Solved

Windows 2008 E drive access

Posted on 2009-05-15
Last Modified: 2012-05-07
Set up a new partition (E) and Users security group was a group that had full access. We allow users to remote desktop into the server to run a couple of apps. The Administrators security group on the domain has full access as well. I decided to take off the Users security group access since I don't want just anyone getting access to that drive. Not sure what that group is all about anyways. If I look at any domain account I don't see that they are part of the group, but if I look at the Users security group and look at Members I see all of the domain accounts. Anyway, I take off the Users security group and can no longer access the drive. I am an Administrator on the domain. Security says I have full access. I add the Domain Admins security group to the Security tab. Give it full access. Still nothing. I add myself with full access. I now can access the drive. What gives? It's like it doesn't recognize security groups except for the Users security group.
Question by:judsoncollege

Accepted Solution

by:
tigermatt earned 500 total points
ID: 24398267

You are seeing the product of UAC on a Server 2008 machine. All users by default are running under their 'Standard' user token (this includes all Administrators). If these users have any administrative privileges, they cannot use them in this mode; the user must elevate ('OK' a UAC prompt) in order to use their Admin/Domain Admin privileges.

With only Administrators on the E: drive's NTFS properties, you are unable to access this because you do not have the appropriate Admin privileges granted in your standard token. Without elevating, your account is operating as a standard account.

The workaround is to use another group - say 'IT Users' - and grant that group the same privileges as the Administrators group. Make all Admins a member of this group too, and they can then access drive E: under their standard user token.

-Matt

Author Comment

by:judsoncollege
ID: 24403528
Do you recommend turning UAC off? Since users are remote desktopping in I don't want them to have full access to the E drive, but by default that is the permissions that the Users security group has. I have never dealt with this before so I am not sure how to limit access to the users.

Expert Comment

by:OriNetworks
ID: 24404688
I would not recommend turning off UAC as it is there for a reason even though sometimes it is more of a pain. Simply remove the group from the permissions list. Be careful to not set deny as you could lock yourself out of accessing it. Just create an additional group as previously suggested and assign permissions to that.

Expert Comment

by:tigermatt
ID: 24405426

Disabling UAC is going to have no effect on users if they do not have Administrative privileges. UAC is simply a protection mechanism for administrators, to prevent them taking action as an administrator without confirming it.

If users are not administrators, and only experienced admins will be logging into the server on an irregular basis (admins should use a standard account for daily work) then disabling UAC will not cause any problems.

However, I would suggest, instead, you simply change the groups on the drive, so Admins have access by way of another custom security group. This means UAC can remain enabled, which does add a little protection for admin users.

-Matt

Author Comment

by:judsoncollege
ID: 24423398
I am still confused on one thing. If I am part of the domain admins group and I add domain admins to the top level folder on E, then I would expect I can access E based on the fact that permissions say that I can. I can elevate myself so that it sees me as an admin, but what about all of our users? If my directory structure allows for group 1 to have access to E, then they should be able to see E, but I see no difference in group 1's situation and my situation. If I set permissions to allow a group to access a folder or drive then that should be all I need. It is acting like, unless I give permissions to individuals nobody can have access. Am I missing something?

Expert Comment

by:tigermatt
ID: 24425803

UAC works by giving any user with any form of Admin privileges (Domain Admins, Administrators) 2 'tokens':

- The Standard Token
- The Elevated Token

By default after logging in as an admin user, their session works in the Standard Token mode. This token has all the administrative privileges removed, effectively causing the user to act like any other user with standard access privileges.

The Elevated Token is only accessed when you press 'Continue' at a UAC prompt. The program/action taken when OK'ing a UAC prompt, if you are logged in as an admin, causes the elevated token to be used for that action/program, which *does* have the admin privileges.

Since you are granting Domain Admin privileges to the user, but they are not using their elevated token to access the folder, the Domain Admin privileges do not apply.

This is simply the fundamentals of UAC which, at present, there is no workaround for.

-Matt
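
The workaround from the accepted answer, together with a check of which token the session is using, as an added example that is not part of the original thread. The group name `CONTOSO\IT Users` is a hypothetical placeholder, and the script assumes it is run from an elevated PowerShell prompt on the server.

```powershell
# Added example, not from the thread. 'CONTOSO\IT Users' is a hypothetical
# custom group that the admins are made members of.
$drive = 'E:\'
$group = 'CONTOSO\IT Users'

# 1. Show which token this process runs with. In a non-elevated session
#    IsInRole() returns False even for an admin account, because the
#    Administrators SID in the standard token is marked deny-only.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal -ArgumentList $identity
$elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
"Running elevated: $elevated"
if (-not $elevated) {
    throw 'Changing the ACL on the drive root needs an elevated prompt.'
}

# 2. Grant the custom group full control, inherited by subfolders and files.
$acl  = Get-Acl -Path $drive
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
            $group, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)

# 3. Remove every explicit entry for BUILTIN\Users (well-known SID S-1-5-32-545).
#    The entries are removed from the list; no Deny entry is created.
$users = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-32-545'
$acl.PurgeAccessRules($users)

Set-Acl -Path $drive -AclObject $acl

# 4. Review the resulting entries on the drive root.
(Get-Acl -Path $drive).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Accounts added to the new group pick up the membership at their next logon, since the access token is built when the session starts.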