Am I an Administrator on Vista? No really am I?

January 15, 2007 @ 4:51 pm- from Maui, Hawaii

I’m having a bad hair day. Man, am I frustrated with Vista security today. So in my last post I mentioned that I had problems with my SQL Server not recognizing my login as an administrator login. Well, after some more checking I think I can see that my account is not really an Administrative account.

It’s ridiculously hard to trouble shoot this and actually determine what your account status is. Vista itself shows everything as if my account was an administrative account, but (as shown below) it looks like the system itself doesn’t see me as an Administrator. So how do you tell whether you are REALLY an administrator or not?

It seems I’m an administrative user: I can run admin tasks like bringing up the Services panel or Device Manager or running IIS Service manager. If I run WHOAMI I get:

GROUP INFORMATION

-----------------

Group Name Attributes

====================================== ==================================================

Everyone Mandatory group, Enabled by default, Enabled group

RASVISTA\Debugger Users Mandatory group, Enabled by default, Enabled group

BUILTIN\Administrators Group used for deny only

BUILTIN\Users Mandatory group, Enabled by default, Enabled group

NT AUTHORITY\INTERACTIVE Mandatory group, Enabled by default, Enabled group

NT AUTHORITY\Authenticated Users Mandatory group, Enabled by default, Enabled group

NT AUTHORITY\This Organization Mandatory group, Enabled by default, Enabled group

LOCAL Mandatory group, Enabled by default, Enabled group

NT AUTHORITY\NTLM Authentication Mandatory group, Enabled by default, Enabled group

Mandatory Label\Medium Mandatory Level Mandatory group, Enabled by default, Enabled group

Looks like I’m part of Adminstrators right?

Or am I? Look again at the Group used for deny only. I have no idea what that means but I suspect that’s what the problem is.

I also ran some code in an application to check for admin rights by checking for the Administrators group explicitly in code. While running through this I noticed that I wasn’t showing up as Administrators in this list either:

WindowsIdentity id = WindowsIdentity.GetCurrent();

string Out = "";

foreach(IdentityReference Group in id.Groups)

{

NTAccount Account = Group.Translate( typeof(NTAccount) ) as NTAccount;

Out += Account.ToString() + "\r\n";

}

MessageBox.Show(Out);

Which results in:

RASVISTA\None

Everyone

RASVISTA\Debugger Users

BUILTIN\Users

NT AUTHORITY\INTERACTIVE

NT AUTHORITY\Authenticated Users

NT AUTHORITY\This Organization

LOCAL

NT AUTHORITY\NTLM Authentication

Something missing here???? No Administrators group account.

This would explain why SQL Server is having a hell of a time trying to authenticate me as an Administrator.

So now I’m really confused as to WTF is going on. In Vista I have:

UAC off
Account type set to Administrator
My User Account is part of the Administrators group in the old User Manager
Run all administrators in Admin Approval Mode group policy option is disabled

What else do I need here to get my admin acount status back properly?

If you find this content useful make a donation

Posted in Vista

Feedback for this Weblog Entry

# re: Am I an Administrator on Vista? No really am I?
by Rick Strahl January 15, 2007 @ 6:15 pm

Ok, I ended up getting this to work after having rebooted a few times. Apparently these settings require not just logging off but physically rebooting the machine.

I think the key setting is the Run all Administrators in Admin Approval Mode off

# re: Am I an Administrator on Vista? No really am I?
by Kevin Dente January 15, 2007 @ 7:04 pm

I noticed similar SQL server connection problems with I first started running Vista (with UAC). My assumption was that the split token didn't include the Administrator account group membership (unless you elevate). I ended up having to disable UAC for other reasons, so I never did get back to figuring that out in the end.

I am surprised changing UAC required a reboot, though. I would think it would be enough to logout and log back in, getting a new, unsplit, token.

# re: Am I an Administrator on Vista? No really am I?
by John Walker January 15, 2007 @ 9:22 pm

When I start Management Studio, I right-click and choose "Run as Administrator". That seems to do the trick. My understanding based on a Channel9 video I watched is that everything runs as non-Admin, unless you elevate it via UAC. Apparently Visual Studio and SQL Server are able to run as non-Admin (albeit with problems), so you won't get the UAC prompt. You have to manually select to run it as Admin. I've modified my shortcuts to run as Admin so I no longer have to remember to do this.

# re: Am I an Administrator on Vista? No really am I?
by CMon January 15, 2007 @ 9:40 pm

Is MS paying you to run Vista?

Then dump it!

# re: Am I an Administrator on Vista? No really am I?
by Steve from Pleasant Hill January 15, 2007 @ 10:37 pm

Rick, dude. So much Vista pain. Why?

As an experimental platform, yes, I can see the need based on your job. But for every day reliability?

# re: Am I an Administrator on Vista? No really am I?
by Rick Strahl January 15, 2007 @ 11:53 pm

Well, I managed to get my Administrative account status back, but SQL Server remains bonked. The problem is that the Administrators group is not there nor can it be added. At this point the only way I can administer SQL is by using the sa account.

I can't add Administrators. SQL complains that the group doesn't exist. My (now) Administrative account also doesn't have full rights to the Sql Server - I can't see all the tables although I can't make sense of why I can see some of the tables including the system tables... this is odd as hell.

Guess I'll have to reinstall Sql Server.

# re: Am I an Administrator on Vista? No really am I?
by Rick Strahl January 15, 2007 @ 11:56 pm

It's easy to say just dump Vista Steve. I have software that I need to make sure can run under Vista. And while this is certainly frustrating, I'm not 100% I wasn't myself at fault at screwing up at least this Sql Installation once I started having failures.

Believe it or not, other than these kind of 'discovery' episodes, I am more productive on Vista...

Alot of the shit I've been ranting about often turns out to also apply to XP (like the hardware issue with the Laser Mouse) which at first seemed to be a pure Vista issue.

# re: Am I an Administrator on Vista? No really am I?
by Kevin Wright January 16, 2007 @ 1:46 am

Rick, are you running the SQL Sever SP2 CTP, a large part of which I believe was to introduce Vista compatability?

Kevin

# re: Am I an Administrator on Vista? No really am I?
by Carl Warner January 16, 2007 @ 7:32 pm

For reference (don't know if there's anything to glean from this since I am not heavily into Vista yet):

How to access the true Administrator account in Windows Vista
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001970&pageNumber=2

# re: Am I an Administrator on Vista? No really am I?
by Steve from Pleasant Hill January 16, 2007 @ 10:02 pm

I wasn't saying to dump it, it just seems like too many of it's features are, well, experimental.

For R&D, parallel testing vs. Win2003 Server or something, as the product matures, I say 'of course'. Just not sure about relying on it for production level stuff at this stage.

# re: Am I an Administrator on Vista? No really am I?
by Peter Bromberg January 17, 2007 @ 1:52 pm

Jeesh! Why the comments like "Dump Vista"? Vista is great. It just has "new stuff" that we all need to get to understand. Longhorn Server is just around the corner guys. That's, essentially, "Windows Vista".

# re: Am I an Administrator on Vista? No really am I?
by Rick Strahl January 17, 2007 @ 2:04 pm

I agree...

Sometimes it's not easy to see the good stuff when what gets posted is mostly about problems. I post problems here primarily because if I run into it others most likely will too and this might help out...

But as I mentioned to Steve earlier - I'm happy with Vista overall. Yes there are a few things that are odd and different and not necessarily improved, but for the most part Vista makes me more productive in my day and that's what counts.

# re: Am I an Administrator on Vista? No really am I?
by Pieter Siegers January 17, 2007 @ 5:24 pm

Hi Rick, a good article that I'm reading now is at MSDN jan2007 by Chris Corio:
http://msdn.microsoft.com/msdnmag/issues/07/01/UAC/default.aspx
I'm also fighting with the new security measures in Vista but it's a matter of understanding why these new features actually made it into Vista, that makes for less unpleasant surprises, and one gets to know how to handle best these new situations.

# re: Am I an Administrator on Vista? No really am I?
by Brian Abbott January 18, 2007 @ 12:43 pm

Hi Rick

> but for the most part Vista makes me more productive in my day and that's what counts.

Can you give your avid readers some examples. (Having played around with Vista, I can't think of any offhand)

;-)

# re: Am I an Administrator on Vista? No really am I?
by Rick Strahl January 18, 2007 @ 7:25 pm

Sure. None of these are major, but here are a few that come to mind:

1. The new Start Menu saves me tons of time launching applications. I've been using SlickRun for some time, but even so there's plenty of stuff on the the Start Menu that I launch by typing a few letters

2. Explorer's BreadCrumbs. This is probably the biggest timesaver. Anywhere in directory views you see the whole path and you can click on any part it of it to go there. Explorer also shows the 'next' path when you do click already highlighted.

3. TaskManager. Much easier to get to other running apps (although I admit I used a utility in XP that did more or less the same)

3. Performance. Vista just runs smoother for me than XP. Explorer doesn't lock out the CPU nearly as much as XP does.

Most of these are small things but they are time savers and it adds up quickly, but they are OS features (rather than tools or add-ins)... I'm sure there's more but the line blurs since it's been a while since I've run XP <s>. I do have oneXP machine here I use for media in the living room and it's funny how I try to click on the address bar <s>...

# re: Am I an Administrator on Vista? No really am I?
by Ryan Ternier January 31, 2007 @ 6:08 pm

I have->Had the similar issue. However, mine was with Visual Studio. It wouldn't let me do anything with IIS.

AFter spending 10 hours (yesterday) trying to fix it, I decided it was better for me to spend 3 hours re-doing my computer.

Now everything works fine.

# re: Am I an Administrator on Vista? No really am I?
by Rick Strahl January 31, 2007 @ 6:15 pm

Well, given that you can accomplish the same thing in Vista by turning off User Access Control and Admin Approval mode there doesn't seem much of a point in going back IMHO...

You're going to face Vista sooner or later... it's just a matter of time how long you want to delay. The alternative is to go off to another OS altogether - and I suspect Vista may drive quite a few people, especially consumers in that direction.

# re: Am I an Administrator on Vista? No really am I?
by Ryan Ternier January 31, 2007 @ 7:43 pm

Oh I didn't re-do my comp back to XP. I just formated-> Re-install vista.

One thing I'm greatful for is the fact MS built Vista Ultimate's install so it can be done in 30 minutes (yea, that's all it takes me).

Vista is a great OS, but I think a few things were rushed. I already know many of our customers and some of my contacts that dislike/hate the UAC protection. We're not letting our sales people use it until our CSR's have ran it for 2 months so they can support the sales team... leaves us developers free to make cool stuff! :D

# re: Am I an Administrator on Vista? No really am I?
by Anthony February 06, 2007 @ 10:34 am

quick question, i came across this blog trying to deal with my own UAC issues, how does one go about turning off admin approval mode? or is this something that's specific to visual studio? i've got my own piece of software that ran just fine under all the vista beta's but wont run correctly under the retail version unless i'm logged into the actual administrator account, not the "you're an admin in name only/dubugger user" account. While the easiest answer is just stay logged in as the admin, part of the reason i'm even using vista is to test drive it before my office adopts it and while i dont mind running in admin mode i'd rather the rest of the office be under their actual user accounts. Any help would be greatly appreciated.

# re: Am I an Administrator on Vista? No really am I?
by Anthony February 06, 2007 @ 11:12 am

nevermind, i got admin approval mode off and now everything is running smoothly again.

# re: Am I an Administrator on Vista? No really am I?
by Nick Nelson February 08, 2007 @ 8:45 am

I had a problem after installing Vista in that I seemed to be locked out of SQL Server and came across this little trick that solved my problems (unfortunately I can't remember where so I can't credit it).

1. Open up services from the Admin Tools and right click on the relevant SQL database service.
2. Select Properties and then the Log On tab.
3. Re-type the password and confirm. Click OK.
This worked for me but you could also try messing around with the Log On account if it doesn't work for you.

Now I've just got to get VS2005 working with my local IIS (it won't let me access any local websites via VS because it hasn't got access to the local IIS metabase). Love and kisses to Bill G.

Nick

# re: Am I an Administrator on Vista? No really am I?
by Nick Nelson February 08, 2007 @ 9:49 am

For anyone interested I solved my IIS metabase access problem using this MS knowledgebase article. It seems it's an IIS6/IIS7 (which ships with Vista) compatability question.

http://support.microsoft.com/kb/928574

Nick

PS. An extraneous instruction crept into the article, so ignore step 4 in Error Message 2 instructions.

# ASP.NET Forums - Vista + Visual Studio - The Web server does not appear to have the FrontPage server extensions installed
by Visual Studio 2005 April 16, 2007 @ 12:18 pm

# Vista + Visual Studio - The Web server does not appear to have the FrontPage server extensions installed - ASP.NET Forums
by ASP.NET Forums May 20, 2007 @ 6:00 am

re: Am I an Administrator on Vista? No really am I?
by Sayid January 27, 2008 @ 5:49 pm

a new problem with vista no access any FLV video in internet temperory Folder !!!

Microsoft Solution

1. OS Vista; IE 7

2. In Windows Explorer Folder Options, check "show hidden files and folders" and uncheck "hide protected operating system files".

3. Open IE, click Tools, Internet Options; on the General Tab, click Settings under "Browsing history", then click View Files. This gives you a list of Temporary Internet Files, but not "hidden" files. On the address bar, add "\Content.IE5", so that it now reads "C:\Users\[your name]\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5". Some additonal sub-folders now appear under Temporary Internet Files.

4. On the left panel, right click on the Temporary Internet Files (TIF) folder, click Properties. (Note that the number of files and folders are far more than the files and folders that are listed in TIF and all of its sub-folders.) Write down the size of the TIF folder. If this size is close to the capacity set for TIF (which it probably is), delete some of the files if you want to follow along with the example below.

5. Go to YouTube or Googlevideo and view a somewhat lengthly video. (I would recommend video.google.com/videoplay?docid=4776181634656145640 or www.youtube.com/watch?v=AT-_2oAdN40, which is about 10-11meg.)

6. Refresh the TIF folder, noting NO new visible files.

7. Now, right click on Temporary Internet Files, click Properties, and note that the size of the TIF folder has gone up by about the size of the video file that was saved in the TIF folder, but the video file is NOT VISIBLE.

If you do the same thing using XP (as I did on another computer), the TIF folder will have an .flv file (in the case of Google) or a "File" (in case of YouTube).

So, the question remains, how can you access the saved video file on Vista???

(Further caveats: I am signed on as administrator, my security/privacy/advanced settings for IE 7 are the same on both my Vista and XP computers, and I am using the same version of Norton, with similar settings on both computers.)

BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT,BOULSHIT, and BOULSHIT.