Local Access Denied to Domain Admin

Posted on 2007-10-09
Last Modified: 2009-12-16
I ran a fresh Windows XP SP2 installation on a workstation.  During the install, I create a local account with an accompanying profile named MyLocalAccount.  I placed MyLocalAccount in the local Administrators group.  I then added the workstation to the domain.  I logged in to the workstation using my domain admin account, MyDomainAdminAccount.  I then attempted to open the profile associated with MyLocalAccount and I get an "Access is denied" message.  I don't get it.  I'm in the Domain Admins group, and I double-checked that the Domain Admins is in the local Administrators account.  Obviously, I can access the contents of the profile by logging in with MyLocalAccount, but I want to understand why MyDomainAdminAccount can't access the profile.  
Question by:jdana
    LVL 9

    Expert Comment

    Have you checked the ACL on the user's profile folder?
    Unlikely but it spring to mind so I'll throw it out there -- is the profile folder encrypted?

    How are trying to access the profile folder ... using what interface?

    Author Comment

    What does ACL stand for?  I'm simply using Windows Explorer.
    I poked around a little after I posted the question.  Turns out that the local Administrators group had no permissions on the MyLocalAccount profile folder.  This seems bizarre.  Shouldn't the local Administrators group have full permissions to all profile folders by default?  
    LVL 9

    Accepted Solution

    ACL = Access Control List ... what you referred to as 'permissions' (the Security tab lists the ACL).

    ... and yes, according to my installs, the Administrators group should have Full Control to all profile folders by default.  there's a policy, however, that controls an aspect of this related to roaming profiles so it may not be relevant -

    If you enable this setting, the administrator group is also given full control to the user's profile folder.

    If you disable or do not configure it, only the user is given full control of their user profile, and the administrators group has no file system access to this folder.

    ... this too is enabled by default but may have been altered in your build.
    LVL 2

    Expert Comment

    if you have admin rights on pc then you can take ownership of whatever you dont have rights to then give yourself rights to it....

    Expert Comment

    We are having the same problem on our new file server.  Can someone please tell me where this policy setting is?

    Featured Post

    What Should I Do With This Threat Intelligence?

    Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

    Join & Write a Comment

    I thought I'd write this up for anyone who has a request to create an anonymous whistle-blower-type submission form created using SharePoint 2010 (this would probably work the same for 2013). It's not 100% fool-proof but it's as close as you can get…
    Healthcare organizations in the United States must adhere to the guidance of both the HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) for securing and protec…
    This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

    729 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    20 Experts available now in Live!

    Get 1:1 Help Now