Andrew N. Kowtalo
 asked on

Unable to view all folders in shared drive unless local admin access provided to machine

I have domain users that randomly log in to various workstations within their company. When they log in to Windows the profile sets up and all the mappings are set up; however, when they open one of the shared drives the script maps, they normally can only see partial folders within that drive. If they are given local admin access to the machine, reboot and then reopen the shared drive the script maps, all the folders appear and are accessible. Any idea how to fix this?
Windows 10, UNC Shared Folders, Windows OS, Networking, DNS

Last Comment
Andrew N. Kowtalo

8/22/2022 - Mon
McKnife

When you give them local admin permissions, how do you proceed, do you add them to a local group or to a domain group, that is part of the group local administrators? If the latter, the phenomenon could possibly be explained if access based enumeration is in use at the server.
Andrew N. Kowtalo

ASKER
It's 100% strange but I add their domain login to the local administrator group. The hard part is this company has no management over any of their employees and they just log in willy-nilly to whatever machine is free and expect to see everything in the data folder.

Is there something I can add to the login script from AD that would give their profile local admin access to the machine instead of having to manually add them to the group each time they log in to the machine to fix this? I do not feel this is secure but I think local admin is needed for a lot of functionality at this company.
McKnife

"local admin is needed for a lot of functionality at this company" - normally, it is not, so you should investigate before you follow that thought any further.

Shares do not care whether someone is local admin or not, they are not on your machine.
If you had said "for a test, I made him domain admin" (ouch!), I would have told you that access based enumeration is the reason, since domain admins will be admins at the file server and thus, see all folders within a share with access based enumeration.
Andrew N. Kowtalo

ASKER
This company uses an EMR application that requires local admin rights. Again I need to know why when they log in they only see partial folders under their shared data drive and when they are given local admin to the machine they can then see all the folders. It doesn't make sense to me. I don't know where to look.
Andrew N. Kowtalo

ASKER
Also the server where these shared drives are mapped to is 2008
McKnife

Let's get back to your "It's 100% strange but I add their domain login to the local administrator group" - the admin groups of what system are you talking about, of the server, or of the client?
Andrew N. Kowtalo

ASKER
As I stated, after adding their domain login to the local administrators group of the machine the folder contents within the share then lists all the folders within that share. If I remove their local admin access from the machine's administrators group, reboot and they log back in, they can only see partial folders. I know local admin shouldn't have anything to do with that but obviously something is botched somewhere which is why this is happening. I just don't know where.
McKnife

What machine? Client or server?
Andrew N. Kowtalo

ASKER
The machine I am referring to is the client workstation. These users do not have their own workstations so they just log in to whatever machine is available. It's a 100% permissions problem. I am assuming this is a permissions issue on the folder itself.

Let me also make it clear we inherited this problem from a previous I.T. company when we took over.   They have had folder permissions so screwed up that we have been in a nonstop fixing phase putting things correctly.
McKnife

There is no way to explain that behavior.

Please retry on a clean Win10 without any software, just Windows installed and domain joined.
Andrew N. Kowtalo

ASKER
Thanks for the feedback. These are 65 brand new Windows 10 Pro machines out of the box. It is happening on every machine. It's a permissions issue from the domain. Somehow enabling local admin on the workstation changes the view in the folder.
McKnife

You keep repeating that, sorry, it cannot be explained, there is no setting to change that, so you have either some 3rd party software interference or you are not aware of all factors in play.
Andrew N. Kowtalo

ASKER
Yes exactly.  I am not.   Perhaps local administrator per policy somewhere ties to domain policy and provides domain admin.  That's why I am stating I am unsure where to look.   This entire process is going to be redone eventually.   We are just trying to somewhat get it stable for now.
McKnife

"Perhaps local administrator per policy somewhere ties to domain policy and provides domain admin." - no, there's no such tie in place. The local membership does not interest anywhere but locally.
Andrew N. Kowtalo

ASKER
Yes that may be the case, however there are several administrator/group administrator accounts on the domain that had security groups within groups that gave out these levels of access. I have since removed them all but obviously something is still linked somewhere.
McKnife

On the domain, you cannot add local admins to any domain resources like shares. It can't be done, there is nothing that you are missing.
Again:
-rule out 3rd party software interference
-review it again in case you missed something obvious
Andrew N. Kowtalo

ASKER
I know they do not run any third party software. I am wondering if I should change the login script to map to a different script than the one she is using. The logon script in AD may have limited view versus the other one. Let me test something quick.
David Johnson, CD

Compare the permissions (NTFS) on a share that has access and one that doesn't have access.
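
One way to carry out the NTFS comparison suggested above, as an added example that is not part of any participant's post: it diffs the ACL of every top-level folder in the share against a folder that standard users can already see. The two UNC paths and the function name `Get-AceSummary` are hypothetical placeholders; run it from a workstation with PowerShell 3.0 or later under an account that can read permissions on the share.

```powershell
# Added example; not from the thread. Both paths are hypothetical placeholders.
$ShareRoot = '\\fileserver\Data'                     # root of the mapped share
$Reference = '\\fileserver\Data\FolderEveryoneSees'  # folder standard users can see

function Get-AceSummary {
    param([string]$Path)
    # One row per ACE (explicit or inherited) on the folder.
    @((Get-Acl -LiteralPath $Path).Access | ForEach-Object {
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Type      = [string]$_.AccessControlType
            Rights    = [string]$_.FileSystemRights
            Inherited = $_.IsInherited
        }
    })
}

$refAces = Get-AceSummary -Path $Reference

# Compare each top-level folder with the reference and report only differences.
$report = foreach ($dir in Get-ChildItem -LiteralPath $ShareRoot -Directory) {
    $diff = Compare-Object -ReferenceObject $refAces `
                           -DifferenceObject (Get-AceSummary -Path $dir.FullName) `
                           -Property Identity, Type, Rights
    foreach ($d in $diff) {
        [pscustomobject]@{
            Folder   = $dir.Name
            Identity = $d.Identity
            Type     = $d.Type
            Rights   = $d.Rights
            # '<=' means the ACE exists only on the reference folder,
            # '=>' means it exists only on the folder being checked.
            FoundOn  = if ($d.SideIndicator -eq '<=') { 'reference only' }
                       else { 'this folder only' }
        }
    }
}

$report | Sort-Object Folder, Identity | Format-Table -AutoSize
```

Folders that list a read-granting group under "reference only" are the ones a user outside that group would not see when access-based enumeration is enabled on the server.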
serialband

Is this a folder that's in the User's profile folder in C:\Users\username?  The user should not ever need to be in the Administrator's group to view any folders here.

Is this some really old EMT software that needs FDA approval to upgrade, so the company needs years of approval to certify, and will charge the company an arm and a leg, so the company won't pay to upgrade, and the program was made for NT4 or Win98 and placed somewhere other than the C:\Users?  Then you just need to create a new users group, put all the users in it, and add that group to the permissions structure of the folder.  There's really no good reason to add them to the local admin group for this.
sarabande

when they open one of the shared drives the script maps they normally can only see partial folders within that drive.

does that mean they don't access the folder by means of the windows explorer but by using a script? if so, can you post the contents of the script?

what happens if you add the user explicitly to the security page of the hidden folder (and all files of the folder) and check at least read access for the user? i mean to remember that i once didn't see sub folders of a share when no single file of that folder could be accessed.

Sara
David Johnson, CD

Is the script/GPO running as an administrator or in computer preferences? It should be run as the user.
ASKER CERTIFIED SOLUTION
Andrew N. Kowtalo
