Unable to view all folders in shared drive unless local admin access provided to machine

I have domain users that randomly log in to various workstations within their company. When they log in to Windows, the profile sets up and all the mappings are set up; however, when they open one of the shared drives the script maps, they normally can only see partial folders within that drive. If they are given local admin access to the machine, reboot, and then reopen the shared drive the script maps, all the folders appear and are accessible. Any idea how to fix this?

Distinguished Expert 2019

Commented:
When you give them local admin permissions, how do you proceed: do you add them to a local group, or to a domain group that is part of the local Administrators group? If the latter, the phenomenon could possibly be explained if access-based enumeration is in use at the server.
Andrew N. Kowtalo, Support Center Engineer

Author

Commented:
It's 100% strange, but I add their domain login to the local Administrators group. The hard part is this company has no management over any of their employees and they just log in willy-nilly to whatever machine is free and expect to see everything in the data folder.

Is there something I can add to the login script from AD that would give their profile local admin access to the machine instead of having to manually add them to the group each time they log in to the machine to fix this? I do not feel this is secure, but I think local admin is needed for a lot of functionality at this company.
Distinguished Expert 2019

Commented:
"local admin is needed for a lot of functionality at this company" - normally, it is not, so you should investigate before you follow that thought any further.

Shares do not care whether someone is local admin or not; they are not on your machine.
If you had said "for a test, I made him domain admin" (ouch!), I would have told you that access-based enumeration is the reason, since domain admins will be admins at the file server and thus see all folders within a share with access-based enumeration.
Andrew N. Kowtalo, Support Center Engineer

Author

Commented:
This company uses an EMR application that requires local admin rights. Again, I need to know why when they log in they only see partial folders under their shared data drive, and when they are given local admin to the machine they can then see all the folders. It doesn't make sense to me. I don't know where to look.
Andrew N. Kowtalo, Support Center Engineer

Author

Commented:
Also, the server where these shared drives are mapped to is 2008.
Distinguished Expert 2019

Commented:
Let's get back to your "It's 100% strange, but I add their domain login to the local Administrators group" - the admin groups of what system are you talking about, of the server or of the client?
Andrew N. Kowtalo, Support Center Engineer

Author

Commented:
As I stated, after adding their domain login to the local Administrators group of the machine, the folder contents within the share then list all the folders within that share. If I remove their local admin access from the machine's Administrators group, reboot, and they log back in, they can only see partial folders. I know local admin shouldn't have anything to do with that, but obviously something is botched somewhere, which is why this is happening. I just don't know where.
Distinguished Expert 2019

Commented:
What machine? Client or server?
Andrew N. Kowtalo, Support Center Engineer

Author

Commented:
The machine I am referring to is the client workstation. These users do not have their own workstations, so they just log in to whatever machine is available. It's a 100% permissions problem. I am assuming this is a permissions issue on the folder itself.

Let me also make it clear we inherited this problem from a previous I.T. company when we took over. They have had folder permissions so screwed up that we have been in a nonstop fixing phase putting things right.
Distinguished Expert 2019

Commented:
There is no way to explain that behavior.

Please retry on a clean Win10 without any software, just Windows installed and domain joined.
Andrew N. Kowtalo, Support Center Engineer

Author

Commented:
Thanks for the feedback. These are 65 brand new Windows 10 Pro machines out of the box. It is happening on every machine. It's a permissions issue from the domain. Somehow enabling local admin on the workstation changes the view in the folder.
Distinguished Expert 2019

Commented:
You keep repeating that. Sorry, it cannot be explained; there is no setting to change that, so you have either some 3rd-party software interference or you are not aware of all factors in play.
Andrew N. Kowtalo, Support Center Engineer

Author

Commented:
Yes, exactly. I am not. Perhaps local administrator per policy somewhere ties to domain policy and provides domain admin. That's why I am stating I am unsure where to look. This entire process is going to be redone eventually. We are just trying to somewhat get it stable for now.
Distinguished Expert 2019

Commented:
"Perhaps local administrator per policy somewhere ties to domain policy and provides domain admin." - no, there's no such tie in place. The local membership does not interest anywhere but locally.
Andrew N. Kowtalo, Support Center Engineer

Author

Commented:
Yes, that may be the case; however, there are several administrator/group administrator accounts on the domain that had security groups within groups that gave out these levels of access. I have since removed them all, but obviously something is still linked somewhere.
Distinguished Expert 2019

Commented:
On the domain, you cannot add local admins to any domain resources like shares. It can't be done, there is nothing that you are missing.
Again:
- rule out 3rd party software interference
- review it again in case you missed something obvious
Andrew N. Kowtalo, Support Center Engineer

Author

Commented:
I know they do not run any third party software. I am wondering if I should change the login script to map to a different script than the one she is using. The logon script in AD may have a limited view versus the other one. Let me test something quick.
David Johnson, CD, Simple Geek from the '70s
Distinguished Expert 2019

Commented:
Compare the permissions (NTFS) on a share that has access and one that doesn't have access.
Is this a folder that's in the user's profile folder in C:\Users\username? The user should not ever need to be in the Administrators group to view any folders here.

Is this some really old EMT software that needs FDA approval to upgrade, so the company needs years of approval to certify, and will charge the company an arm and a leg, so the company won't pay to upgrade, and the program was made for NT4 or Win98 and placed somewhere other than the C:\Users?  Then you just need to create a new users group, put all the users in it, and add that group to the permissions structure of the folder.  There's really no good reason to add them to the local admin group for this.
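The NTFS comparison suggested above can be done for every first-level folder of the share at once. This is an added example, not part of the original thread; it assumes PowerShell 3.0 or later, an account that can read every folder's ACL (run it on the file server), and a placeholder path `D:\Shares\Data` that is not taken from the thread:

```powershell
# Added example: group the first-level folders of a share by their NTFS ACL
# so that folders whose permissions differ from the rest stand out.
param(
    # Placeholder: local path behind the mapped drive, not a path from the thread.
    [string]$ShareRoot = 'D:\Shares\Data'
)

function Get-AclFingerprint {
    param([string]$Path)
    # One line per ACE: who, allow/deny, which rights, inherited or explicit.
    $aces = (Get-Acl -LiteralPath $Path).Access | ForEach-Object {
        '{0} | {1} | {2} | inherited={3}' -f $_.IdentityReference.Value,
            $_.AccessControlType, $_.FileSystemRights, $_.IsInherited
    }
    # Sort so that ACE order alone does not show up as a difference.
    ($aces | Sort-Object) -join "`n"
}

# Build one record per folder directly under the share root.
$report = Get-ChildItem -LiteralPath $ShareRoot |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Folder      = $_.FullName
            Fingerprint = Get-AclFingerprint -Path $_.FullName
        }
    }

# Folders with an identical ACL land in the same group; the smallest groups
# (printed first) are the odd ones out and the first to inspect.
$report | Group-Object Fingerprint | Sort-Object Count | ForEach-Object {
    '--- {0} folder(s) share this ACL ---' -f $_.Count
    $_.Group | ForEach-Object { "  $($_.Folder)" }
    $_.Name
    ''
}
```

Comparing the ACEs of a folder the users can see with one they cannot shows which group grants the visibility, and that group can then be checked against the output of `whoami /groups` in the affected user's session.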
Top Expert 2016

Commented:
when they open one of the shared drives the script maps they normally can only see partial folders within that drive.

Does that mean they don't access the folder by means of Windows Explorer but by using a script? If so, can you post the contents of the script?

What happens if you add the user explicitly to the security page of the hidden folder (and all files of the folder) and check at least read access for the user? I mean to remember that I once didn't see subfolders of a share when no single file of that folder could be accessed.

Sara
David Johnson, CD, Simple Geek from the '70s
Distinguished Expert 2019

Commented:
Is the script/GPO running as an administrator or in computer preferences? It should be run as the user.
Support Center Engineer
Commented:
I found the issue to be their profile. I fully deleted the profile, had them log back in, and that fixed it.