davef22 asked:

Standard user can deny domain administrator access to local PC folder/directory?

I am managing a domain running from a Windows Server 2012 R2 computer.  A standard user was able to create a new folder on their PC and mark deny security settings to the administrator account.  Because of this, the standard user is able to hide files that are stored in this newly created folder.  Is this how a Windows Domain environment is designed to work?  Any way to prevent this "lock-out" in the future?

Paul MacDonald:

"...mark deny security settings to the administrator account."
I don't even know what this means.  Are you saying the user set NTFS permissions to "Deny" for the local administrator's group?  Even if that were the case, an administrator should be able to take ownership of the folder and change the permissions any time she liked.
Technically, if the Domain Administrators group is NOT a member of the Local Administrators group, that could happen.
One of the first things you should check is that this user is NOT an administrator of their own computer. It sounds like he/she is a hacker from the word go and will try getting away with anything and everything.

That being said it has nothing to do with a Windows Domain. It is a local PC and there is always a back door in to a local PC. They can't mess up anything you (as administrator) can't fix.

davef22 (ASKER):

The user, "Dave" does not have a local account.  The only local user to have logged into the PC has been the administrator account.  While logged in as the Domain Administrator, I tried to access the specific folder, within his user\documents folder; I was not able to.  I logged into Dave's standard, domain account on the machine and I was able to access the folder.  I could see that he had put a deny under the folder's security permissions column.  I removed the deny settings and was able to delete the folder that was previously hidden.  What have I done wrong?
Users within their own user profile, or wherever they can create folders, can set NTFS permissions. As noted, you can, as an administrator, assert your rights by taking over. Another option: on the parent folder, you can force the propagation of current permissions down to the child files and subfolders.

Logging in as the user suggests that you have their login information.


There are many ways to get this. Is there a company policy preventing users from manipulating folder permissions within their confines with the proviso that they are aware alteration could result in backup failures meaning there is a potential for data loss of.....

davef22 (ASKER):

A backup failure log is how I detected the folders that the backup application could not access.  So you are saying that I cannot limit the standard domain user from changing NTFS folder permissions?
He had just temporarily changed things. Try it again logged in as a Domain Admin. Take ownership of the folder in question. Then assign yourself rights. Domain Admins are, by default, local administrators. He can't do anything logged in as Dave from the Domain that you can't un-do logged in as a Domain Admin. You just have to brush up on your un-dos :)

Just caught your last post. Users have full control over their profile. That's just the way it is. Two comments... 1) If he is keeping critical documents from being backed up he needs to be disciplined. 2) You can overcome this, at least with Documents, by using redirected folders.

Paul MacDonald (SOLUTION): This solution is only available to members of Experts Exchange.

davef22 (ASKER):

I see that I can undo what Dave, or others could do by hiding folders.  Is there a way for me to detect any other folders like this that could be on a user's computer?
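
As an added example (not part of the original thread or any poster's answer), one way to approach the detection question above is a PowerShell sweep that reports folders carrying an explicit Deny entry, plus folders whose ACL or contents an elevated administrator cannot read. The function name `Find-DenyAce` and the default root `C:\Users` are assumptions.

```powershell
# Added example, not from the thread. Run from an elevated session.
# $Root is an assumed starting path; point it at the tree you want audited.
param([string]$Root = 'C:\Users')

function Find-DenyAce {
    param([Parameter(Mandatory)][string]$Path)

    # Enumerate directories; collect enumeration failures instead of printing them.
    $dirs = Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force `
                -ErrorAction SilentlyContinue -ErrorVariable listErrors

    foreach ($dir in $dirs) {
        try {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        } catch {
            # An administrator who cannot read the ACL is itself the signal.
            [pscustomobject]@{ Path = $dir.FullName; Finding = 'AclUnreadable'
                               Identity = $null; Rights = $null; Owner = $null }
            continue
        }

        # Explicit (non-inherited) Deny entries are the ones someone set by hand.
        $acl.Access |
            Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
            ForEach-Object {
                [pscustomobject]@{ Path     = $dir.FullName
                                   Finding  = 'ExplicitDeny'
                                   Identity = $_.IdentityReference.Value
                                   Rights   = $_.FileSystemRights
                                   Owner    = $acl.Owner }
            }
    }

    # Directories that could not be listed at all (access denied during recursion).
    foreach ($e in $listErrors) {
        [pscustomobject]@{ Path = [string]$e.TargetObject; Finding = 'ListDenied'
                           Identity = $null; Rights = $null; Owner = $null }
    }
}

Find-DenyAce -Path $Root | Sort-Object Path | Format-Table -AutoSize
```

Legacy compatibility junctions inside each profile (for example `Application Data`) carry a built-in Deny for Everyone and will appear in the output; entries naming Administrators or the backup account are the ones to follow up on.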

davef22 (ASKER):

Thank you for all your assistance!  Now I'll go deal with "Dave"