Paul Æ

asked on

Secondary domain administrator account cannot mount User Profile Disks

Hi all, my question specifically is: Why can I not mount VHDX files using a secondary domain administrator account? The specifics are below.

Environment
(Server 1) Domain Controller - Server 2016
(Server 2) RDS 1 of 2 - Server 2016
(Server 3) RDS 2 of 2 - Server 2016
User Profile Disks are housed on Server 1

Problem
I am trying to lock down the built-in Domain Administrator account so my staff cannot use it, instead using their own Domain Admin accounts (ex. Admin1). When doing this, however, I now get Access Denied errors when attempting to mount VHDX files on Server 1.

The VHDX actually does mount, but I still get an Access Denied error from these extra domain administrator accounts when attempting to mount and then attempting to enter the virtual disk.

The VHDX files' security includes the Domain Admins group w/ Full Control, which Admin1 is a part of. When mounted, the virtual disk has the security group Administrators listed as Full Control; again Admin1 is also a part of this group.

Domain Users have no problems using their VHDX files, but I just can't seem to figure out how to give the additional domain admin accounts access.

We had issues in the past trying to do Exchange CU's with auxiliary admin accounts and I was wondering if maybe that was the problem here.

I am not seeing anything in the Administration, Security, or Application logs related to the access denied dialog box.

---

Any help would be appreciated, I am on a solid 20 hours working on this. A reboot after work hours did not resolve the issue unfortunately.
McKnife

The built-in domain admin is called "administrator" and for him (and ONLY FOR HIM), UAC is off by default.
Any other domain admin needs to elevate before he may use his full access token which is needed for administrative tasks like mounting disks.

BUT: If I click on a VHDX file, I don't get access denied, but I get a UAC dialog.
SO: the only explanation for what you see is that you deactivated UAC.
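
The token split described in this answer can be checked directly on Server 1. The PowerShell below is an added example, not part of the original thread; it reads the standard UAC policy values and the current process token, and is meant to be run once from a normal session and once from an elevated one so the two results can be compared.

```powershell
# Added diagnostic (not from the thread): show how UAC treats the current session.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

# True only when this process holds the full (elevated) administrator token.
# With a filtered token the Administrators group is deny-only and this is False.
$isElevated = $principal.IsInRole($adminRole)

# The built-in Administrator account (local or domain) has a SID ending in -500.
$isBuiltinAdmin = $identity.User.Value -match '-500$'

# UAC policy values. A missing value is returned as $null, which means "default".
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey

[pscustomobject]@{
    Account                   = $identity.Name
    BuiltInAdministrator      = $isBuiltinAdmin
    ProcessElevated           = $isElevated
    EnableLUA                 = $policy.EnableLUA                  # 1 = UAC (Admin Approval Mode) on
    FilterAdministratorToken  = $policy.FilterAdministratorToken   # 0 or absent = built-in Administrator exempt
    ConsentPromptBehaviorAdmin = $policy.ConsentPromptBehaviorAdmin
} | Format-List

# Show how BUILTIN\Administrators (S-1-5-32-544) appears in this token.
# In a non-elevated session of a secondary admin the line carries the
# deny-only attribute; in an elevated session it is an enabled group.
whoami /groups | Select-String -SimpleMatch 'S-1-5-32-544'

if ($isBuiltinAdmin -and -not $policy.FilterAdministratorToken) {
    'Built-in Administrator with Admin Approval Mode not applied: full token in every process.'
}
elseif (-not $isElevated) {
    'Filtered token: ACL entries that grant access only via Administrators do not apply to this process.'
}
else {
    'Elevated process: full administrator token is in use.'
}
```

File Explorer normally runs with the filtered token even after a separate process has been elevated, so a result of `ProcessElevated : False` in the session that opens E:\ is the case this answer describes.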
Paul Æ

ASKER

McKnife, I did have UAC turned off. I turned it back on to full and got the elevation dialog box. After selecting 'yes', I then get the same "E:\ is not accessible. Access is denied."
Paul Æ

ASKER

Another item of note, the template VHDX file works just fine.

The only difference in security permissions is the end domain user has full control of their VHDX, but that's necessary.

McKnife

Please verify if e: is really inaccessible. Saw that before, Windows saying "access denied" but the drive is nevertheless accessible.
Try to access e: from an elevated command prompt (dir e:)
Paul Æ

ASKER

McKnife - From the built-in Administrator account, E: is accessible in every way, shape, and form. Using it from the Admin2 domain administrator account is what gives the error even though it does mount. And again, even though it does mount, we get Access Denied when trying to enter it.

We can navigate and manipulate via command prompt, but most of our guys are level 1 Engineers and new to CLI-based navigation.

As of now, the only workaround I have found is to mount it with Admin 2, getting the Access Denied error, and launching TreeSize, which gives the proper permissions, and manipulating files that way; it's just not pretty.
ASKER CERTIFIED SOLUTION
McKnife
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: 'McKnife' (https:#a43307988)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer