Domain Admins group denied access to d: drive

windows windows-server-2008 active-directory permissions uac
36,997

The reason, although I don't understand why, seems to be caused by removing the built-in Everyone group from the D: drive permissions.

I've followed this up with a new question:

Why does removing the EVERYONE group prevent domain admins from accessing a drive?

Share:
36,997

Related videos on Youtube

Kev
Author by

Kev

###Actively looking for freelance work ###About Me: I'm a professional software developer and have spent my time building provisioning and web based self-service systems for IIS, Apache and Citrix XenServer, amongst other things. My Curriculum Vitae can be viewed on Stack Overflow Careers (might be a bit out of date). Stuff I like to listen to at last.fm You can get in touch here: kevin.e.kenny #@# gmail.com (you know what to do with the # and spaces). No Survey Emails Please. Also not ashamed to admit I like trains, mostly diesels, late Era 8 (BR Sectorisation) and Era 9 onwards :) I'm also interested in signalling if anyone from Network Rail is looking this far down ;)

Updated on September 18, 2022

Comments

  • Kev
    Kev over 1 year

    I have a brand new Active Directory (CORP-AD) installation running on Windows 2008R2. I have a domain controller (PDC01) and a member server (ME01).

    The member server has a C: and a D: drive.

    Part of our standard build is to remove all permissions from the root of the D: drive except for:

    SYSTEM         (Full Control)
Administrators (Full Control)

    I created a new domain user ADMIN01 and granted it membership of the Domain Admins group.

    Domain Admins is a member of the member server's local Administrators group.

    When I logon (via RDP) to the member server ME01 as the domain user ADMIN01 this user cannot access the D: drive. I then tried adding the Domain Admins group with full control to the root of the D: drive but my ADMIN01 user still cannot access the D: drive:

    enter image description here

    If I logon to ME01 as a local machine administrator I have no trouble accessing the D: drive at all.

    I discovered this question which describes more or less the same problem:

    Why can't I browse my D: drive, even if I'm in the Administrators group?

    The answer suggests correctly that this is a UAC privilege elevation issue but I'm puzzled by this statement, in particular the bold part:

    You can modify this behaviour by Group Policy however bear in mind that the default is set that way intentionally - the specific policy you want to change is "User Account Control: Run all administrators in Admin Approval Mode" - you can find details on how to do this in this MSDN article.

    Is this suggesting that "User Account Control: Run all administrators in Admin Approval Mode" should not be disabled?

    If it's enabled I don't get a UAC challenge with the "Continue" button + shield icon, I'm just plain refused access to the drive. Is this normal?

    • Admin
      Admin almost 13 years
      Your screenshot does not depict the access control entries for the Domain Admins (or Administrators for the matter) security group. You're showing only the ACEs for the SYSTEM built-in account.
    • Admin
      Admin almost 13 years
      @sean - I know the reason now, but I don't understand why: serverfault.com/questions/292663/… - I did mention earlier in the question that SYSTEM, Domain Admins and Administators have full control. The image doesn't really add much I admit.
    • Admin
      Admin almost 9 years
      I am currently grappling with this issue on Server 2012 R2. We have the exact same symptoms you have. Today our domain Admin Group went corrupt and no domain accounts could login to boot. We were forced to remove the server form the domain and re-add it. Once we re added it the drive permission seemed to be resolved.
  • Kev
    Kev almost 13 years
    Nope, it was definitely Administrators, it was me that built the server.
  • Kev
    Kev almost 13 years
    No, the Domain Admins group wasn't removed. Even with Administrators and Domain Admins given full control of d:, my ADMIN01 user can access the drive only if I turn off Run all administrators in Admin Approval Mode . This is a brand new build, nothing else has been touched.
  • Kev
    Kev almost 13 years
    Not just logged off, but rebooted the server too.
  • Lucky Luke
    Lucky Luke almost 13 years
    Good question. I'm confused though, in your initial post you only listed only SYSTEM and Administrators as having permissions on the D drive. Was "Everyone" in that list too?
  • Kev
    Kev almost 13 years
    In the above question only SYSTEM and Administrators had permissions on the d: drive.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to run a program with elevated permissions from a limited permission user account without administrator password?
Active Directory Allow User to Install Only
Why add computers to Active directory domain?
Full permissions on folder when remoted in, but read only through the network
Automate UAC to not prompt for admin user/pass when app needs "run as administrator"
How can I see all users of domain in this PC?
What local group should user belong to be able to run windows task as that user
How to Get user info from different domain
Cannot open any applications on windows server 2008 R2 Standard edition
How to escalate to administrative token in Windows 7 using only CMD.exe