I am having an issue with the Domain Admin group rights not working properly on shared folders. Prior to sharing a folder and accessing (reading or writing data to) externally, there are no issues with access using a domain account that is a member of the domain admins group. After pushing data to this share from another NAS device using robocopy and using the /COPYALL flag, the shared folder becomes "locked down". Domain Admins with full control is a security attribute on the originating NAS share. When I try to access it, there is a box that pops up saying:
You don't currently have permissions to access this folder. Clik Continue to get access to this folder.
When you click continue it forces it's way in. Prior to and after clicking continue, if you look at the folder rights externally (from another machine accessing the share) Domain Admins has full control rights to all folder in the share. Yet a user account belonging to the Domain Admins groups logged in locally to the server gets this permissions error. Is there a policy set somewhere that is doing this? Is this a new security "feature" of Server 2008?
To help prevent malicious software from silently installing and causing computer-wide infection, Microsoft developed the UAC feature.
With UAC enabled, when an administrator logs on, the user is assigned two separate access tokens: a full administrator access token and a standard user access token. The standard user access token is then used to start the desktop, the explorer.exe process. As a result, when you attempt to access a folder/file that requires administrator permission, a dialog box will prompt for your consent to get the full administrator access token.
For more information about UAC, refer to the following article:
Understanding and Configuring User Account Control in Windows Vista
Microsoft is conducting an online survey to understand your opinion of the Technet Web site. If you choose to participate, the online survey will be presented to you when you leave the Technet Web site.