Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Members of Administrators Security Group do not inherit permissions of Group

Posted on 2010-08-25
4
Medium Priority
?
911 Views
Last Modified: 2013-12-04
On a new Windows 2008 R2 Server, I have restricted access to a folder as follows:

Administrators - Full Control (This folder, subfolders and files only)
SYSTEM - Full Control (This folder, subfolders and files only)
CREATOR OWNER - Special (full control of subfolders and files only)

SYSTEM is the Owner

The Administrator user can browse the folder no problem, however, any other members of the Administrators group cannot browse the folder and receive Access Denied.

The other users have logged off and back in again and I have restarted the server.

The User is in the same OU as the Administrator user.

When I check effective permissions on the folder it shows that the users have full access.

Does anyone have any ideas?

Thanks

Will
0
Comment
Question by:TSC70
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 85

Expert Comment

by:oBdA
ID: 33520077
Welcome to User Account Control.
User Account Control Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx

You can create another local (domain or local to the server) group "NTFS-Foldername-F" or whatever, then add the users or a global group containing these users (but NOT Admins/Domain Admins group!) to this group. This will allow you to use UAC while still having full access to the file system and without having to resort to a command line run as administrator (MS still doesn't offer a way to run Explorer with elevated permissions).
0
 

Author Comment

by:TSC70
ID: 33520216
Thanks oBdA

We had just managed to get explorer to run as admin by opening command prompt run as admin and then killing explorer and starting it from the command prompt - which solved the problem when I received your response.

Therefore, are you saying that it is necessary to add the new security group (or the users) to the folder?  I see that as a partial solution however, I have restricted many different folders and executables and this would be quite a lot of work to add the group to each location.

What I don't understand is that if the Domain Administrator user can log in and gain access to the folder, why when I copy its AD object and create a new user with the same memberships, does the new user not also have the same permissions?  Surely there must be a registry change to fix this...

Thanks

Will
0
 
LVL 85

Accepted Solution

by:
oBdA earned 2000 total points
ID: 33520409
Well, running Explorer "elevated" like this defeats the purpose of UAC, so you could just as well disable it.
It's not *necessary* to create a specific group with Full permissions for the drive/folder, but as I said, it allows you to use UAC and Explorer as before.
There are Explorer clones/replacements which you can run elevated without interfering with Explorer.
The reason why it works with the Domain Administrator is that UAC doesn't apply to the built-in administrator account. The "registry change to fix this" is obviously to disable UAC ...
0
 

Author Comment

by:TSC70
ID: 33521482
Thanks for all your help.

The solution we have used is two settings in GP:

Computer configuration-Policies-Windows Settings-Security Settings - Local Policies/Security Options:
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode: Elevate without prompting
User Account Control: Run all administrators in Admin Approval Mode: Disabled

Restarted Server
0

Featured Post

[Webinar] Lessons on Recovering from Petya

Skyport is working hard to help customers recover from recent attacks, like the Petya worm. This work has brought to light some important lessons. New malware attacks like this can take down your entire environment. Learn from others mistakes on how to prevent Petya like worms.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question