happening.  If that option was changing the 
ACLs of millions of files you would be very aware of that happening.
"administrative" rights are not unlike sudo in Unix, you are assuming the 
identity of a more powerful user.

It is not uncommon for admins here to do what you describe without the results 
you describe.

Andy Huebner


-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of 
Dwight Cook
Sent: Thursday, October 10, 2013 2:20 PM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: [ADSM-L] Win2008 with UAC and backing up files that really didn't 
change... kind'a

OK, so I have a file server with 6 volumes each of 2.5 TB's and each with 
1-2.5M files on them.

Under Win2008 there is this ~funk~ called UAC such that an "administrative"
id has effective permissions to everything but not really any direct permission.

That is, if I go into this server and under explorer I click on the top 
directory on one of the volumes it says "you don't have rights to view this, do 
you want to grant yourself rights?" and when I click "OK" windows goes out and 
gives my userid direct permissions to all subfolders and files. BUT.
that is a change to the permissions of every directory and file and next incr 
backup, TSM backs up everything. yes, sometimes 2.5M files at 2.5 TB's just 
because some admin clicked "OK" on giving themselves permission to view things 
at the top folder level.

Is anyone else seeing this?

Dwight