(Why) can a Standard user access an Administrator's data?


Fortitude

Member
VIP
Local time
7:00 AM
Posts
66
OS
Windows 11 Pro 22H2 OS Build 22621.675
I recently upgraded to Windows 11, but my query may not be related to this fact and the matter may have existed since the time that I was using Windows 10.
I have three accounts on my PC: Two of them are Windows Administrators. One of them is signed in with a Microsoft account and the other is a Local administrator. The third one is a Standard account and is the one that I use on a day to day basis. The Standard account is signed in with a Microsoft account. I notice that as a Standard user I can browse freely the User directories of the Microsoft signed-in Administrator, but I cannot access the Local administrator's directories unless I use Administrator account credentials.

My question is why do I need Administrator privileges to view one, but not the other Administrator's directories?
 

My Computer

System One

  • OS
    Windows 11 Pro 22H2 OS Build 22621.675
    Computer type
    Laptop
    Manufacturer/Model
    Dell Inspiron 5482 2-in-1
    CPU
    Intel Core i7-8565U
    Memory
    8GB
    Monitor(s) Displays
    BenQ
    Internet Speed
    1Gbps/300Mbps (nominal)
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Windows Defender, Defender UI, Voodooshield
I don't think there is any logic behind !

Some folders are not locked at all, some are "half" locked, others fully.
Let's take System Apps and Windows Apps.
If you click on the C:\Windows\System Apps Folder, you have full access (as an Administrator).
If you click on C:\Progam Files\WindowsApps (hidden folder), you are first "half" blocked, but there is a message to click further to go on. However when you do that, the System tells you that you cannot access the folder (except by changing the owner of the folder).
And then there is a third category of folders (didn't find an example now edit: found an example: C:\Windows\System32\drivers\DriverData) where you are at first in the same situation as above ("half" blocked), but when you click further, a scan is running and then you are allowed to have full access.

???
 

My Computer

System One

  • OS
    WIN 11 / WIN 10 dual boot
    Computer type
    PC/Desktop
    Manufacturer/Model
    No clue (x64 based) from 2016
    CPU
    Intel Pentium G 4400 (Skylake)
    Motherboard
    MS 7971, Bios: American Megatrend C.E0 (2018)
    Memory
    DDR4 12 GB
    Graphics Card(s)
    internal (Intel HD 510)
    Hard Drives
    2x Western Digital (no SSD)
I don't think there is any logic behind !

Some folders are not locked at all, some are "half" locked, others fully.
I would not mind an inconsistency as regards Windows programs, but I expected that there would be a barrier between a Standard user and an Administrator where their data (documents etc.) are concerned. In my case of course it's no issue because I'm the sole user on this PC, but I imagine it could be a real problem in other circumstances.
 

My Computer

System One

  • OS
    Windows 11 Pro 22H2 OS Build 22621.675
    Computer type
    Laptop
    Manufacturer/Model
    Dell Inspiron 5482 2-in-1
    CPU
    Intel Core i7-8565U
    Memory
    8GB
    Monitor(s) Displays
    BenQ
    Internet Speed
    1Gbps/300Mbps (nominal)
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Windows Defender, Defender UI, Voodooshield
The local admin account doesn't have a Microsoft account associated with it. The other two have and possibly the same account?
 

My Computers

System One System Two

  • OS
    Win 11 Home & 🐥.
    Computer type
    Laptop
    Manufacturer/Model
    ACER Nitro AN16-41
    CPU
    AMD Ryzen™ 7 7735HS Processor 3.2Ghz
    Motherboard
    RB Sierra_PEH (FP7)
    Memory
    32 GB DDR5 4800MHz
    Graphics Card(s)
    NVIDIA GeForce RTX 4060 8GB GDDR6
    Monitor(s) Displays
    16" QHD+ 165Hz 16:10 IPS Technology
    Screen Resolution
    1920 X 1200
    Hard Drives
    Samsung 990 PRO 2TB
    PSU
    330 Watts
    Mouse
    Lenovo Bluetooth.
    Internet Speed
    500 Mbps
    Browser
    Edge
    Antivirus
    Defender
  • Operating System
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    ACER NITRO
    CPU
    AMD Ryzen 7 5800H / 3.2 GHz
    Motherboard
    CZ Scala_CAS (FP6)
    Memory
    32 GB DDR4 SDRAM 3200 MHz
    Graphics card(s)
    NVIDIA GeForce RTX 3060 6 GB GDDR6 SDRAM
    Sound Card
    Realtek Audio. NVIDIA High Definition Audio
    Monitor(s) Displays
    15.6" LED backlight 1920 x 1080 (Full HD) 144 Hz
    Screen Resolution
    1920 x 1080 (Full HD)
    Hard Drives
    Samsung 970 Evo Plus 2TB NVMe M.2
    PSU
    180 Watt, 19.5 V
    Mouse
    Lenovo Bluetooth
    Internet Speed
    500 Mbps
    Browser
    Edge
    Antivirus
    Defender
Now I confused myself! :D
I had three user accounts, that is one Administrator, one Local Administrator and one Standard account. Their directories had a username that was different than the respective account name. I messed up and now what I had known to be a Local Administrator doesn't have the name that it had earlier, but it has the username. In other words (using fictitious data), I had account Alec (administrator), Ben (local admin) and Charlie (standard user). Their directories were named apple, berry, cherry. The Windows logon screen showed Alec, Ben and Charlie as options for me to logon to Windows. Now after my messing around the logon screen shows Alec, berry and Charlie and I cannot change "berry" to Ben on the logon screen :crys:

EDIT: Panic over. I found a tutorial on Ten Forums and solved the account name issue.
 
Last edited:

My Computer

System One

  • OS
    Windows 11 Pro 22H2 OS Build 22621.675
    Computer type
    Laptop
    Manufacturer/Model
    Dell Inspiron 5482 2-in-1
    CPU
    Intel Core i7-8565U
    Memory
    8GB
    Monitor(s) Displays
    BenQ
    Internet Speed
    1Gbps/300Mbps (nominal)
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Windows Defender, Defender UI, Voodooshield
The local admin account doesn't have a Microsoft account associated with it. The other two have and possibly the same account?
Restating in order to clarify, maybe:
I have three accounts on my PC: One is an Administrator. The second one is also an Administrator and is designated a Local Account. The third one is a Standard account which I use for my daily work on the computer.

I have a Microsoft account for each of these accounts, but I'm logged with the Microsoft account of the Administrator only.

I notice that as a Standard user I can freely see the contents of the User directories of the Administrator. However, I cannot access likewise the Local administrator's directories unless I use an Administrator password.

My question is why do I need Administrator privileges to view one, but not the other Administrator's directories?
 

My Computer

System One

  • OS
    Windows 11 Pro 22H2 OS Build 22621.675
    Computer type
    Laptop
    Manufacturer/Model
    Dell Inspiron 5482 2-in-1
    CPU
    Intel Core i7-8565U
    Memory
    8GB
    Monitor(s) Displays
    BenQ
    Internet Speed
    1Gbps/300Mbps (nominal)
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Windows Defender, Defender UI, Voodooshield
I have a Microsoft account for each of these accounts, but I'm logged with the Microsoft account of the Administrator only.
I'm confused now. A Local account won't have a Microsoft account. You just have a name and PIN/password.
 

My Computers

System One System Two

  • OS
    Win 11 Home & 🐥.
    Computer type
    Laptop
    Manufacturer/Model
    ACER Nitro AN16-41
    CPU
    AMD Ryzen™ 7 7735HS Processor 3.2Ghz
    Motherboard
    RB Sierra_PEH (FP7)
    Memory
    32 GB DDR5 4800MHz
    Graphics Card(s)
    NVIDIA GeForce RTX 4060 8GB GDDR6
    Monitor(s) Displays
    16" QHD+ 165Hz 16:10 IPS Technology
    Screen Resolution
    1920 X 1200
    Hard Drives
    Samsung 990 PRO 2TB
    PSU
    330 Watts
    Mouse
    Lenovo Bluetooth.
    Internet Speed
    500 Mbps
    Browser
    Edge
    Antivirus
    Defender
  • Operating System
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    ACER NITRO
    CPU
    AMD Ryzen 7 5800H / 3.2 GHz
    Motherboard
    CZ Scala_CAS (FP6)
    Memory
    32 GB DDR4 SDRAM 3200 MHz
    Graphics card(s)
    NVIDIA GeForce RTX 3060 6 GB GDDR6 SDRAM
    Sound Card
    Realtek Audio. NVIDIA High Definition Audio
    Monitor(s) Displays
    15.6" LED backlight 1920 x 1080 (Full HD) 144 Hz
    Screen Resolution
    1920 x 1080 (Full HD)
    Hard Drives
    Samsung 970 Evo Plus 2TB NVMe M.2
    PSU
    180 Watt, 19.5 V
    Mouse
    Lenovo Bluetooth
    Internet Speed
    500 Mbps
    Browser
    Edge
    Antivirus
    Defender
I'm confused now. A Local account won't have a Microsoft account. You just have a name and PIN/password.
You are right. I see that now, even if my setup is unnecessarily complicated. Anyway, my Standard user cannot see the directories of the Local administrator account without an administrator password which is what I would expect. Why though does the Standard user see the directories of the other account, the Administrator, without having to enter an administrator password?

Do the following images help shed some light? The first is the Administrator account whose directories I can see with the third one which is supposed to be the Standard user.
Administrator.png
Local Admin.png
Local-standard.png
 

My Computer

System One

  • OS
    Windows 11 Pro 22H2 OS Build 22621.675
    Computer type
    Laptop
    Manufacturer/Model
    Dell Inspiron 5482 2-in-1
    CPU
    Intel Core i7-8565U
    Memory
    8GB
    Monitor(s) Displays
    BenQ
    Internet Speed
    1Gbps/300Mbps (nominal)
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Windows Defender, Defender UI, Voodooshield
Forget the local account. Is the admin Microsoft account the same as the standard Microsoft account? Same email addy? Have you tried opening a folder from the standard account on the admin account? Most probably you won't have permission unless you allow and have to input the admin's account password. Once you do that, though, the permission stays.
 

My Computers

System One System Two

  • OS
    Win 11 Home & 🐥.
    Computer type
    Laptop
    Manufacturer/Model
    ACER Nitro AN16-41
    CPU
    AMD Ryzen™ 7 7735HS Processor 3.2Ghz
    Motherboard
    RB Sierra_PEH (FP7)
    Memory
    32 GB DDR5 4800MHz
    Graphics Card(s)
    NVIDIA GeForce RTX 4060 8GB GDDR6
    Monitor(s) Displays
    16" QHD+ 165Hz 16:10 IPS Technology
    Screen Resolution
    1920 X 1200
    Hard Drives
    Samsung 990 PRO 2TB
    PSU
    330 Watts
    Mouse
    Lenovo Bluetooth.
    Internet Speed
    500 Mbps
    Browser
    Edge
    Antivirus
    Defender
  • Operating System
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    ACER NITRO
    CPU
    AMD Ryzen 7 5800H / 3.2 GHz
    Motherboard
    CZ Scala_CAS (FP6)
    Memory
    32 GB DDR4 SDRAM 3200 MHz
    Graphics card(s)
    NVIDIA GeForce RTX 3060 6 GB GDDR6 SDRAM
    Sound Card
    Realtek Audio. NVIDIA High Definition Audio
    Monitor(s) Displays
    15.6" LED backlight 1920 x 1080 (Full HD) 144 Hz
    Screen Resolution
    1920 x 1080 (Full HD)
    Hard Drives
    Samsung 970 Evo Plus 2TB NVMe M.2
    PSU
    180 Watt, 19.5 V
    Mouse
    Lenovo Bluetooth
    Internet Speed
    500 Mbps
    Browser
    Edge
    Antivirus
    Defender
Short answer: No that should not be happening

You are likely to have, during your setup and changes, authenticated. Its possible it is a bug, there are plenty of those being found..

Limited user accounts should not be able to change permissions/ownership (needed to enter other peoples user folder) on files that other user/administrators own.
 

My Computer

System One

  • OS
    PE
Forget the local account. Is the admin Microsoft account the same as the standard Microsoft account? Same email addy? Have you tried opening a folder from the standard account on the admin account? Most probably you won't have permission unless you allow and have to input the admin's account password. Once you do that, though, the permission stays.
Thanks for your reply.
The Microsoft account is different than the standard Microsoft account. They have different email addresses and user directories.
Opening the Admin account's folders from my Standard Microsoft account is what I noticed and queried in this thread as I thought it shouldn't be possible.

By comparison, in order to open the Local Admin's folders from the Standard Microsoft account requires a password. In this case I have to enter either the Local Admin's password or the Microsoft Admin's password.
 

My Computer

System One

  • OS
    Windows 11 Pro 22H2 OS Build 22621.675
    Computer type
    Laptop
    Manufacturer/Model
    Dell Inspiron 5482 2-in-1
    CPU
    Intel Core i7-8565U
    Memory
    8GB
    Monitor(s) Displays
    BenQ
    Internet Speed
    1Gbps/300Mbps (nominal)
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Windows Defender, Defender UI, Voodooshield
Limited user accounts should not be able to change permissions/ownership (needed to enter other peoples user folder) on files that other user/administrators own.
That's my impression too.
 

My Computer

System One

  • OS
    Windows 11 Pro 22H2 OS Build 22621.675
    Computer type
    Laptop
    Manufacturer/Model
    Dell Inspiron 5482 2-in-1
    CPU
    Intel Core i7-8565U
    Memory
    8GB
    Monitor(s) Displays
    BenQ
    Internet Speed
    1Gbps/300Mbps (nominal)
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Windows Defender, Defender UI, Voodooshield
I have three accounts on my PC: One is an Administrator. The second one is also an Administrator and is designated a Local Account. …
I have a Microsoft account for each of these accounts

A local account does not have an MSAccount - it's either one thing or the other thing but not both. Please would you clarify nature of the accounts.

Sorry, I can now see that I missed the relevant posts on first reading the thread.

Denis
 
Last edited:

My Computer

System One

  • OS
    Windows 11 Home x64 Version 23H2 Build 22631.3447
Opening the Admin account's folders from my Standard Microsoft account is what I noticed

I suggest you right-click on the main
C:\Users\-----
folder for the 'Admin account's folders',
Properties,
Security,
Advanced
so you can check what access permissions have been given for the folder & its sub-folders.

Isn't it possible that you once gave access permission to your Standard user account but have since forgotten about it?
- Once given, access permissions for such folders remains in force until they are deliberately altered again [using the Advanced dialog above].

All the best,
Denis
 

My Computer

System One

  • OS
    Windows 11 Home x64 Version 23H2 Build 22631.3447
I suggest you right-click on the main
C:\Users\-----
folder for the 'Admin account's folders',
Properties,
Security,
Advanced
so you can check what access permissions have been given for the folder & its sub-folders.

Isn't it possible that you once gave access permission to your Standard user account but have since forgotten about it?
- Once given, access permissions for such folders remains in force until they are deliberately altered again [using the Advanced dialog above].

All the best,
Denis
That is what has happened I believe.
From a standard (guest) account I had access to both admin accounts, either local or Microsoft. Once you give permissions then that's it unless you play around with permissions again. All you need are the passwords/PIN.




Screenshot_2.png

Screenshot_2.png

Local account,
Screenshot_4.png
 

My Computers

System One System Two

  • OS
    Win 11 Home & 🐥.
    Computer type
    Laptop
    Manufacturer/Model
    ACER Nitro AN16-41
    CPU
    AMD Ryzen™ 7 7735HS Processor 3.2Ghz
    Motherboard
    RB Sierra_PEH (FP7)
    Memory
    32 GB DDR5 4800MHz
    Graphics Card(s)
    NVIDIA GeForce RTX 4060 8GB GDDR6
    Monitor(s) Displays
    16" QHD+ 165Hz 16:10 IPS Technology
    Screen Resolution
    1920 X 1200
    Hard Drives
    Samsung 990 PRO 2TB
    PSU
    330 Watts
    Mouse
    Lenovo Bluetooth.
    Internet Speed
    500 Mbps
    Browser
    Edge
    Antivirus
    Defender
  • Operating System
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    ACER NITRO
    CPU
    AMD Ryzen 7 5800H / 3.2 GHz
    Motherboard
    CZ Scala_CAS (FP6)
    Memory
    32 GB DDR4 SDRAM 3200 MHz
    Graphics card(s)
    NVIDIA GeForce RTX 3060 6 GB GDDR6 SDRAM
    Sound Card
    Realtek Audio. NVIDIA High Definition Audio
    Monitor(s) Displays
    15.6" LED backlight 1920 x 1080 (Full HD) 144 Hz
    Screen Resolution
    1920 x 1080 (Full HD)
    Hard Drives
    Samsung 970 Evo Plus 2TB NVMe M.2
    PSU
    180 Watt, 19.5 V
    Mouse
    Lenovo Bluetooth
    Internet Speed
    500 Mbps
    Browser
    Edge
    Antivirus
    Defender
I couldn't find the UAC Edit Security dialogs shown in Fabler2's post. However, the answer must be as described by Try3 and Fabler2. Using the Security tab settings I removed the Standard account from access to the folder. There were a number of popup warning messages that I dismissed, but in the end the Standard account doesn't access the particular Administrator's folders.

That was a real mystery to me and I'm very impressed that an answer was finally found. Wholehearted thanks for your assistance.
 

My Computer

System One

  • OS
    Windows 11 Pro 22H2 OS Build 22621.675
    Computer type
    Laptop
    Manufacturer/Model
    Dell Inspiron 5482 2-in-1
    CPU
    Intel Core i7-8565U
    Memory
    8GB
    Monitor(s) Displays
    BenQ
    Internet Speed
    1Gbps/300Mbps (nominal)
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Windows Defender, Defender UI, Voodooshield
I couldn't find the UAC Edit Security dialogs shown in Fabler2's post

They were just examples.

You can generate your own examples by trying to run anything as Admin.
- The name of the app being called will be shown where the earlier examples showed Edit Security
- The dialogs look different when being called from an Admin account [Yes, No buttons] or a Standard account [Admin password/PIN demanded first]
It's virtually the same as in Windows 10 - see my sample CredentialUI, ConsentUI diagrams - TenForums
- in which I was calling the cmd prompt each time
- #3 ConsentUI - Yes greyed out [Admin account] indicates a fault condition


MS uses the term CredentialUI to refer to the dialog shown to a standard user account when an elevated process is called, and
MS uses the term ConsentUI to refer to the dialog shown to an Admin user account when an elevated process is called, and
MS uses the term ElevationUI to refer to either of them.
Most people just call them "Admin prompts".


All the best,
Denis
 

My Computer

System One

  • OS
    Windows 11 Home x64 Version 23H2 Build 22631.3447
Back
Top Bottom