Solved

Windows 2008 E drive access

Posted on 2009-05-15
Last Modified: 2012-05-07
Set up a new partition (E) and Users security group was a group that had full access. We allow users to remote desktop into the server to run a couple of apps. The Administrators security group on the domain has full access as well. I decided to take off the Users security group access since I don't want just anyone getting access to that drive. Not sure what that group is all about anyways. If I look at any domain account I don't see that they are part of the group, but if I look at the Users security group and look at Members I see all of the domain accounts. Anyway, I take off the Users security group and can no longer access the drive. I am an Administrator on the domain. Security says I have full access. I add the Domain Admins security group to the Security tab. Give it full access. Still nothing. I add myself with full access. I now can access the drive. What gives? It's like it doesn't recognize security groups except for the Users security group.
Question by:judsoncollege
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 24398267

You are seeing the product of UAC on a Server 2008 machine. All users by default are running under their 'Standard' user token (this includes all Administrators). If these users have any administrative privileges, they cannot use them in this mode; the user must elevate ('OK' a UAC prompt) in order to use their Admin/Domain Admin privileges.

With only Administrators on the E: drive's NTFS properties, you are unable to access this because you do not have the appropriate Admin privileges granted in your standard token. Without elevating, your account is operating as a standard account.

The workaround is to use another group - say 'IT Users' - and grant that group the same privileges as the Administrators group. Make all Admins a member of this group too, and they can then access drive E: under their standard user token.

-Matt
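
The split-token behaviour and the custom-group workaround described in this answer, as an added PowerShell example that is not part of the original post. `CONTOSO\IT Users` is a placeholder for a domain group assumed to exist already, and the `whoami` output is assumed to be English.

```powershell
# Added example. Assumptions: 'CONTOSO\IT Users' is a placeholder for an
# existing domain group; whoami output is in English.

function Test-IsElevated {
    # Returns $false under the standard (filtered) token, even for a Domain Admin.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DenyOnlyGroup {
    # Groups that are in the token but only usable to match Deny ACEs.
    # An Allow ACE for one of these groups grants nothing to this session,
    # which is why the Security tab and the actual access disagree.
    whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.Attributes -match 'deny only' } |
        Select-Object -ExpandProperty 'Group Name'
}

function Set-DriveAcl {
    # The workaround: grant a non-admin group full control, then remove the
    # Allow entries for Users (removal, not a Deny ACE).
    param(
        [string]$Path  = 'E:\',
        [string]$Group = 'CONTOSO\IT Users'   # placeholder group name
    )
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated prompt.' }
    icacls $Path /grant "${Group}:(OI)(CI)F"   # inherit to files and subfolders
    icacls $Path /remove:g 'BUILTIN\Users'     # drop granted rights only
    icacls $Path                               # print the resulting ACL
}

# Diagnose the current session (read-only).
"Elevated token in use: $(Test-IsElevated)"
"Groups marked deny-only in this token:"
Get-DenyOnlyGroup

# Apply the change only when intended, from an elevated prompt:
# Set-DriveAcl -Path 'E:\' -Group 'CONTOSO\IT Users'
```

Accounts added to the new group have to log off and back on before the membership appears in their token.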
 

Author Comment

by:judsoncollege
ID: 24403528
Do you recommend turning UAC off? Since users are remote desktopping in I don't want them to have full access to the E drive, but by default those are the permissions that the Users security group has. I have never dealt with this before so I am not sure how to limit access to the users.
 
LVL 17

Expert Comment

by:OriNetworks
ID: 24404688
I would not recommend turning off UAC as it is there for a reason even though sometimes it is more of a pain. Simply remove the group from the permissions list. Be careful to not set deny as you could lock yourself out of accessing it. Just create an additional group as previously suggested and assign permissions to that.
 
LVL 58

Expert Comment

by:tigermatt
ID: 24405426

Disabling UAC is going to have no effect on users if they do not have Administrative privileges. UAC is simply a protection mechanism for administrators, to prevent them taking action as an administrator without confirming it.

If users are not administrators, and only experienced admins will be logging into the server on an irregular basis (admins should use a standard account for daily work) then disabling UAC will not cause any problems.

However, I would suggest, instead, you simply change the groups on the drive, so Admins have access by way of another custom security group. This means UAC can remain enabled, which does add a little protection for admin users.

-Matt
 

Author Comment

by:judsoncollege
ID: 24423398
I am still confused on one thing. If I am part of the domain admins group and I add domain admins to the top level folder on E, then I would expect I can access E based on the fact that permissions say that I can. I can elevate myself so that it sees me as an admin, but what about all of our users? If my directory structure allows for group 1 to have access to E, then they should be able to see E, but I see no difference in group 1's situation and my situation. If I set permissions to allow a group to access a folder or drive then that should be all I need. It is acting like, unless I give permissions to individuals nobody can have access. Am I missing something?
 
LVL 58

Expert Comment

by:tigermatt
ID: 24425803

UAC works by giving any user with any form of Admin privileges (Domain Admins, Administrators) 2 'tokens':

- The Standard Token
- The Elevated Token

By default after logging in as an admin user, their session works in the Standard Token mode. This token has all the administrative privileges removed, effectively causing the user to act like any other user with standard access privileges.

The Elevated Token is only accessed when you press 'Continue' at a UAC prompt. The program/action taken when OK'ing a UAC prompt, if you are logged in as an admin, causes the elevated token to be used for that action/program, which *does* have the admin privileges.

Since you are granting Domain Admin privileges to the user, but they are not using their elevated token to access the folder, the Domain Admin privileges do not apply.

This is simply the fundamentals of UAC which, at present, there is no workaround for.

-Matt