Domain Admin account not getting expected folder access

We have noticed when using the domain "administrator" account we can open folders (system and shares) on any server.
When we have an account joined to the domain administrators group it might be denied.  When effective permissions for that account are run, it shows access and FULL control.

There have been no recent changes and we should also not have to "share" folders out to add this user.  If a domain administrator it should have access to shares and non-shares.  Various servers have even denied administrator accounts to folders with schema admin. rights.  The account is listed and effective permissions check out.

Seems odd that the default account works well, but others made for administrators lack some access.

I think my next step is to clone the working account instead of adding a new account  to the administrators group and be careful which OU it is created in.

Thanks in advance for any tips or tools.
LVL 2
PostQAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

McKnifeCommented:
Have you been introduced to the concept of UAC yet? Well, that's it: 1 the admin token gets removed by default, even from a domain admin. 2 the account "administrator" forms an exception.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
JAN PAKULAICT Infranstructure ManagerCommented:
you could try disabling UAC via group policy - just for admin group

http://www.howtogeek.com/howto/windows-vista/disable-user-account-controluac-for-administrators-only/

might not be best solution - as it will compromise you security :)
0
StampelCommented:
My tip would be that under windows, you can go into folder prroperties and remove every owner from the security tab.
If you do so, even domain administrator cannot browse this folder untill they add themselves as folder's owner !
Try to reset owner and permissions on folders / test with new created folders to see if my tip could match.
Cheers.
0
What were the top attacks of Q1 2018?

The Threat Lab team analyzes data from WatchGuard’s Firebox Feed, internal and partner threat intelligence, and a research honeynet, to provide insightful analysis about the top threats on the Internet. Check out our Q1 2018 report for smart, practical security advice today!

McKnifeCommented:
"remove every owner" - there can only be one owner.
0
StampelCommented:
Remove every users in the security tab.
You like playing on words tonight McKnife :)
0
McKnifeCommented:
Yep.
Well this issue is old and well-known. It's been around since UAC came with vista. That's why many file server admins turn off UAC - it just annoys them.
0
PostQAuthor Commented:
I think all the suggestions have merit as I could run into any of these at any time.  Good to know and easy to overlook the simpler fixes at times.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.