I came across what I deemed a strange behavior while trying to automate a
file copy on Windows 7. Perhaps someone could shed some light.
Environment: Windows 2008 domain with Windows 7 clients.
Scenario and facts: Goal is to copy/replace a single file in the Default
profile. Because of newly implemented security configuration on the
Default profile folder in Win 7 even the local admin is denied
permission to override anything under that folder; not unless the copy
operation is being executed under the elevated admin security token or
(from my research) under the local SYSTEM account’s security context.
This behavior is true when the copy operation is executed locally using
either the UNC path or standard path.
However the copy/override operation succeeds when it originates from a
remote Windows 7 machine via UNC path (ex:
\TargetWin7C$UsersDefault...TargetFolder) and this copy operation
is executed using the Domain Admin account under standard, non-elevated
token (note: Domain Admin account is a Local Admin on the target PC).
All of the above is true when using any CLI or programmatical approach – ex: xCopy, VBS FileSystemObject.copyFile method.
Question: What is the difference between executing the operation locally
and doing so remotely in this case? It seems that when doing it over
the network the session is treated as being with UAC “HIGHEST Privileges”.
Note: THis is not a question about the missing "Copy To" button in the Profiles of Windows 7. The Default Profile is used as example - I'm only interested in the security aspect of the above.
Software/Hardware used: Windows 7, Windows 2008 Domain