ADSM-L

Re: [ADSM-L] Win2008 with UAC and backing up files that really didn't change... kind'a

2013-10-11 15:09:10
Subject: Re: [ADSM-L] Win2008 with UAC and backing up files that really didn't change... kind'a
From: Dwight Cook <cookde AT COX DOT NET>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Fri, 11 Oct 2013 14:07:19 -0500
I believe I'll have to agree with it not being UAC...
Yes, UAC prompts me if I want to allow "Edit Security" to make changes to
the system and that's what got my brain stuck on UAC.
But yes, when I click "Continue" and the system starts inserting my ID into
those millions of objects... it takes a REALLY LONG time :-(
What I just noticed is that on a directory I just gave myself access to, if
I look at "Administrator" (under the security tab on properties), it has
check marks by all the various levels of security BUT they are all grayed
out.
I'm far from a windows admin but it looks like they have somehow set the
default security such that and Administrative id by default has NO rights
but as an Administrator, has the ability to grant themselves rights...
because after I do just that it does in fact insert my ID into everything
from that point down.
This (noticing the grayed out checks) at least gives me a little more to go
back to the Intel support staff with.

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
Huebner, Andy
Sent: Friday, October 11, 2013 10:14 AM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: [ADSM-L] Win2008 with UAC and backing up files that really
didn't change... kind'a

I am going to stick with UAC is the not the issue, if it were to insert your
ID into millions of files as you describe then you could end up waiting
hours for the it to complete, then it would have to remove your ID when you
leave.  What it is really doing is elevating you from User to Administrator
and presenting the Yes/No prompt on a different desktop to prevent malware
from elevating itself.

What you might try is using icacls to dump the security of a sample, then
when you see the large backup occur again dump and compare.

Do you also have AMD Admins?

Andy Huebner

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
Dwight Cook
Sent: Thursday, October 10, 2013 10:00 PM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: [ADSM-L] Win2008 with UAC and backing up files that really
didn't change... kind'a

What is happening when I click on "OK" when it prompts me if I want to give
myself rights is, ~it~ is going into every file and folder and inserting my
user id under the security tab of properties and explicitly giving me full
control.  Based on what our Intel Admins have told me, I made the assumption
~it~ was UAC because they told me it was UAC asking me if I want to continue
with the operation (to simply view the folder) because I currently don't
have explicit authority, I only have implied authority by my user id being
an ~administrative~ id.
There is another product within this environment, Zylab, which I'm clueless
on but our local Intel Admins don't believe Zylab would be the cause.
The situation is very easy to recreate... all I have to do is go out to a
volume that I've never looked before (thus I won't have explicit permission
to) and double click on it to open it... at that time ~something~ tells me I
currently don't have rights do perform that operation and would I like to
give myself rights (since my id is an administrative id I have the authority
to do that) and I click "OK" and as I mentioned above, ~it~ goes in and
inserts my user id explicitly on every file/folder thus "changing" it and
tsm then backs it up next cycle.
It is also the case that it behaves this way for any/all admins and in
looking at the security tab I see a whole list of various admins explicitly
listed.
Could this be a configuration setting of UAC?  (to make it put explicit
permissions on the files)

Dwight

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
Huebner, Andy
Sent: Thursday, October 10, 2013 4:16 PM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: [ADSM-L] Win2008 with UAC and backing up files that really
didn't change... kind'a

I believe you have something else happening.  If that option was changing
the ACLs of millions of files you would be very aware of that happening.
"administrative" rights are not unlike sudo in Unix, you are assuming the
identity of a more powerful user.

It is not uncommon for admins here to do what you describe without the
results you describe.

Andy Huebner


-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
Dwight Cook
Sent: Thursday, October 10, 2013 2:20 PM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: [ADSM-L] Win2008 with UAC and backing up files that really didn't
change... kind'a

OK, so I have a file server with 6 volumes each of 2.5 TB's and each with
1-2.5M files on them.

Under Win2008 there is this ~funk~ called UAC such that an "administrative"
id has effective permissions to everything but not really any direct
permission.

That is, if I go into this server and under explorer I click on the top
directory on one of the volumes it says "you don't have rights to view this,
do you want to grant yourself rights?" and when I click "OK" windows goes
out and gives my userid direct permissions to all subfolders and files. BUT.
that is a change to the permissions of every directory and file and next
incr backup, TSM backs up everything. yes, sometimes 2.5M files at 2.5 TB's
just because some admin clicked "OK" on giving themselves permission to view
things at the top folder level.



Is anyone else seeing this?



Dwight