Wednesday, January 23, 2013 7:44 PM
On our Server 2012 DC I log in with my Domain Admin credentials and, using Windows Explorer, I changed an F:\ drive's permissions to allow only the BUILTIN\Administrators group access. Once I did this I could no longer access the drive, even though I'm logged in as a Domain Admin and a member of the BUILTIN\Administrators group.
As a test I can launch an elevated Command Prompt or PowerShell and access the F:\ drive. But I'm not understanding why I can't access it via Windows Explorer now?
Any help appreciated. David
Thursday, January 24, 2013 12:18 PM
I may be wrong, but is the Administrators group not an elevated group in 2012? Try running explorer.exe elevated; does this give you access? If it does, you could just add Domain Admins to the folder and I would guess this would get around the problem.
Thursday, January 24, 2013 12:54 PM
I suppose the cause of your issue is that Windows Explorer runs without administrator privileges by default, because it runs in the same process as the first instance launched (without administrator privileges) at logon.
Could you see the following article and try the workaround in it?
Thursday, January 24, 2013 8:51 PM
Thanks for the replies.
On Windows Server 2012 I'm not seeing that Windows Explorer offers a "Run as Administrator" option, or I'd give that a try.
I do find I can access the drive/folders as a share over the network with the same permissions set as those where, when I'm logged in locally on the server, I can't. So it's some type of account protection that must be going on here when logged in locally.
I see the default permission on the drives includes "Authenticated Users" with mostly full permissions; when I remove this group is when I can't access locally. The "Authenticated Users" group, though, should be an aggregate of all groups that can authenticate on the server, which makes it very open. I have to remove that group so I can set more strict permissions to control how it's accessed over the network.
Friday, January 25, 2013 6:05 AM
As per my understanding, your issue is that you are not able to access your F:\ drive after changing permissions. Have you checked with the Administrator login? As you said, you are able to log in through the elevated CMD/PowerShell, but not via Windows Explorer. While you are logging in through the Domain Admin account, which is also a member of the BUILTIN\Administrators group, there is one thing missing: after creating the ADDS, any login's primary group is related to ADDS only. In your case the Domain Admins group is your account's primary group and the BUILTIN\Administrators group is secondary, thus it is not allowing you to log in.
Thanks & Regards Narendra Tiwary
Friday, January 25, 2013 9:08 PM
Thanks for the reply. As some have noted on this thread, it's a basic UAC issue when logging in as someone in the Administrators group, coupled with my desire to restrict access to drives/folders using the Administrators group.
I found this thread that discusses the same issue I'm having,
Shaon Shan (moderator) responded with this helpful reply,
If a user account belongs to the local Administrators group and only the Administrators group has permission on a folder, all admins except the Administrator account will not have permission to access it.
This is because all accounts in the local Administrators group are working as standard accounts. When an Administrator action needs to be performed, a prompt will occur for permission to promote to admin permission. As only the Administrators group has permission on the folder and the account we are using is working like a standard account, we will be denied from accessing it. A workaround is to create a new group for all admins and give the group enough permission for accessing the target folder. Or you could run all accounts in the Administrators group in Admin mode. See this article: UAC Group Policy Settings and Registry Key Settings http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx
As others on the above thread point out, even if you relax UAC the Admin Approval Mode is still enabled. The workaround, as the above linked TechNet article discusses, is to edit the registry and set the "Run all Administrators in Admin Approval Mode" EnableLUA setting to "0".
Of course that basically disables UAC, which I'd rather not do, but it makes it additionally difficult to manage files which are restricted to admins using Windows Explorer when logged into the server hosting the files.
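The following PowerShell is an added example, not code from this thread or any of its posters. It shows both halves of what the thread is circling: first, how to see that a non-elevated process (Explorer) is carrying a UAC-filtered token in which BUILTIN\Administrators is marked "used for deny only", and second, the moderator's workaround of granting the drive to a dedicated group rather than disabling UAC via EnableLUA. The group name F-Drive-Admins and the OU path are assumptions; the registry value names and the S-1-5-32-544 SID are the real ones. It assumes an elevated PowerShell on the DC, which has the ActiveDirectory module.

```powershell
# Added example; not code from the thread. Run in an elevated PowerShell on the DC.
# Assumed names: group 'F-Drive-Admins', drive 'F:\', OU path below. Adjust to your domain.

# --- Part 1: why a non-elevated Explorer is denied --------------------------------
# Under UAC, members of Administrators log on with a *filtered* token: the
# BUILTIN\Administrators SID (S-1-5-32-544) is still present but flagged
# "used for deny only", so it can match Deny ACEs but never Allow ACEs.
# Explorer inherits that filtered token; an elevated console gets the full one.
function Get-AdminTokenState {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami exposes the per-group attributes that the .NET identity object hides
    $adminGroup = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -eq 'S-1-5-32-544' }

    [pscustomobject]@{
        User              = $identity.Name
        Elevated          = $elevated
        AdminGroupAttribs = $adminGroup.Attributes   # "Group used for deny only" when filtered
    }
}

# Read (do not change) the UAC policy values the thread discusses. EnableLUA=0 would
# switch UAC off for every process; the Part 2 fix avoids touching these at all.
function Get-UacPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Get-ItemProperty -Path $key |
        Select-Object EnableLUA, FilterAdministratorToken, ConsentPromptBehaviorAdmin
}

# --- Part 2: the moderator's workaround without weakening UAC ---------------------
# UAC only marks well-known admin SIDs (Administrators, Domain Admins, etc.) deny-only.
# A custom group is left enabled in the filtered token, so granting the drive to it
# lets the admins' non-elevated Explorer in while everyone else stays locked out.
function Grant-DriveToAdminGroup {
    param(
        [string]$Drive     = 'F:\',
        [string]$GroupName = 'F-Drive-Admins',                 # assumed name
        [string]$GroupPath = 'OU=Groups,DC=example,DC=com'     # assumed OU
    )
    Import-Module ActiveDirectory

    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security -Path $GroupPath
        Add-ADGroupMember -Identity $GroupName -Members 'Domain Admins'
    }

    # Add an Allow Full Control ACE for the new group, inherited by all files and folders.
    $acl  = Get-Acl -Path $Drive
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$env:USERDOMAIN\$GroupName",
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Drive -AclObject $acl   # needs the elevated token, since F:\ currently denies us
}

Get-AdminTokenState
Get-UacPolicy
# Grant-DriveToAdminGroup   # uncomment once the group name and OU path are set for your domain
```

Two things to keep in mind when using this. Group membership is baked into the token at logon, so after adding Domain Admins to the new group the admin must log off and on again before Explorer picks it up. And adding Domain Admins itself to the ACL, as suggested earlier in the thread, does not help: Domain Admins is one of the groups UAC marks deny-only in the filtered token, which is exactly why a separately named group is needed.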