Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.
Domain Admin unable to access NTFS Drive
I have a Windows Server 2016 member server that has a C: and a F: drive.
As Part of our standard file server build we remove all permissions from the root of the F: drive except for:
SYSTEM (Full Control)
Administrators (Full Control)
I've created a new domain user 'jakeadmin' and granted it membership of the Domain Admins group.
Domain Admins is a member of the member server's local Administrators group.
When I logon (via RDP) to the member server FILESERVER-01 as the domain user 'jakeadmin' this user cannot access the F: drive. I then tried adding the Domain Admins group with full control to the root of the F: drive but my 'jakeadmin' user still cannot access the F: drive:
If I logon to Fileserver-01 as a local machine administrator I have no trouble accessing the F: drive at all.
Why can't I browse my F: drive, even if I'm in the Administrators group?
I don't see turning off UAC as a solution - It's a terrible idea..
FYI: Effective Permissions below: (As you can see, everything is OK)
As Part of our standard file server build we remove all permissions from the root of the F: drive except for:
SYSTEM (Full Control)
Administrators (Full Control)
I've created a new domain user 'jakeadmin' and granted it membership of the Domain Admins group.
Domain Admins is a member of the member server's local Administrators group.
When I logon (via RDP) to the member server FILESERVER-01 as the domain user 'jakeadmin' this user cannot access the F: drive. I then tried adding the Domain Admins group with full control to the root of the F: drive but my 'jakeadmin' user still cannot access the F: drive:
If I logon to Fileserver-01 as a local machine administrator I have no trouble accessing the F: drive at all.
Why can't I browse my F: drive, even if I'm in the Administrators group?
I don't see turning off UAC as a solution - It's a terrible idea..
FYI: Effective Permissions below: (As you can see, everything is OK)
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
@McKnife Thank you for your input -
I have deployed Windows server 2012 file servers in the past and configured them the same yet I am able to browse the drive letter in question.. I'm reluctant to changing registry entries and accessing explorer using the 'Run as' mechanism ..
all administrators should be able to access all aspects of the file server.
Really can't get my head around this one..
Thanks again
I have deployed Windows server 2012 file servers in the past and configured them the same yet I am able to browse the drive letter in question.. I'm reluctant to changing registry entries and accessing explorer using the 'Run as' mechanism ..
all administrators should be able to access all aspects of the file server.
Really can't get my head around this one..
Thanks again
It was the same since UAC came up and this behavior is normal. If it worked on 2012 then either you used the built-in account "administrator", for which UAC is non-effective or UAC was even off. The registry editing is the best way, else, you will have to use a different explorer like total commander which can be run as administrator by default, or you will need to work with the account "administrator".
So if I was to access the server with the built in domain admin account DOMAIN\Administrator I would be able to see the drive?
If that is the case, would be be best practice to create a new group called Data Managers and assign the domain admin group to that? (Or individual members?)
If that is the case, would be be best practice to create a new group called Data Managers and assign the domain admin group to that? (Or individual members?)
Yes, administrator local and domain\administrator would both work right away.
No, that would not work, since the domain admin token needs elevation. You would need to add the individual account names to that group "data managers".
No, that would not work, since the domain admin token needs elevation. You would need to add the individual account names to that group "data managers".
are you sure jack is indeed an administrator on that server, just in case, can you try to have jack setting up a dummy account or browsing the security event log ?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2016
From novice to tech pro — start learning today.
-
Windows Server 2016Certification: MCSE Microsoft Certified Systems Engineer - Identity … 440 lessons
-
Windows Server 2016Certification: MCSE Microsoft Certified Systems Engineer - Identity … 440 lessons
-
Windows Server 2016Certification: MCSE Microsoft Certified Systems Engineer - Installatio… 312 lessons
-
Windows Server 2016Certification: MCSE Microsoft Certified Systems Engineer - Networki… 282 lessons
-
Windows Server 2016Certification: MCSE Microsoft Certified Systems Engineer - Securing… 324 lessons
-
Microsoft ApplicationsCertification: MOS Microsoft Office Specialist - Outlook 2013 Par… 191 lessons
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with premium.
Start your 7-day free trial.
• start regedit.exe and go to the following key:
HKEY_CLASSES_ROOT\AppID\{C
• make a right click on Permissions and set your user as owner (click on advanced button to be able to take ownership) of the key and give your current user writing permissions.
• Next, rename the value RunAs to _Runas
Afterwards, you can righ clck explorer.exe and choose "run as administrator" and the problem is solved.