• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1268
  • Last Modified:

Local Access Denied to Domain Admin

I ran a fresh Windows XP SP2 installation on a workstation.  During the install, I create a local account with an accompanying profile named MyLocalAccount.  I placed MyLocalAccount in the local Administrators group.  I then added the workstation to the domain.  I logged in to the workstation using my domain admin account, MyDomainAdminAccount.  I then attempted to open the profile associated with MyLocalAccount and I get an "Access is denied" message.  I don't get it.  I'm in the Domain Admins group, and I double-checked that the Domain Admins is in the local Administrators account.  Obviously, I can access the contents of the profile by logging in with MyLocalAccount, but I want to understand why MyDomainAdminAccount can't access the profile.  
1 Solution
Have you checked the ACL on the user's profile folder?
Unlikely but it spring to mind so I'll throw it out there -- is the profile folder encrypted?

How are trying to access the profile folder ... using what interface?
jdanaAuthor Commented:
What does ACL stand for?  I'm simply using Windows Explorer.
I poked around a little after I posted the question.  Turns out that the local Administrators group had no permissions on the MyLocalAccount profile folder.  This seems bizarre.  Shouldn't the local Administrators group have full permissions to all profile folders by default?  
ACL = Access Control List ... what you referred to as 'permissions' (the Security tab lists the ACL).

... and yes, according to my installs, the Administrators group should have Full Control to all profile folders by default.  there's a policy, however, that controls an aspect of this related to roaming profiles so it may not be relevant -

If you enable this setting, the administrator group is also given full control to the user's profile folder.

If you disable or do not configure it, only the user is given full control of their user profile, and the administrators group has no file system access to this folder.

... this too is enabled by default but may have been altered in your build.
if you have admin rights on pc then you can take ownership of whatever you dont have rights to then give yourself rights to it....
We are having the same problem on our new file server.  Can someone please tell me where this policy setting is?

Featured Post

Free recovery tool for Microsoft Active Directory

Veeam Explorer for Microsoft Active Directory provides fast and reliable object-level recovery for Active Directory from a single-pass, agentless backup or storage snapshot — without the need to restore an entire virtual machine or use third-party tools.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now