File Share and UAC in Server 2012 R2

Setting up a file server on Windows Server 2012 R2 is quite easy, and there are many good guides about what kind of share and NTFS permissions should be given.

The purpose of this post is to share my findings about UAC and file sharing. As everyone knows, Microsoft introduced UAC with Windows Vista and Windows Server 2008, and we all have mixed feelings about it. Myself, when I set up a server or Windows PC, one of the first things I do is disable UAC. But now I am starting to understand it more, and I tend to leave it on.

The problem with UAC on Server 2012 R2 appears when you set up a file share and add the local Administrators group to the NTFS permissions with full access. Windows Explorer opens as a normal user, which means that when we try to access shared folders we see a UAC warning with “no permission to access this folder” and an option to click Continue.


UAC Warning

The problem is that when you click Continue, Windows adds the current user to the ACL with full permission. That is not good when many administrators manage the file servers, as soon every file share will have many unnecessary permissions.

To fix that we need to open Windows Explorer in elevated mode, which requires some modification. First we need to modify the registry key located at HKEY_CLASSES_ROOT\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}.
We need to take ownership of this key to be able to modify the registry string inside it; after that, rename the REG_SZ value from RunAs to _RunAs. It is only fair to say thank you to Sami Laiho, who pointed out this registry change in his Pluralsight training, which I really recommend watching.


Registry String to rename

Now we will be able to run Windows Explorer in elevated mode. Start PowerShell by right-clicking its icon on the taskbar and choosing Run As Administrator; when it opens, run the command Start DriveLetter, for example Start C:\. Now when accessing a file share I am not prompted by UAC and my name is not added to the folder permissions. Alternatively, right-click explorer.exe under C:\Windows and choose Send to > Desktop (Create Shortcut). From the Desktop, right-click the new shortcut and choose Run As Administrator.

Update:

We can modify the same registry key on a desktop PC; after that it is possible to open Windows Explorer with Run as different user, specifying the file server administrator account name and password (which is a Domain Admin in many cases). Once it is open, we can use the file server's UNC path to access user or department shares without the UAC prompt and without our name being automatically added to the folder permissions.
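
To clean up after earlier Continue clicks, the per-user entries they left behind have to be found first. The PowerShell below is an added example, not part of the original post: it lists explicit (non-inherited) Allow entries with Full control on a share tree whose identity is not on an expected list. The share root D:\Shares and the expected identities are assumptions to adjust; run it from an elevated PowerShell session so the ACLs can be read.

```powershell
# Added example: audit a share tree for explicit Full control entries.
# $ShareRoot and $Expected are assumptions; adjust them to your server.
param(
    [string]   $ShareRoot = 'D:\Shares',
    [string[]] $Expected  = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
)

$full = [System.Security.AccessControl.FileSystemRights]::FullControl

function Find-ExplicitFullControlAce {
    param([string] $Root, [string[]] $Allowed)

    # Include the root itself, then every subfolder beneath it.
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }

        foreach ($ace in $acl.Access) {
            # Full control means every bit of the FullControl mask is set.
            $isFull = ($ace.FileSystemRights -band $full) -eq $full

            # Report only explicit Allow entries for identities we do not expect.
            if ($ace.AccessControlType -eq 'Allow' -and -not $ace.IsInherited -and
                $isFull -and $Allowed -notcontains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Folder   = $folder.FullName
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
}

Find-ExplicitFullControlAce -Root $ShareRoot -Allowed $Expected |
    Sort-Object Identity, Folder |
    Format-Table -AutoSize
```

Entries that name an individual administrator account rather than a group are the ones to review and remove.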

 

 
