Windows 2008 E drive access

Setup a new partition (E) and Users security group was a group that had full access. We allow users to remote desktop into the server to run a couple of apps. The Administrators security group on the domain has full access as well. I decided to take off the Users security group access since I don't want just anyone getting access to that drive. Not sure what that group is all about anyways. If I look at any domain account I don't see that they are part of the group, but if I look at the Users security group and look at Members I see all of the domain accounts. Anyway, I take off the Users security group and can no longer access the drive. I am an Administrator on the domain. Security says I have full access. I add the Domain Admins security group to the Security tab. Give it full access. Still nothing. I add myself with full access. I now can access the drive. What gives? It's like it doesn't recognize security groups except for the Users security group.
judsoncollegeAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

tigermattCommented:

You are seeing the product of UAC on a Server 2008 machine. All users by default are running under their 'Standard' user token (this includes all Administrators). If these users have any administrative privileges, they cannot use them in this mode; the user must elevate ('OK' a UAC prompt) in order to use their Admin/Domain Admin privileges.

With only Administrators on the E: drive's NTFS properties, you are unable to access this because you do not have the appropriate Admin privileges granted in your standard token. Without elevating, your account is operating as a standard account.

The workaround is to use another group - say 'IT Users' - and grant that group the same privileges as the Administrators group. Make all Admins a member of this group too, and they can then access drive E: under their standard user token.

-Matt
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
judsoncollegeAuthor Commented:
Do you recommend turning UAC off? Since users are remote desktoping in I don't want them to have full access to the E drive, but by default that is the permissions that the Users security group has. I have never dealt with this before so I am not sure how to limit access to the users.
0
OriNetworksCommented:
I would not recommend turning off UAC as it is there for a reason eventhough sometimes it is more of a pain. SImply remove the group from the permissions list. Be careful to not set deny as you could lock yourself out of accessing it. Just create an additional group as previously suggested and assign permissions to that.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

tigermattCommented:

Disabling UAC is going to have no effect on users if they do not have Administrative privileges. UAC is simply a protection mechanism for administrators, to prevent them taking action as an administrator without confirming it.

If users are not administrators, and only experienced admins will be logging into the server on an irregular basis (admins should use a standard account for daily work) then disabling UAC will not cause any problems.

However, I would suggest, instead, you simply change the groups on the drive, so Admins have access by way of another custom security group. This means UAC can remain enabled, which does add a little protection for admin users.

-Matt
0
judsoncollegeAuthor Commented:
I am still confused on one thing. If I am part of the domain admins group and I add domain admins to the top level folder on E, then I would expect I can access E based on the fact that permissions say that I can. I can elevate myself so that it sees me as an amdin, but what about all of our users? If my directory structure allows for group 1 to have access to E, then they should be able to see E, but I see no difference in group 1's situation and my situation. If I set permissions to allow a group to access a folder or drive then that should be all I need. It is acting like, unless I give permissions to individuals nobody can have access. Am I missing something?
0
tigermattCommented:

UAC works by giving any user with any form of Admin privileges (Domain Admins, Administrators) 2 'tokens':

- The Standard Token
- The Elevated Token

By default after logging in as an admin user, their session works in the Standard Token mode. This token has all the administrative privileges removed, effectively causing the user to act like any other user with standard access privileges.

The Elevated Token is only accessed when you press 'Continue' at a UAC prompt. The program/action taken when OK'ing a UAC prompt, if you are logged in as an admin, causes the elevated token to be used for that action/program, which *does* have the admin privileges.

Since you are granting Domain Admin privileges to the user, but they are not using their elevated token to access the folder, the Domain Admin privileges do not apply.

This is simply the fundamentals of UAC which, at present, there is no workaround for.

-Matt
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.