Sign in
 
HomeWindows Server 2012Windows Server 2008 R2Windows Server 2003LibraryForums
Windows Server TechCenter >
Admin file permissions error

Answered Admin file permissions error

  • Wednesday, January 23, 2013 7:44 PM
     
     
    Sign In to Vote
    0

    Hi,

    On our Server 2012 DC I log in with my Domain Admin credentials and using Windows Explorer I changed an F:\ drive's permissions to allow only BUILTIN\Administrators group access. Once I did this I can no longer access the drive even though I'm logged in as a Domain Admin and a member of the BUILTIN\Administrators group.

    As a test I can launch an elevated Command Prompt or Powershell and access the F:\ drive. But I not understanding why I can't access via Windows Explorer now?

    Any help appreciated.  David

     

All Replies

  • Thursday, January 24, 2013 12:18 PM
     
     
    Sign In to Vote
    0
    I may be wrong but is the administrators group not an elevated group in 2012, try running explorer.exe elevated does this give you access? If it deos you could just add domain admins to the folder and I would guess this would get around the problem.

    8B17

     
  • Thursday, January 24, 2013 12:54 PM
     
     
    Sign In to Vote
    0

    I suppose the cause of your issue is that Windows Explorer runs without administrator privileges on default setting because it runs in the same process as the first launched one (without administrator privileges) in logging in.

    Could you see the following article and try the work around in it?

    http://setspn.blogspot.jp/2010/11/using-windows-explorer-together-with.html

    Yutaka




    • Edited by Yutaka, N Thursday, January 24, 2013 12:54 PM
    • Edited by Yutaka, N Thursday, January 24, 2013 1:00 PM
    • Edited by Yutaka, N Thursday, January 24, 2013 1:02 PM
    •  
     
  • Thursday, January 24, 2013 8:51 PM
     
     
    Sign In to Vote
    0

    Thanks for the replies.

    On Windows Server 2012 I'm not seeing that Windows Explorer offers a RunAs Administrator or I'd give that a try.

    I do find I can access the drive/folders as a share over the network with the same permissions set as those where when I'm logged in locally on the server and can't. So its some type of account protection that must be going on here when logged in locally.

    I see the default permission on the drives includes "Authenticated Users" with mostly full permissions - when I remove this is group is when I can't access locally. The "Authenticated Users" group though should be an aggregate of all groups that can autheticate on the server so which make it very open. I have to remove that group so I can set more strict permissions to control how its accessed over the network.

     
  • Friday, January 25, 2013 6:05 AM
     
     
    Sign In to Vote
    0

    Hi David,

    As per my understanding your issue is, you are not able to access your F:\ drive after changing permissions.  Have you checked with the Administrator login?, as you said you are able to Log-in through the eleveted CMD/Powershell.  But not via Windows explorer.  Because while you are logging through the Domain Admin account which is also a group of Bultin\Administrators Group, but there is one thing missing after creating the ADDS any Login primary Group is related to ADDS only.  In your case Domain Admin Group is your account Primary group & BUILTIN\Administrators group is secondary thus it is not allowing you to login.

    Thanks & Regards Narendra Tiwary

     
  • Friday, January 25, 2013 9:08 PM
     
     Answered Has Code
    Sign In to Vote
    0

    Thanks for the reply. As some have noted on this thread its a basic UAC issue when logging in as an as someone in the Administrators group coupled with my desire to restrict access to drive/folders using the Administrators group.

    I found this thread that discusses the same issue I'm having,

    http://social.technet.microsoft.com/Forums/en/winserverfiles/thread/fedbb110-556d-4d2f-83bb-fb679c125cc3

    Shaon Shan (moderator) responded with this helpful reply,

    If a user account belong to local Administrators 
account and only the Administrators group has permission on a folder, all 
admins except Administrator account will not have permission to access it.
    
This is because all accounts in local Administrators group are 
working as standard accounts. When an Administrator action need to be 
performed, a prompt will occurs for permission to promote to admin 
permission. As only Administrators group has permission
 on a folder and the account we are using is working like a standard 
account, we will be denied from accessing.
A workaround is to create a new group for all admins and give the group enough permission for accessing the target folder.
Or you could run all accounts in Administrators group in Admin mode. See this article:
UAC Group Policy Settings and Registry Key Settings
http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx

    As others on the above thread point out even if you relax UAC the Admin Approval mode is still enabled. The workaround, as the above linked technet article discusses, is to edit the registry and set the "Run all Administrators in Admin Approval Mode" EnableLUA setting to "0".

    Of course that basically disables UAC which I'd rather not do but it makes it additionally difficult to mange files which are restricted to admins using Windows Explorer when logged into the server hosting the files.