Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

NTFS permission issue - Domain Admins group

Posted on 2012-03-12
6
Medium Priority
?
2,917 Views
Last Modified: 2012-03-21
Hi,

I am a member of the "Domain Admins" group in AD (we've got MS Windows 2008 Servers).

The group "Domain Admins" has full NTFS Permissions to our Data File Server's D: Drive and all it's subfolders.

When I login to the File Server and I click on any folder under d: it comes up with "Access Denied".

If I right-click, properties on the folder and go to the "NTFS" TAB it shows a message "To continue, you must be an administrative user with permissions to view the object's security properties" and gives a "continue" button, when I click this button it does show me the permissions of the folder and in there the "Domain Admins" group has full rights to the folder (inherited from the root of the drive, and is set to "this folder, subfolder and files")...

For what it's worth I did switch on Folder Enumeration but this should only hide folders where I've got no permissions and not deny access to visible folders where I've got full rights.

When I add myself directly to the folder with full rights it works fine, but somehow it's ignoring the fact that I am a member of Domain Admins and should through that membership have full rights to the content of the folder.

Any ideas on this strange phenomenon for 500 points... ?

Thanks,
Reinhard
0
Comment
Question by:ReinhardRensburg
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 8

Expert Comment

by:Elmar Koschka
ID: 37709078
You tried to disable UAC and Reboot ?!
0
 

Author Comment

by:ReinhardRensburg
ID: 37709097
Hi Elmar-H,

This is on the File Server itself where all the users' directories and shared directories are located, wouldn't want to disable UAC on the Server unless there's a good reason for this.

The "click continue" to view the permissions is not the thing botherhing me but rather the fact that I am a Domain Admin and cannot see data where "domain admins" have full rights.

Thanks,
Reinhard
0
 
LVL 8

Expert Comment

by:Elmar Koschka
ID: 37709103
yes shure, but for testing short deactivate uac.
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 3

Expert Comment

by:awender2
ID: 37709773
Obviously you don't have full access. If you click on the continue button, you are added to the security tab, even if you were not added before.

Try it with some folder where you set access to just one user. If you click on continue, you'll be added.
0
 
LVL 85

Accepted Solution

by:
oBdA earned 2000 total points
ID: 37726966
The "issue" is definitely UAC. UAC strips away the Administrator SID from your security token (except for the default admin account) while you're not working with elevated rights, so when you browse to a folder in Explorer, your membership in Domain Admins is worth nothing (that's what UAC is all about).
The "Click to continue" should, well, "bother" you--don't click it, it will add your account explicitly to the ACL; on a larger file structure, this can take quite some time, and might leave you with unintended permissions.
Ways around this:
Don't use "Domain Admins" (exclusively) to control full access; create a domain local group "FileAdmins" or whatever, give this group Full Access for the whole structure, and add the user accounts (or a global group with file admin accounts other than "Domain Admins") to this group.
Use a command window started with "Run as administrator"
Use an Explorer Clone; unlike Windows Explorer, you can start them using "Run as administrator", then you'll have full access as well as a GUI. Personally, I like FreeCommander (http://www.freecommander.com/), but there are others as well.
Disable UAC (which, according to your former comment, is not an option ...)
0
 

Author Comment

by:ReinhardRensburg
ID: 37751101
Dear oBdA,

Thank you so much for the detailed reply, that is exactly what I needed to know, all makes 100% sense now.

You are 100% correct, when I used to login as the real "Administrator" account (that came STD with AD) it never used to give me issues browsing the file structure, so the UAC is definitely the cause of this.

In your opinion is it not a "security risk" disabling UAC on Member Servers and Domain controllers? I would think it must be because it's there for a reason, so I'd rather go the other route you mentioned whereby I create local groups on the Servers and give them full rigts to the file structure then add my account to that group, sounds the safest to me.

Thanks again for the detailed explaination in your previous post, much appreciated.

Reinhard.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
Let's recap what we learned from yesterday's Skyport Systems webinar.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question