• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 303
  • Last Modified:

Security on folders - help me to understand


I have a 2012 R2 Server installed

(logged on as domain admin)

First I create folder "C:\MyTest" - "disable inheritance"

Add "domain\domain admins" - full control
Add "System" - full control

Remove all other rights

Add "Share - Everyone - full control"

When using explorer and click on C:\MyTest - I get "You dont currently have permissions to access this folder"

When clicking "Continue" I get access to the folder - but now my username is added to the folder permission.

Why? Why does the "domain admins" group not give me the rights?

Thanks in advance

1 Solution
Peter HutchisonSenior Network Systems SpecialistCommented:
Do you try to logout and login again before trying to access the folder. This is sometimes required when changing permissions to resources including folders.
mikeydkAuthor Commented:
cmsxpjh> after logout and login - still the same
Welcome to User Account Control.
This behavior is perfectly normal when UAC is enabled (note that the message popping up is not an UAC prompt; as you've noticed, it does exactly as announced!); the Administrators group's SID is stripped from the user's security token, unless you have the respective program running elevated.
Unfortunately, there's no way to start Windows Explorer elevated using "Run as Administrator" (because it displays the desktop shell, and if you're running the shell elevated, you might just as well go ahead and disable UAC), but there are several other possibilities:
* Disable UAC on the server (sort of a last resort, actually)
* Use Powershell or a command prompt started with "Run as Administrator" and command line tools to manage NTFS permissions when administrative permissions are required (for die-hard console aficionados).
* Create a dedicated domain local group "FileServerAccess_Full" or whatever, give this group Full Control permissions for the tree, and add the users or a group (other than Domain Admins!) to this group.
* Use a third party Explorer; personally, I like http://www.freecommander.com/, but there are others as well. This can be started using "Run as...", while still having a GUI.

User Account Control
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now