Local Admin Account gets"Access Denied"

On a Windows 2008 R2 server I have two local accounts, the Local administrator account and Local Test account. The local Test account is a member of the local administrators group.

 The server has 3 local drives C:\, F:\ and G:\. The Local administrator account has no problems accessing all three local drives. The local Test account has no problems accessing local drives C: and G:, however every time I try to access local drive (F:) using the Local Test account I get Access denied even though the local test account is a member of the local administrators group.

What can cause the local Test account to be denied access to local drive (F:) ?
ei00004Network AdministratorAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Kash2nd Line EngineerCommented:
can you see the test admin in security full access permissions on the drive properties?
gilnovSystems AdministratorCommented:
Two possible scenarios come to mind: 1) the F drive is shared with more restrictive permissions (when share permissions conflict with NTFS permissions, the more restrictive permissions prevail), 2) share or NTFS permissions allow DOMAIN admins access but not local admins.
gilnovSystems AdministratorCommented:
Scratch that. I misread the question. I was thinking one account was a domain admin but I see both are local admins. I would still examine NTFS vs share permissions on the top level of the F drive as well as any group membership differences between the two accounts.
OWASP Proactive Controls

Learn the most important control and control categories that every architect and developer should include in their projects.

ei00004Network AdministratorAuthor Commented:
Kash - The Test admin does not have access permission to the drive, but the local administrators group has full permissions to the drive in which test is a member.

Gilnov - Yes they are both local accounts, I'm re-checking the perms now. Not sure why the local administrators group is not giving the Test account full perms to the drive. The local administrators group has full permissions to the drive.
gilnovSystems AdministratorCommented:
Check group memberships on both accounts. Test may be in a group which local admin is not that is more restrictive on F (most restrictive permissions prevail).
ei00004Network AdministratorAuthor Commented:
Gilnov - re-checked, Test is a member of the local administrators group only, same as the local administrators account. I'm restarting the server now.
gilnovSystems AdministratorCommented:
Which will log out both accounts and give new security tokens with new access permissions.
ei00004Network AdministratorAuthor Commented:
Ok restarting the server changed nothing. So I tried giving the Test account FULL perms to the F:\ drive (in addition to it already being a member of the local administrators group which has FULL perms). Now the Test account can access the F:\ drive's root level folders, however when I try to access subfolders and files I get the error message:

You don't currently have permission to access this folder.
Click "Continue" to permanently get access to this folder.

Once I click "Continue", it then gives Test access to the subfolders below the root folder.
gilnovSystems AdministratorCommented:
Is F being shared?
ei00004Network AdministratorAuthor Commented:
The root of F is not, just the standard admin share (F$). However there are several folders on F that ARE shared.
gilnovSystems AdministratorCommented:
Hmmmm....what SHARE permissions (as opposed to NTFS) does test admin have on F?
ei00004Network AdministratorAuthor Commented:
I just created Test account and added it to the local administrators group so I don't think it has any share permissions. I also like to add that the F and G drives are local attached via iSCSI Array, not physical drives located inside the server. Also the data on the F and G drives are Robo-copied from a primary server . But the local Test account had no problems accessing the G drive, so F should be similar.
gilnovSystems AdministratorCommented:
Have you checked permissions in the iSCSI Array filesystem? If the Robocopy job is copying permissions from another location, your test account will need to be included on the original filesystem.
ei00004Network AdministratorAuthor Commented:
I used the Robocopy switch that copies the files and folder permissions from the primary server, so the permissions should be (and they are) the same. The Test account does not exist on the original filesystem, but (I thought) adding it to the local administrators group should give it full perms to all folders.

Sorry to make this so convoluted by throwing in Robocope and the iSCSI array. However I think I've found a fix. I can run the Subinacl command on this server and force it to give the Test account FULL perms to all files and folders.

Subinacl /subdirectories F:\*.* /grant=test_account=F

I've tested it on a few folders with several subfolders that I could not access before using the test account, now I have full access to them.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
gilnovSystems AdministratorCommented:
I'm not terribly familiar with Robocopy but won't you have to run subinacl every time robocopy updates the F drive because it will reset permissions? Either that or the test account will be denied access to any new files and folders created after today. Does Robocopy let you assign permissions when it runs jobs or just copy/not copy existing permissions? I'm really not sure you how you can add a Windows local account to an iSCSI array file system. Do either of the Windows local admin accounts have permissions set on the original file system?

Another thought: the built-in administrator account has some default permissions that aren't conferred by membership in the local admin group. I suspect if you were to conduct and experiment and remove the default admin account from the local admin group it would still be able to access the files on F.

Have you looked at Effective permissions for the test and default admin accounts on the F drive and some sub folders? How do they compare?
ei00004Network AdministratorAuthor Commented:
Q: Won't you have to run subinacl every time robocopy updates the F drive because it will reset permissions?
A: Good question, I'm not sure at this point, I know it's not resetting the perms for the local administrator. Guess I'll find out soon.

Q: Does Robocopy let you assign permissions when it runs jobs or just copy/not copy existing permissions?
A: I know it can copy/not copy existing permissions, I don't think it can actually assign perms.

Q: I'm really not sure you how you can add a Windows local account to an iSCSI array file system.
A: The iSCSI array shows up in the server O.S. as a hard drive, the server addresses it just like any local hard drive. You assign perms just like you would to any Windows filesystem.

Q: Do either of the Windows local admin accounts have permissions set on the original file system?
A: Nope, the local administrators account and test account exist only on the local server. Remember these are local admin accounts. They should have rights granted to anything placed on that drive. Same as if I copied a file to your computer, you would have rights to it.

Q: I suspect if you were to conduct and experiment and remove the default admin account from the local admin group it would still be able to access the files on F.
A: That's possible, I don't want to take a chance on breaking it since the local admin account works.

Q: Have you looked at Effective permissions for the test and default admin accounts on the F drive and some sub folders? How do they compare?
A: The local admin account has full rights to any subfolder or file I choose to look at. However the local test account did not, but the local admins group does. That's the part I don't understand, since the local test account is in the local admin group.
gilnovSystems AdministratorCommented:
That just doesn't make sense. Try taking test out of local admin group, reboot the server, login with default admin account, add test back to local admin group, reboot and test access.
ei00004Network AdministratorAuthor Commented:
I will try that if I get the "Access Denied" error again. But for now the Subinacl command resolved the issue.
Thanks for all your help.
gilnovSystems AdministratorCommented:
No problem. Good luck.
ei00004Network AdministratorAuthor Commented:
My own comment was a workaround solution.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.