Solved

Domain Admin account not getting expected folder access

Posted on 2014-10-28
Last Modified: 2014-10-28
We have noticed when using the domain "administrator" account we can open folders (system and shares) on any server.
When we have an account joined to the domain administrators group it might be denied.  When effective permissions for that account are run, it shows access and FULL control.

There have been no recent changes and we should also not have to "share" folders out to add this user.  If a domain administrator it should have access to shares and non-shares.  Various servers have even denied administrator accounts to folders with schema admin. rights.  The account is listed and effective permissions check out.

Seems odd that the default account works well, but others made for administrators lack some access.

I think my next step is to clone the working account instead of adding a new account to the administrators group and be careful which OU it is created in.

Thanks in advance for any tips or tools.
0
Question by:PostQ
8 Comments
 
LVL 56

Accepted Solution

by:
McKnife earned 668 total points
ID: 40409545
Have you been introduced to the concept of UAC yet? Well, that's it: 1) the admin token gets removed by default, even from a domain admin. 2) the account "administrator" forms an exception.
0
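Added example (not part of the original thread): a PowerShell check that shows whether the current logon is running with the UAC-filtered token described in the accepted answer, and what the local UAC policy says about the built-in Administrator exception. It assumes an English-language Windows install, because it matches the column names and attribute text printed by `whoami /groups`.

```powershell
# Added example: is this session using a UAC-filtered (non-elevated) admin token?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
$adminSid = New-Object Security.Principal.SecurityIdentifier('S-1-5-32-544')

# True only when the Administrators SID is *enabled* in the token, i.e. the
# process is elevated or UAC filtering does not apply to this account.
$sidEnabled = $principal.IsInRole($adminSid)

# whoami still lists the SID when it is kept in the token for deny checks only.
# Assumption: English column names ("SID", "Attributes") in the CSV output.
$row = whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.SID -eq $adminSid.Value }

# Local UAC policy values. EnableLUA = 1 means UAC is on.
# FilterAdministratorToken absent or 0 means the built-in Administrator
# account is not filtered, which is the exception named in the answer.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $key

# Member of Administrators, but the SID is not enabled => filtered token.
$filtered = [bool]$row -and -not $sidEnabled

[pscustomobject]@{
    User                     = $identity.Name
    AdministratorsSidInToken = [bool]$row
    AdministratorsSidEnabled = $sidEnabled
    TokenAttributes          = $row.Attributes
    FilteredToken            = $filtered
    EnableLUA                = $pol.EnableLUA
    FilterAdministratorToken = $pol.FilterAdministratorToken
} | Format-List

if ($filtered) {
    # ACEs that grant access to Administrators are skipped for a deny-only SID,
    # so folder access is refused until the process is started elevated.
    Write-Warning 'Administrators SID is deny-only: run elevated to use admin ACEs.'
}
```

Run it once from a normal prompt and once from a prompt started with "Run as administrator" under the same domain admin account; `FilteredToken` should change from True to False.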
 
LVL 14

Assisted Solution

by:JAN PAKULA
JAN PAKULA earned 668 total points
ID: 40409569
You could try disabling UAC via group policy - just for the admin group.

http://www.howtogeek.com/howto/windows-vista/disable-user-account-controluac-for-administrators-only/

Might not be the best solution - as it will compromise your security :)
0
 
LVL 7

Assisted Solution

by:Stampel
Stampel earned 664 total points
ID: 40409584
My tip would be that under Windows, you can go into folder properties and remove every owner from the security tab.
If you do so, even domain administrators cannot browse this folder until they add themselves as the folder's owner!
Try to reset owner and permissions on folders / test with new created folders to see if my tip could match.
Cheers.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40409603
"remove every owner" - there can only be one owner.
0
 
LVL 7

Expert Comment

by:Stampel
ID: 40409620
Remove every user in the security tab.
You like playing on words tonight McKnife :)
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40409624
Yep.
Well, this issue is old and well-known. It's been around since UAC came with Vista. That's why many file server admins turn off UAC - it just annoys them.
0
 
LVL 2

Author Closing Comment

by:PostQ
ID: 40409639
I think all the suggestions have merit as I could run into any of these at any time.  Good to know and easy to overlook the simpler fixes at times.
0

Question has a verified solution.