Solved

Windows 2008 E drive access

Posted on 2009-05-15
Last Modified: 2012-05-07
Set up a new partition (E) and Users security group was a group that had full access. We allow users to remote desktop into the server to run a couple of apps. The Administrators security group on the domain has full access as well. I decided to take off the Users security group access since I don't want just anyone getting access to that drive. Not sure what that group is all about anyways. If I look at any domain account I don't see that they are part of the group, but if I look at the Users security group and look at Members I see all of the domain accounts. Anyway, I take off the Users security group and can no longer access the drive. I am an Administrator on the domain. Security says I have full access. I add the Domain Admins security group to the Security tab. Give it full access. Still nothing. I add myself with full access. I now can access the drive. What gives? It's like it doesn't recognize security groups except for the Users security group.
Question by:judsoncollege

Accepted Solution

by:
tigermatt earned 500 total points
ID: 24398267

You are seeing the product of UAC on a Server 2008 machine. All users by default are running under their 'Standard' user token (this includes all Administrators). If these users have any administrative privileges, they cannot use them in this mode; the user must elevate ('OK' a UAC prompt) in order to use their Admin/Domain Admin privileges.

With only Administrators on the E: drive's NTFS properties, you are unable to access this because you do not have the appropriate Admin privileges granted in your standard token. Without elevating, your account is operating as a standard account.

The workaround is to use another group - say 'IT Users' - and grant that group the same privileges as the Administrators group. Make all Admins a member of this group too, and they can then access drive E: under their standard user token.

-Matt
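
The workaround from this answer written out as commands; this is an added example, not part of the original post. `CONTOSO` is a placeholder domain name, and the 'IT Users' group is assumed to exist already with the admin accounts as members.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt on the server.
# Assumptions: 'CONTOSO' is a placeholder domain name, and the 'IT Users' group
# suggested in the answer already exists and contains the admin accounts.
$drive = 'E:\'
$group = 'CONTOSO\IT Users'

# 1. Inspect the current token. Under UAC the unelevated (standard) token lists
#    BUILTIN\Administrators (SID S-1-5-32-544) as "Group used for deny only",
#    so an Allow entry for Administrators on E: is ignored for that token.
#    Run this line in a non-elevated prompt as well to compare the two tokens.
whoami /groups | Select-String -SimpleMatch 'S-1-5-32-544'

# 2. Grant the custom group Full control on the drive root, inherited by
#    subfolders (CI) and files (OI). Grant first and remove second, so the
#    admins keep a working path to the drive throughout.
icacls $drive /grant "${group}:(OI)(CI)F"

# 3. Remove the Allow entries for the local Users group. This uses /remove:g
#    (drop granted entries), not /deny: a Deny entry on Users would also lock
#    out the admins, who are members of Users too.
icacls $drive /remove:g 'BUILTIN\Users'

# 4. Review the resulting ACL.
icacls $drive
```

Group membership is read into the token at logon, so accounts newly added to the group need to log off and back on before the grant applies to them.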

Author Comment

by:judsoncollege
ID: 24403528
Do you recommend turning UAC off? Since users are remote desktopping in I don't want them to have full access to the E drive, but by default that is the permissions that the Users security group has. I have never dealt with this before so I am not sure how to limit access to the users.

Expert Comment

by:OriNetworks
ID: 24404688
I would not recommend turning off UAC as it is there for a reason even though sometimes it is more of a pain. Simply remove the group from the permissions list. Be careful to not set deny as you could lock yourself out of accessing it. Just create an additional group as previously suggested and assign permissions to that.

Expert Comment

by:tigermatt
ID: 24405426

Disabling UAC is going to have no effect on users if they do not have Administrative privileges. UAC is simply a protection mechanism for administrators, to prevent them taking action as an administrator without confirming it.

If users are not administrators, and only experienced admins will be logging into the server on an irregular basis (admins should use a standard account for daily work) then disabling UAC will not cause any problems.

However, I would suggest, instead, you simply change the groups on the drive, so Admins have access by way of another custom security group. This means UAC can remain enabled, which does add a little protection for admin users.

-Matt

Author Comment

by:judsoncollege
ID: 24423398
I am still confused on one thing. If I am part of the domain admins group and I add domain admins to the top level folder on E, then I would expect I can access E based on the fact that permissions say that I can. I can elevate myself so that it sees me as an admin, but what about all of our users? If my directory structure allows for group 1 to have access to E, then they should be able to see E, but I see no difference in group 1's situation and my situation. If I set permissions to allow a group to access a folder or drive then that should be all I need. It is acting like, unless I give permissions to individuals nobody can have access. Am I missing something?

Expert Comment

by:tigermatt
ID: 24425803

UAC works by giving any user with any form of Admin privileges (Domain Admins, Administrators) 2 'tokens':

- The Standard Token
- The Elevated Token

By default after logging in as an admin user, their session works in the Standard Token mode. This token has all the administrative privileges removed, effectively causing the user to act like any other user with standard access privileges.

The Elevated Token is only accessed when you press 'Continue' at a UAC prompt. The program/action taken when OK'ing a UAC prompt, if you are logged in as an admin, causes the elevated token to be used for that action/program, which *does* have the admin privileges.

Since you are granting Domain Admin privileges to the user, but they are not using their elevated token to access the folder, the Domain Admin privileges do not apply.

This is simply the fundamentals of UAC which, at present, there is no workaround for.

-Matt