Andrew N. Kowtalo


Unable to view all folders in shared drive unless local admin access provided to machine

I have domain users that randomly log in to various workstations within their company. When they log in to Windows the profile sets up and all the mappings are set up; however, when they open one of the shared drives the script maps they normally can only see partial folders within that drive. If they are given local admin access to the machine, reboot and then reopen the shared drive the script maps, all the folders appear and are accessible. Any idea how to fix this?
Tags: Windows 10, UNC Shared Folders, Windows OS, Networking, DNS

McKnife

When you give them local admin permissions, how do you proceed, do you add them to a local group or to a domain group, that is part of the group local administrators? If the latter, the phenomenon could possibly be explained if access based enumeration is in use at the server.
Andrew N. Kowtalo

ASKER

It's 100% strange but I add their domain login to the local administrator group. The hard part is this company has no management over any of their employees and they just log in willy nilly to whatever machine is free and expect to see everything in the data folder.

Is there something I can add to the login script from AD that would give their profile local admin access to the machine instead of having to manually add them to the group each time they log in to the machine to fix this? I do not feel this is secure but I think local admin is needed for a lot of functionality at this company.
McKnife

"local admin is needed for alot of functionality at this company" - normally, it is not, so you should investigate before you follow that thought any further.

Shares do not care whether someone is local admin or not, they are not on your machine.
If you had said "for a test, I made him domain admin" (ouch!), I would have told you that access based enumeration is the reason, since domain admins will be admins at the file server and thus, see all folders within a share with access based enumeration.
Andrew N. Kowtalo

ASKER

This company uses an EMR application that requires local admin rights. Again I need to know why when they log in they only see partial folders under their shared data drive and when they are given local admin to the machine they can then see all the folders. It doesn't make sense to me. I don't know where to look.
Andrew N. Kowtalo

ASKER

Also the server where these shared drives are mapped to is 2008
McKnife

Let's get back to your "Its 100% strange but I add their domain login to the local administrator group" - the admin groups of what system are you talking about, of the server, or of the client?
Andrew N. Kowtalo

ASKER

As I stated, after adding their domain login to the local administrators group of the machine, the folder contents within the share then list all the folders within that share. If I remove their local admin access from the machine's administrators group, reboot and they log back in, they can only see partial folders. I know local admin shouldn't have anything to do with that but obviously something is botched somewhere which is why this is happening. I just don't know where.
McKnife

What machine? Client or server?
Andrew N. Kowtalo

ASKER

The machine I am referring to is the client workstation. These users do not have their own workstations so they just log in to whatever machine is available. It's a 100% permissions problem. I am assuming this is a permissions issue on the folder itself.

Let me also make it clear we inherited this problem from a previous I.T. company when we took over.   They have had folder permissions so screwed up that we have been in a nonstop fixing phase putting things correctly.
McKnife

There is no way to explain that behavior.

Please retry on a clean Win10 without any software, just Windows installed and domain joined.
Andrew N. Kowtalo

ASKER

Thanks for the feedback. These are 65 brand new Windows 10 Pro machines out of the box. It is happening on every machine. It's a permissions issue from the domain. Somehow enabling local admin on the workstation changes the view in the folder.
McKnife

You keep repeating that, sorry, it cannot be explained, there is no setting to change that, so you have either some 3rd-party software interference or you are not aware of all factors in play.
Andrew N. Kowtalo

ASKER

Yes exactly.  I am not.   Perhaps local administrator per policy somewhere ties to domain policy and provides domain admin.  That's why I am stating I am unsure where to look.   This entire process is going to be redone eventually.   We are just trying to somewhat get it stable for now.
McKnife

"Perhaps local administrator per policy somewhere ties to domain policy and provides domain admin." - no, there's no such tie in place. The local membership does not interest anywhere but locally.
Andrew N. Kowtalo

ASKER

Yes that may be the case, however there are several administrator/group administrator accounts on the domain that had security groups within groups that gave out these levels of access. I have since removed them all but obviously something is still linked somewhere.
McKnife

On the domain, you cannot add local admins to any domain resources like shares. It can't be done, there is nothing that you are missing.
Again:
-rule out 3rd party software interference
-review it again in case you missed something obvious
Andrew N. Kowtalo

ASKER

I know they do not run any third party software. I am wondering if I should change the login script to map to a different script than the one she is using. The logon script in AD may have limited view versus the other one. Let me test something quick.

Compare the permissions (NTFS) on a share that has access and one that doesn't have access.
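
The NTFS comparison suggested above, together with the access-based enumeration point raised earlier in the thread, can be checked per folder with the following PowerShell, which is an added example and not code from any participant. The function name, `\\SERVER\Data` and `jdoe@example.local` are placeholders; it assumes Windows PowerShell 3.0 or later on a domain-joined machine, run under an account that can read every folder's ACL, and it is an approximation that ignores share-level permissions and treats any matching Deny entry as blocking.

```powershell
# Added example (hypothetical function name): for each top-level folder under a
# share, report whether the given domain user has an NTFS entry that lets them
# list it. Folders without one are what access-based enumeration would hide.
function Get-FolderVisibility {
    param(
        [Parameter(Mandatory = $true)] [string] $Root,  # placeholder, e.g. \\SERVER\Data
        [Parameter(Mandatory = $true)] [string] $User   # placeholder UPN, e.g. jdoe@example.local
    )
    # Build an identification token for the user to get the user SID and all
    # (nested) group SIDs. BUILTIN groups reflect the machine this runs on,
    # so run it on the file server for the server's view of the user.
    $id   = New-Object System.Security.Principal.WindowsIdentity($User)
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    # ReadData/ListDirectory (0x1), GENERIC_READ (0x80000000), GENERIC_ALL (0x10000000)
    $need        = 0x1 -bor 0x80000000 -bor 0x10000000
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    Get-ChildItem -LiteralPath $Root -Directory -Force | ForEach-Object {
        $dir   = $_
        $acl   = Get-Acl -LiteralPath $dir.FullName
        # Explicit and inherited entries, with identities returned as SIDs
        $rules = $acl.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])

        # Entries that apply to this folder itself, name one of the user's
        # SIDs, and carry the list/read right
        $hit = @($rules | Where-Object {
            ($sids -contains $_.IdentityReference.Value) -and
            ([int]$_.FileSystemRights -band $need) -and
            -not ($_.PropagationFlags -band $inheritOnly)
        })
        $allow = @($hit | Where-Object { $_.AccessControlType -eq 'Allow' })
        $deny  = @($hit | Where-Object { $_.AccessControlType -eq 'Deny' })

        [pscustomobject]@{
            Folder     = $dir.Name
            CanList    = ($allow.Count -gt 0) -and ($deny.Count -eq 0)
            AllowedVia = ($allow | ForEach-Object { $_.IdentityReference.Value }) -join ', '
            DeniedVia  = ($deny  | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        }
    }
}

# Example call with placeholder values:
# Get-FolderVisibility -Root '\\SERVER\Data' -User 'jdoe@example.local' | Format-Table -AutoSize
```

Folders reported with `CanList = False` are the ones to compare against a folder the user does see; the SIDs in `AllowedVia` show which group grants the access.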
serialband

Is this a folder that's in the user's profile folder in C:\Users\username? The user should not ever need to be in the Administrators group to view any folders here.

Is this some really old EMT software that needs FDA approval to upgrade, so the company needs years of approval to certify, and will charge the company an arm and a leg, so the company won't pay to upgrade, and the program was made for NT4 or Win98 and placed somewhere other than the C:\Users?  Then you just need to create a new users group, put all the users in it, and add that group to the permissions structure of the folder.  There's really no good reason to add them to the local admin group for this.
sarabande

"when they open one of the shared drives the script maps they normally can only see partial folders within that drive."

does that mean they don't access the folder by means of the windows explorer but by using a script? if so, can you post the contents of the script?

what happens if you add the user explicitly to the security page of the hidden folder (and all files of the folder) and check at least read access for the user? i mean to remember that i once didn't see sub folders of a share when no single file of that folder could be accessed.

Sara

Is the script/GPO running as an administrator or in computer preferences? It should be run as the user.