Reinhard Rensburg
asked on
NTFS permission issue - Domain Admins group
Hi,
I am a member of the "Domain Admins" group in AD (we've got MS Windows 2008 Servers).
The group "Domain Admins" has full NTFS Permissions to our Data File Server's D: Drive and all its subfolders.
When I log in to the File Server and I click on any folder under d: it comes up with "Access Denied".
If I right-click, properties on the folder and go to the "NTFS" TAB it shows a message "To continue, you must be an administrative user with permissions to view the object's security properties" and gives a "continue" button, when I click this button it does show me the permissions of the folder and in there the "Domain Admins" group has full rights to the folder (inherited from the root of the drive, and is set to "this folder, subfolder and files")...
For what it's worth I did switch on Folder Enumeration but this should only hide folders where I've got no permissions and not deny access to visible folders where I've got full rights.
When I add myself directly to the folder with full rights it works fine, but somehow it's ignoring the fact that I am a member of Domain Admins and should through that membership have full rights to the content of the folder.
Any ideas on this strange phenomenon for 500 points... ?
Thanks,
Reinhard
Have you tried disabling UAC and rebooting?
ASKER
Hi Elmar-H,
This is on the File Server itself where all the users' directories and shared directories are located, wouldn't want to disable UAC on the Server unless there's a good reason for this.
The "click continue" to view the permissions is not the thing bothering me but rather the fact that I am a Domain Admin and cannot see data where "domain admins" have full rights.
Thanks,
Reinhard
Yes, sure, but for testing, briefly deactivate UAC.
Obviously you don't have full access. If you click on the continue button, you are added to the security tab, even if you were not added before.
Try it with some folder where you set access to just one user. If you click on continue, you'll be added.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Dear oBdA,
Thank you so much for the detailed reply, that is exactly what I needed to know, all makes 100% sense now.
You are 100% correct, when I used to log in as the real "Administrator" account (that came STD with AD) it never used to give me issues browsing the file structure, so the UAC is definitely the cause of this.
In your opinion is it not a "security risk" disabling UAC on Member Servers and Domain controllers? I would think it must be because it's there for a reason, so I'd rather go the other route you mentioned whereby I create local groups on the Servers and give them full rights to the file structure then add my account to that group, sounds the safest to me.
Thanks again for the detailed explanation in your previous post, much appreciated.
Reinhard.
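The route described in the last post (a dedicated local group with full rights on the data drive, leaving UAC enabled), sketched as an added example that is not part of the thread. The group name, the account name and the English `whoami` attribute text are assumptions; steps 2 and 3 must be run from an elevated prompt.

```powershell
# Assumed values (not from the thread): adjust before use.
$Group   = 'FileServer-DataAdmins'     # hypothetical local group on the file server
$Account = 'EXAMPLE\reinhard-admin'    # placeholder domain account
$Root    = 'D:\'                       # data drive named in the question

# 1. Diagnose: list groups that the current (non-elevated) token carries as
#    "deny only". With UAC on, Allow ACEs granted to these groups are ignored
#    until the process is elevated, which matches the "Access Denied" symptom.
whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.Attributes -match 'deny only' } |
    Select-Object 'Group Name', SID

# 2. Create a local group that UAC does not filter and add the admin account.
net localgroup $Group /add
net localgroup $Group $Account /add

# 3. Grant the group Full control on the root, inherited by subfolders (CI)
#    and files (OI), the same scope the question describes for Domain Admins.
icacls $Root /grant "${Group}:(OI)(CI)F"

# 4. Verify the new ACE, then log off and on so the token picks up the group.
icacls $Root | Select-String -SimpleMatch $Group
```

Membership of the new group is now equivalent to full control of the data, so it should be audited like an administrative group.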