Databases and the Windows Vista® “User-Account-Control (UAC)™” Feature

“It's not a bug... it's a feature!”   (In this case, that's literally true!)

The Windows Vista® operating system, which began shipping on nearly all consumer desktop computers in mid-2007, introduced a new “feature” called User Account Control (UAC)™.

You can read more about it at these links:

To quote from the first Microsoft article:

“Prior to Windows Vista, many applications were typically run by administrators.   As a result, applications could freely read and write system files and registry keys.   If standard users ran these applications, they would fail due to insufficient access.

“Windows Vista improves (sic...) application compatibility for standard users by redirecting writes (and subsequent file or registry operations) to a per-user location within the user's profile.”

In other words:   in a misguided attempt to let you run all those programs that you used to run, without worrying your pretty-little-head about exactly what “an Administrator” is or how you might need to change the security on folders if you wish to share them with others, Vista simply recognizes when your programs are trying to write to a common file that you don't have proper read/write access to (such as, say, a Paradox® or even a Microsoft Access® database?), and without telling you or your program what it's doing, Vista:

“What were they thinking?” ...

How does this feature affect you if it's turned-on?

What seems to happen is that each user sees only their changes to the database, and no one else's changes are visible at all. This happens because every one of you is, in fact, updating your own private copy!

When designing this “feature,” Microsoft also failed to consider that the shared files could be large. When making the copy, a computer may freeze for long periods of time. If many users are (unknowingly...) doing this at the same time, it's even worse.
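To confirm that users really are working on private copies, look in each profile's VirtualStore folder, the per-user location under `AppData\Local` where Vista places redirected writes. The PowerShell below is an added example, not part of the original article. The file-extension list and the function name are assumptions chosen for Paradox and Access files, and it uses only PowerShell 2.0 features so it also runs on Vista.

```powershell
# Added example: find database files that UAC file virtualization has copied
# into per-user VirtualStore folders. Run elevated so every profile is readable.
$DbExtensions = '.db', '.px', '.mb', '.mdb', '.net'  # assumption: Paradox/Access file types

function Get-VirtualizedDatabaseCopy {
    param(
        [string]$ProfilesRoot = (Split-Path -Parent $env:USERPROFILE),
        [string[]]$Extensions = $DbExtensions
    )
    $profiles = Get-ChildItem -Path $ProfilesRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer }
    foreach ($userProfile in $profiles) {
        $store = Join-Path $userProfile.FullName 'AppData\Local\VirtualStore'
        if (-not (Test-Path -LiteralPath $store)) { continue }
        $copies = Get-ChildItem -LiteralPath $store -Recurse -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and
                           $Extensions -contains $_.Extension.ToLower() }
        foreach ($copy in $copies) {
            # The path below VirtualStore mirrors the original path on the system drive.
            $relative = $copy.FullName.Substring($store.Length).TrimStart('\')
            $original = Join-Path ($env:SystemDrive + '\') $relative
            $originalWritten = $null
            if (Test-Path -LiteralPath $original) {
                $originalWritten = (Get-Item -LiteralPath $original).LastWriteTime
            }
            New-Object PSObject -Property @{
                User            = $userProfile.Name
                PrivateCopy     = $copy.FullName
                CopyWritten     = $copy.LastWriteTime
                Original        = $original
                OriginalWritten = $originalWritten
            }
        }
    }
}

# Several users listed against the same Original, each with a different
# CopyWritten time, is the "everyone sees only their own changes" symptom.
Get-VirtualizedDatabaseCopy | Sort-Object Original, User |
    Format-Table User, Original, OriginalWritten, CopyWritten -AutoSize
```

Any private copy that holds data the shared file lacks has to be reconciled by hand before the copies are removed.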

What do you need to do?

The bottom line is... if you're using shared database files of any sort, you have to turn this feature off. This is done in the User Accounts control panel as described in the Step-by-Step article above.

You must also be sure that security-permissions are appropriately set for all of the shared directories which contain database files:   all users must be able to read, write, and create and delete files in those directories, as well as the directory used for NET FILE DIR (PDOXUSRS.NET).

(Incidentally, you may find that if you have set the security properly for the shared directories in advance, UAC's file-copying behavior is never actually triggered.)

It is very simple to change the permissions for files and directories. Within the Windows® desktop (or Windows Explorer), when you right-mouse-click on any directory (“folder”...), several choices will be displayed, one of which will be (by various names...) called “Security and Permissions.” You may initially be presented with a simplified version of this dialog (designed, for some odd reason, to resemble MS-DOS®) but you can see the “advanced” (i.e. real...) version of this dialog. This will be the one which lets you set the permissions for, among others, the owner of the directory, for administrators, and for Everyone. You must grant all-access to this directory to “Everyone.” And you must apply those permissions to all of the files within that directory, as well.

(If you find that these choices are grayed-out, it means that you don't have permission to change those permissions! Usually this sort of thing is done by an Administrator, who will by definition have the necessary permission.)
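The same requirement can be checked from a script instead of the dialog. The PowerShell below is an added example, not part of the original article: it reads a directory's ACL and reports whether the entries for one identity cover read, write, create and delete on the directory and are inherited by the files inside it. The function name and the two paths are placeholders, and the check matches entries by name only, so it does not resolve group membership or localized account names.

```powershell
# Added example: check that an identity's ACL entries on a shared database
# directory grant read, write, create and delete, and carry down to its files.
function Test-SharedDirAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$Identity = 'Everyone'
    )
    # Modify = read, write, create and delete (Full Control also satisfies it).
    $needed        = [int][System.Security.AccessControl.FileSystemRights]::Modify
    $objectInherit = [int][System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $inheritOnly   = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $onDir = 0; $onFiles = 0; $denied = $false

    foreach ($rule in (Get-Acl -Path $Path).Access) {
        if ($rule.IdentityReference.Value -ne $Identity) { continue }
        if ($rule.AccessControlType -eq 'Deny') { $denied = $true; continue }
        $rights = [int]$rule.FileSystemRights
        # An inherit-only entry applies to children but not to the directory itself.
        if (([int]$rule.PropagationFlags -band $inheritOnly) -eq 0) {
            $onDir = $onDir -bor $rights
        }
        # Object-inherit entries are the ones the files in the directory receive.
        if (([int]$rule.InheritanceFlags -band $objectInherit) -ne 0) {
            $onFiles = $onFiles -bor $rights
        }
    }
    New-Object PSObject -Property @{
        Path         = $Path
        Identity     = $Identity
        DirectoryOk  = (($onDir -band $needed) -eq $needed)
        FilesOk      = (($onFiles -band $needed) -eq $needed)
        HasDenyEntry = $denied
    }
}

# Placeholder paths: substitute each shared data directory and the NET FILE DIR.
'D:\Shared\Data', 'D:\Shared\NetDir' |
    Where-Object { Test-Path $_ } |
    ForEach-Object { Test-SharedDirAccess -Path $_ }
```

A directory that reports `DirectoryOk` but not `FilesOk` has the right entry on the folder without it being applied to the files inside, which is the second half of the step above.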

A last word on file security and permissions ...

It is a very good thing that Windows Vista is finally beginning to take its own security capabilities seriously. Yes, the UAC feature, as presently implemented, backfires in situations like this one. But nonetheless, the essential notion of setting up appropriate file-security enforcement throughout your network (and on every computer attached to it) is a very important one.

Microsoft has a very well thought out network-administration architecture, and hosts many hundreds of pages of excellent documentation about system administration at various points within their web site, http://www.microsoft.com. You need to read this material! (Skip the fluffy consumer-oriented stuff and check out the topics that are addressed to system administrators.)

For some peculiar reason, Microsoft omits many of its important system-management tools from its “Home Edition” products. It's well worth the few dollars extra that the more-advanced and therefore more-complete Editions may cost, just to get your hands on those important tools and documents.

Even if your network is very small, indeed even if you have only one computer, the security features of the new releases of Windows are very important ... and, for the most part, easy to understand. In fact, intuitively speaking it all comes down to the so-called Principle of Least Privilege:

  1. Segment your users, and the roles that they play at various times. Give each user-account the least privileges needed to do their assigned task(s). Reserve the Administrator account only for the system maintenance activities which truly require it, and use it only when you're actually performing those activities. (Log on, play Superman®, then log off and return to your regular identity.)
  2. Grant access to files and other resources based on the “need to do.” There are several different types of access (such as read, write, execute, rename, create and delete), which can be granted selectively. Give users and groups of users the access that they require, but no more. (For example, ordinary users might need to use Paradox®, but they have no business being able to modify the actual program-files which constitute your copy of the Paradox application.)
  3. Remember that when you limit yourself, you protect yourself. The computer, after all, is just a machine, but it's a master at doing exactly what it has been told to do, each and every time. If you establish appropriate, voluntary limits that match “what you need to do and no more,” the computer will faithfully and quite-effectively enforce those rules ... whether the request is coming from you with your knowledge and consent, or without it. Rogue programs (“viruses”) are almost never able to exceed the access-privileges of the user who is (unintentionally...) running them.