TSC70 asked:

Members of Administrators Security Group do not inherit permissions of Group

On a new Windows 2008 R2 Server, I have restricted access to a folder as follows:

Administrators - Full Control (This folder, subfolders and files only)
SYSTEM - Full Control (This folder, subfolders and files only)
CREATOR OWNER - Special (full control of subfolders and files only)

SYSTEM is the Owner

The Administrator user can browse the folder with no problem; however, any other members of the Administrators group cannot browse the folder and receive Access Denied.

The other users have logged off and back in again and I have restarted the server.

The User is in the same OU as the Administrator user.

When I check effective permissions on the folder it shows that the users have full access.

Does anyone have any ideas?

Thanks

Will
oBdA

Welcome to User Account Control.
User Account Control Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx

You can create another local (domain or local to the server) group "NTFS-Foldername-F" or whatever, then add the users or a global group containing these users (but NOT Admins/Domain Admins group!) to this group. This will allow you to use UAC while still having full access to the file system and without having to resort to a command line run as administrator (MS still doesn't offer a way to run Explorer with elevated permissions).
TSC70 (ASKER)

Thanks oBdA

We had just managed to get Explorer to run as admin, by opening a command prompt with "Run as administrator" and then killing Explorer and starting it from that command prompt, which solved the problem, when I received your response.

Therefore, are you saying that it is necessary to add the new security group (or the users) to the folder? I see that as a partial solution; however, I have restricted many different folders and executables, and it would be quite a lot of work to add the group to each location.

What I don't understand is that if the Domain Administrator user can log in and gain access to the folder, why when I copy its AD object and create a new user with the same memberships, does the new user not also have the same permissions?  Surely there must be a registry change to fix this...

Thanks

Will
ASKER CERTIFIED SOLUTION
oBdA

This solution is only available to members.
TSC70 (ASKER)

Thanks for all your help.

The solution we have used is two settings in GP:

Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - Security Options:
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode: Elevate without prompting
User Account Control: Run all administrators in Admin Approval Mode: Disabled

Restarted Server
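
The two Group Policy settings named above are stored as the registry values `EnableLUA` and `ConsentPromptBehaviorAdmin`. The read-only PowerShell check below is an added example, not code from this thread; it reports those values, plus `FilterAdministratorToken` (which governs the built-in Administrator account), and whether the Administrators group is enabled in the current process token. It assumes the default policy key location and is written to run on the PowerShell 2.0 shipped with Windows Server 2008 R2.

```powershell
# Added example: report the UAC policy state that decides whether members of
# Administrators receive a filtered token. Read-only; it changes nothing.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $key

# Registry value -> "User Account Control:" policy name in Security Options
$policyNames = @{
    EnableLUA                  = 'Run all administrators in Admin Approval Mode'
    ConsentPromptBehaviorAdmin = 'Behavior of the elevation prompt for administrators'
    FilterAdministratorToken   = 'Admin Approval Mode for the Built-in Administrator account'
}
foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'FilterAdministratorToken') {
    $value = $uac.$name
    if ($null -eq $value) { $value = '(not set)' }
    '{0,-27} = {1,-9}  {2}' -f $name, $value, $policyNames[$name]
}

# IsInRole returns False when Administrators is present only as a deny-only
# group, which is the case for a non-elevated process under Admin Approval Mode.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
$enabled   = $principal.IsInRole($adminRole)
"Token for $($identity.Name): Administrators enabled = $enabled"

if ($uac.EnableLUA -eq 0) {
    'Admin Approval Mode is OFF: every administrator process runs with the full token.'
} elseif (-not $enabled) {
    'Administrators is not enabled in this token (filtered, or the user is not a member):'
    'an ACL that grants access only through Administrators will deny this process.'
}
if ($uac.EnableLUA -ne 0 -and $uac.ConsentPromptBehaviorAdmin -eq 0) {
    'Elevation requests are approved silently (Elevate without prompting).'
}
```

Running it once from a normal prompt and once from a "Run as administrator" prompt shows the difference between the filtered and the full token for the same user.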