Windows 2008 R2 NTFS file permissions not working as intended

You are right about mentioning the UAC. This is a feature. See this for how to disable the UAC.

Administrator File Modification Privilege

Author: Ryan Mortier
Updated on September 18, 2022

Comments

  • Ryan Mortier
    Ryan Mortier over 1 year

    We just got our first Windows Server 2008 R2 server in. It's going to be a file server. However, I am running into a weird issue with it that seems to be a result of UAC.

    When I try to share a folder, I set the Everyone group to "Full Control" on the share permissions. I then set up the NTFS permissions so they don't inherit from the default security descriptors when you format an NTFS volume, and I choose to remove the current descriptors so I can set up my own. I set it up so that the local Administrators group has full control, the domain\Domain Admins group has full control, and the SYSTEM built-in user has full control.

    When I do this, I lose permissions to the folder as a domain administrator. What is causing this to happen? The machine has been joined to the domain and the Domain Admins group is part of the local administrators group (not that that should matter anyway since I specifically have the domain admins in the NTFS permissions).

    This is what the default NTFS security descriptors look like:

    This is what the modified security looks like:

    Why would this cause the logged on domain administrator and any other domain admin to lose access? This behaviour is not seen on a Windows Server 2003 machine.

    Edit: I've done some more testing and it appears only the logged on user of that machine is denied access, even though the user logged on is a member of the Domain Admins group. A Domain Admin has no problem accessing the share through the network.

    Edit 2: Alright, so thank you to Zoredache below, I was able to get on the right track and figure out what was going on. It was indeed UAC, but not the default UAC settings that come on Windows Server 2008 R2. We actually have a domain-wide UAC group policy object that was changing the default settings on the server.

    These are the default settings:

    And this is what the settings on the GPO were:

    Since GPO takes precedence over local security, this is what was stopping me from seeing the NTFS permissions or gaining access to the folder.

    I've fixed this behaviour by simply making a new UAC GPO and WMI filtering it to servers only.

    • Admin
      Admin about 12 years
      Good catch. I keep hating UAC more every day...
  • Ryan Mortier
    Ryan Mortier about 12 years
    I'm going to read this now, but is disabling UAC really a good idea?
  • Zoredache
    Zoredache about 12 years
    The question and answers have a couple of other suggestions. For example, you could simply use a different group other than Domain Admins. The UAC filtering only happens when you are on the file server, so you could manage things from the network. If your 'server' is only acting as a file server and nothing else, there really isn't much risk in disabling the UAC. One would hope that you are never running or doing anything on the file server console other than managing the file server.
  • tony roth
    tony roth about 12 years
    Basically, MS put out updated guidance on UAC, and it all boiled down to whether admins can surf the net from a given device. If not, then they said disable UAC!
  • Ryan Mortier
    Ryan Mortier about 12 years
    Unfortunately I'm not the only sysadmin here and the other guys may possibly use IE to google troubleshooting issues in the future. I would hope they would use their own computers for this purpose but I can't guarantee it wouldn't happen. This is my sole reason for not wanting to disable UAC. At least now that I know what is causing the behaviour, I can decide how I want to handle this.
  • Ryan Mortier
    Ryan Mortier about 12 years
    I've fixed the issue and edited it in my original post, thank you for your help.
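
To check for the behaviour discussed in this thread on a given server, the following PowerShell function (an added example, not code from the original posts) reports whether the console session holds an elevated token, which groups the token carries as deny-only, which Allow entries on a folder depend on those groups, and the UAC policy values in effect. The function name `Get-UacAccessReport` and the path `D:\Shares\Data` are hypothetical, and the code assumes English-language `whoami` output.

```powershell
# Added example; the function name and sample path are hypothetical.
# Assumes English-language whoami output ("Group used for deny only").
function Get-UacAccessReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    # 1. Does this process hold the full (elevated) administrator token?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # 2. Groups left in the token as deny-only, keyed by SID. Allow ACEs
    #    for these groups grant nothing to this token.
    $denyOnly = @{}
    whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.Attributes -match 'deny only' } |
        ForEach-Object { $denyOnly[$_.SID] = $_.'Group Name' }

    # 3. Allow ACEs on the folder that depend on one of those groups.
    #    Reading the DACL can itself be denied to a filtered token.
    $aclReadable = $true
    $ineffective = @()
    try {
        $acl   = Get-Acl -Path $Path -ErrorAction Stop
        $rules = $acl.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])
        $ineffective = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $denyOnly.ContainsKey($_.IdentityReference.Value)
        } | ForEach-Object { $denyOnly[$_.IdentityReference.Value] })
    } catch {
        $aclReadable = $false
    }

    # 4. UAC policy values in effect on this machine.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $key | Select-Object EnableLUA,
        ConsentPromptBehaviorAdmin, FilterAdministratorToken

    New-Object PSObject -Property @{
        User = $identity.Name; Elevated = $elevated
        DenyOnlyGroups = @($denyOnly.Values); AclReadable = $aclReadable
        AllowAcesViaDenyOnlyGroups = $ineffective; UacPolicy = $uac
    }
}

# Run at the console from a normal prompt, then again from an elevated one.
Get-UacAccessReport -Path 'D:\Shares\Data' | Format-List
```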