Security on folders - help me to understand

Hey

I have a 2012 R2 Server installed

(logged on as domain admin)

First I create folder "C:\MyTest" - "disable inheritance"

Add "domain\domain admins" - full control
Add "System" - full control

Remove all other rights

Add "Share - Everyone - full control"

When using explorer and click on C:\MyTest - I get "You dont currently have permissions to access this folder"

When clicking "Continue" I get access to the folder - but now my username is added to the folder permission.

Why? Why does the "domain admins" group not give me the rights?

Thanks in advance

Mike
LVL 1
mikeydkAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Peter HutchisonSenior Network Systems SpecialistCommented:
Do you try to logout and login again before trying to access the folder. This is sometimes required when changing permissions to resources including folders.
0
mikeydkAuthor Commented:
cmsxpjh> after logout and login - still the same
0
oBdACommented:
Welcome to User Account Control.
This behavior is perfectly normal when UAC is enabled (note that the message popping up is not an UAC prompt; as you've noticed, it does exactly as announced!); the Administrators group's SID is stripped from the user's security token, unless you have the respective program running elevated.
Unfortunately, there's no way to start Windows Explorer elevated using "Run as Administrator" (because it displays the desktop shell, and if you're running the shell elevated, you might just as well go ahead and disable UAC), but there are several other possibilities:
* Disable UAC on the server (sort of a last resort, actually)
* Use Powershell or a command prompt started with "Run as Administrator" and command line tools to manage NTFS permissions when administrative permissions are required (for die-hard console aficionados).
* Create a dedicated domain local group "FileServerAccess_Full" or whatever, give this group Full Control permissions for the tree, and add the users or a group (other than Domain Admins!) to this group.
* Use a third party Explorer; personally, I like http://www.freecommander.com/, but there are others as well. This can be started using "Run as...", while still having a GUI.

User Account Control
http://technet.microsoft.com/en-us/library/cc772207(WS.10).aspx
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.