I Cannot See the Spooled Reports Even though I Am an Administrator Equivalent User

Release Date: 08/16/2017

Q - I am an administrator equivalent user, I logon to the PSQL server to run Elliott V8.2. I do this because I was instructed to run Deferred Processing on the PSQL server since the performance is much faster.  My PSQL server is a Windows 2012 server.  Recently, we implemented NTFS security on the Elliott folder. Now I find that I cannot see the spooled reports created by other users when I logon to the PSQL server through a remote desktop.  But I can see those reports on my workstation.  I investigated this further by bringing up Windows Explorer on my workstation. When I browse to a sub folder under the Reports folder, I can see various spooled report files created by other users.  See sample screen below:


But if I logon to the PSQL server console through a Remote Desktop, and use Windows Explorer to browse to the same location, the folder is empty. See sample screen below:


Since this problem happens with Windows Explorer as well, I understand the problem is beyond Elliott.  But I can't figure out why Windows treats the security differently while I am logged in as the same domain user.

A - The nature of this problem is caused by UAC (User Account Control), which a lot of people hate. UAC was first introduced in Microsoft Windows Vista.  The UAC feature was primarily responsible for the failure of that OS. In Windows 7, Microsoft drastically reduced the annoyance of UAC and made the OS more acceptable to the majority of the user base. However, the UAC still shows up as a problem from time to time, and this is an example.

To understand the nature of this problem, you need to know that when you perform an operation on your computer, UAC assumes that you don't have Administrator rights. If the operation requires Administrator rights, then it will prompt you to elevate your rights to an Administrator level.  UAC was designed to prevent a virus from affecting an Admin user and havinng a devastating effect. With UAC, when virus attempts to perform an operation, it alerts the users. 

However, in Windows Explorer, when the UAC is enabled, you are not going to see those files that require the Admin rights to view due to UAC filtering the Administrator privileges. So, you might ask, why does this not apply when you run Elliott from a workstation?  The answer is UAC is only applicable for accessing the local system, which is the case when you logon to the PSQL server console.  UAC does not apply to the remote file system when your workstation is accessing Elliott from a mapped drive in the shared folder on the server.  From our observation, this problem seems to be limited to the following conditions:
  1. When using a remote desktop with the PSQL server; and
  2. When you logon as an Administrator equivalent user, instead of an actual Administrator; and
  3. When running on Windows Server 2012/ (This problem is less severe with Windows 2008 because "access based enumeration" is not enabled by default.  We have not verified whether or not the same problem is applicable to Windows Server 2016); and
  4. After Implementing NTFS security on Elliott folder; and
  5. UAC is enabled.
Therefore, we have several potential solutions to resolve this UAC problem:
  1. Disable UAC on the PSQL server; or
  2. Logon to the PSQL server as Administrator instead of Admin equivalent user; or
  3. Have a separate Terminal Server from your PSQL server; or
  4. Create "Elliott_Admin" user group and grant full rights to the Elliott folder (preferred solution).

Disable UAC on PSQL server

To disable UAC on the PSQL server.  Follow these steps:
  1. On the server hosting the shared folder, open group policy editor. Run “gpedit.msc”
  2. Navigate to “Computer Configuration” -> Windows Settings -> Security Settings -> Local Policies -> “Security Options”
  3. Set “User Account Control: Run all administrators in Admin Approval Mode” to “Disabled”
  4. Reboot the server
See the sample screen below:

Some of you might be concerned with disabling the UAC feature.  Here is a Knowledge Base article in which Microsoft outlines the conditions under which you can disable UAC on your server:
    https://support.microsoft.com/en-us/help/2526083/disabling-user-account-control-uac-on-windows-server
The key is you don't want disable UAC protection on your normal desktop session on the server where you will use high-risk applications, like Browser, Emails...etc.

Logon to PSQL Server as Administrator Instead of Admin Equivalent User

Oddly, we noticed that this problem is applicable to Admin equivalent users, but not applicable when you logon as an actual "Administrator."  We don't know how to explain that at this moment.

Have a Separate Terminal Server from your PSQL Server

If you are running a very small network where your PSQL is your only server, then this solution is not applicable.  If you do have more servers available, we suggest that you run Remote Desktop sessions on a server other than your PSQL server.  This will resolve the UAC problem mentioned in this article because UAC is only applicable to local file systems.

Create "Elliott_Admin" User Group and Grant Full Rights to Elliott Folder

Typically, the users who have NTFS rights to the Elliott folder include the following:
  • Everyone
  • SYSTEM
  • Administrator 
  • Administrators
The Everyone group is given minimum rights to the Elliott folder.  The SYSTEM group is given full rights where the PSQL engine will assume this identity to access the database under the Elliott folder.  The Administrator or Administrators will give Admin users the full right to access the Elliott folder.  But when UAC is enabled, it actively filters out the Administrator and Administrators right to the Elliott folder.  The end result is you will only have Everyone's minimum right to Elliott folder. Therefore, you won't see other users' spooled reports.  Again, this is only a problem when you use a remote desktop with the PSQL server because UAC only applies to local file systems.

To solve this problem, you can consider adding a user group "Elliott_Admin" and grant full rights to the Elliott folder. Make yourself and other Elliott Admin users members of this group.  See sample screen below:


This concept of using "Elliott_Admins" user group is somewhat difficult to understand because UAC will filter Administrator rights, but it will not filter the non-Admin (Elliott_Admins) user group's right.  If you think you are Admin equivalent -- and, therefore, have full rights -- then you are in for a surprise with the strange and annoying UAC behavior.

EMK

Feedback and Knowledge Base