Windows 2008 Domain Account into Local Administrators Group No Rights

    Question

  • Hi,

    I have a Windows 2008 Server SP2 that is a domain member; I have made a domain user a member of the local administrators group.
    When I logon with this user to test, it doesn't get the rights. I.e. I browse the file system and, for any folders that require administrator permissions, I get access denied; if I check on the UAC prompt I can get permission, but Read and Execute. It doesn't seem to be picking up that the user is a member of the local admins.

    Anyone have any ideas how to fix this? 

    Thanks

    Gareth
    Thursday, November 26, 2009 4:04 PM

Answers

  • Hi,

     

    Thanks for your update.

     

    The test result indicates that the user account has permission to perform administrative tasks.

     

    Based on the current situation, a possible cause of the issue is that the ACL of the folder is too restricted. With UAC enabled, the administrator’s full access token is split into two access tokens: standard user token and administrative token, in order to protect the system. The standard token is then used to launch explorer.exe. Therefore, you may encounter some unexpected behaviors when you try to access the file system with the user’s standard token.

     

    You can run the command cacls FolderPath to dump the ACL of the folder and post the output here for further research.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by David Shen Tuesday, December 08, 2009 4:05 AM
    Tuesday, December 01, 2009 7:14 AM
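
    Added example, not part of the original thread: a PowerShell diagnostic that shows which of the two UAC tokens the current process holds and what the folder ACL names. It assumes an English-language Windows install (whoami's column names and attribute text are localized), and `$FolderPath` is a hypothetical path.

```powershell
# Added diagnostic sketch. Run it once from a normal prompt and once from an
# elevated ("Run as administrator") prompt and compare the two results.
$FolderPath = 'D:\Data'        # hypothetical folder to inspect
$adminSid   = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# whoami /groups reports the groups in the token of THIS process.
$groups = whoami /groups /fo csv | ConvertFrom-Csv
$admin  = $groups | Where-Object { $_.SID -eq $adminSid }
$label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' }   # integrity level

if (-not $admin) {
    'No BUILTIN\Administrators entry in the token: not a local administrator.'
} elseif ($admin.Attributes -match 'deny only') {
    # Standard (filtered) token: the SID is kept only so that Deny ACEs still
    # match. Allow ACEs granted to Administrators are skipped in access checks.
    'Filtered token: Administrators is deny-only; its Allow ACEs do not apply.'
} else {
    'Full token: Administrators is enabled; its Allow ACEs apply.'
}
"Integrity level: $($label.'Group Name')"

# Cross-check through .NET: this is False under the filtered token.
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
'IsInRole(Administrators): ' +
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Show who the folder ACL names. Reading the ACL can itself be denied to the
# filtered token when only Administrators and SYSTEM are listed.
try {
    (Get-Acl $FolderPath -ErrorAction Stop).Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
        Format-Table -AutoSize
} catch {
    "Cannot read the ACL of $FolderPath with this token: $($_.Exception.Message)"
}
```

    If the ACL grants access only through BUILTIN\Administrators and SYSTEM, a process holding the filtered token matches no Allow entry; an entry for the user or for a domain group that stays enabled in the filtered token does match.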

All replies

  • You can see all effective group memberships in your user token by starting cmd.exe and running the "whoami /groups" command. Does it list the local administrator account?
    Thursday, November 26, 2009 6:30 PM
  • Thanks for reply,

    The account lists the BUILTIN\Administrators group, is this the local administrators?

    Thanks

    Gareth

    Friday, November 27, 2009 10:13 AM
  • Yes, that is the local administrators group which means that the user is properly included and should be able to access the files and folders that require administrator access. What do the Access Control Entries look like for the folders you are trying to access and where are the files and folders located?
    Friday, November 27, 2009 10:36 AM
  • Administrators Full Control,  If I do effective permissions on the folder for the user it returns Full Control also,  but when I access the folder I get the UAC prompt saying I don't have access.  I can give myself access but it adds my user with read and execute.

    I must be getting some of the administrator functions as I can do this, and other things like view all the hardware without restrictions, add users to groups etc.

    Thanks

    Gareth
    Friday, November 27, 2009 11:16 AM
  • Hi Gareth,

     

    Do you mean that you cannot perform any administrative task with this user account? Please log on to the server with the user account, run services.msc and let me know the result. Does the system prompt for consent or for credentials for a valid administrator account? You may refer to the “UAC User Experience” section at http://technet.microsoft.com/en-us/library/cc507861.aspx.

     

    Meanwhile, in order to narrow down the cause of the issue, please temporarily turn off UAC on the Windows Server 2008 computer to see if the issue goes away.

     

    Turn User Account Control on or off

    http://windows.microsoft.com/en-US/windows-vista/Turn-User-Account-Control-on-or-off

     

    Joson Zhou

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, November 30, 2009 3:00 AM
  • Hi,

    Yes, when I run services.msc as the user I get the UAC prompt; I just continue through. I can also open the services MMC and stop and start services etc.

    I have turned UAC off, I will need to schedule in reboot though....

    Does UAC run down to the file system then?

    Thanks

    Gareth
    Monday, November 30, 2009 10:22 AM
  • Hi,

    How's everything going? I've not heard back from you in a few days and wanted to check the current status of the issue. If you need any further assistance, please do not hesitate to respond back.

    Thanks.
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, December 04, 2009 8:56 AM
  • The same problem is in Windows Vista, 7 and Windows Server 2008 and 2008 R2 (All OS's with UAC)

    I have set rights to the root of drive D so that only the group Administrators and System have Full Control.
    When I am logged on as Administrator I have Full Control.
    When I am logged on as another user (who is also a member of the administrators group) I get an Access is denied.

    You have to disable UAC to gain access to the folders.

    In Windows XP (and below) or Server 2003 R2 (and below) you don't have this problem, because UAC does not exist in these OS's.

    Somehow I am missing the point WHY UAC would block folder access. But I am sure Microsoft has their reasons.

    Kind regards

    Friday, January 08, 2010 1:09 PM
  • Any resolution to this issue?  I'm experiencing the same problem.  The only solution I have found is disabling UAC by running 'Start' --> 'Run' --> 'msconfig' --> 'Tools' --> 'Change UAC Settings' --> 'Launch' --> 'Never Notify'.

    This appears to turn off UAC, which seems a little drastic.

    Monday, April 12, 2010 7:41 PM
  • This only turns off the notifications when something is changed. Still doesn't allow total administrative access.
    Thursday, April 22, 2010 10:06 PM
  • It appears with Windows 2008 R2, making a user a member of the Administrators group is not enough. 

    Logon as Administrator

    Go to Control Panel -> User Accounts, select the user you want to make an administrator, select Account Type and change the radio button from "Standard User" to "Administrator".

    Thursday, May 06, 2010 6:35 PM
  • Correction to the previous post, it should read:

    Logon as Administrator

    Go to Control Panel -> User Accounts, select Manage another account, select the user you want to make an administrator, select Account Type and change the radio button from "Standard User" to "Administrator" and click the Change Account Type button.

    Thursday, May 06, 2010 6:41 PM
  • We have the same problem at my company. The admins do not have a local account which I could change to account type "Administrator". Every admin has an AD account, which are members of an AD group which is a member of the local administrators group, but they are unable to access folders where the local administrators group has full access. I need to assign folder permissions to the AD group directly, otherwise they are unable to access the files and folders. Because we have many independent folders which do not inherit their permissions from above this is a real pain. What could we do?

    Monday, May 17, 2010 9:10 PM
  • I'm experiencing a very similar issue on Windows Server 2008 Standard SP2.

    Some folders/files have permissions for a Group I have created and the Administrator group. Everyone including the Default Administrator has access. The only one that doesn't is my created account which has been added to the local administrators group.

     

    I can manually edit the Folder/File Permissions to get in there, but it's quite annoying considering the Administrator group is in there, and my account is a part of this group.

     

    Any other updates on the issue for everyone else?

     

    Tuesday, June 08, 2010 12:35 AM
  • Is there a solution to this as we have this problem on a lot of servers?
    Wednesday, December 08, 2010 10:55 AM
  • Hi,

     

    Is there a solution to this yet, as we have the same problem on a lot of servers and would prefer not to turn off UAC?


    Garry IT Project manager
    Wednesday, December 08, 2010 10:59 AM
  • I'm having the same issue. I created a user, added him to the administrator group, but he doesn't have admin rights. Can't create folders, can't run as service, etc. It looks like if I use one of the solutions here, go through control panel and access his user account there and change him to an administrator, that will probably work. Unfortunately, I can't test that right now, since our primary application is running under his login, so I can't change his account type. I'll try this evening to log him off, change his account type and have him log back on in the morning and try to run the app as a service. I'll report back here and let everyone know. Why would a user who is added to the admin group not be an admin? And why is this a feature of control panel instead of computer management?
    Tuesday, December 28, 2010 7:21 PM
  • Well, that didn't do it. My user still can't do things. Is anyone at Microsoft still monitoring this discussion? Why would you have an administrator group that doesn't have administrator privileges?
    Wednesday, December 29, 2010 4:19 PM
  • First off, Windows Explorer cannot be run elevated, which will result in any user who is a member of the administrators group not being seen by Windows Explorer as an administrator; that is the effect of UAC acting and is by design. I've written some words about a few of the problems this produces at http://www.theexperienceblog.com/2010/09/18/case-of-the-mysterious-issues-in-windows-7-and-windows-server-2008-r2/
    Blogging about Windows for IT pros at www.theexperienceblog.com
    Wednesday, December 29, 2010 8:09 PM
  • So then the "fix" is to disable UAC, so that anyone who is a member of the administrator group actually gets the privileges we anticipate he/she should get? I can do that. It just seems to defeat the purpose of both the Administrator group AND the UAC.

     

    Friday, December 31, 2010 7:43 PM
  • The only solution I see is to disable UAC. You can install various antivirus programs that give you UAC-like capabilities without interfering with User Permissions. FortiClient with enable startup list monitoring is one such program.

     

    Tuesday, January 11, 2011 12:16 AM
  • What are the options here (disable UAC)? We are seeing the same type of issue with our Windows 2008 R2. Why would Microsoft not give the option "Run as" in Windows Explorer - will this be in any service packs or perhaps a hotfix?

     

     

    Thursday, January 20, 2011 2:02 AM
  • A similar problem applies to printers - couldn't work out why adding a domain user account to the local administrators group would not allow the user to add a local printer as per the local administrator account.  Same solution, so thank you.
    Wednesday, March 16, 2011 3:21 PM