I have secured a drive on my server to only allow Local Administrators access. Domain Admins are part of the Local Administrators group.
When I log on as an administrator, the folder is only accessible if I grant myself permissions directly to the drive (rather than using the nested permissions of the Local Administrators group). However, if I end the Explorer.exe process and run it as an administrator, I have access using nested permissions.
If I log on as the local administrator, everything works fine. None of the domain administrator accounts can open the drive without granting themselves permissions.
To make things weirder, if a domain admin accesses the drive as a network share, or as an administrative share, everything works fine as well.
This has happened to me with both Server 2012 R2 and 2008 R2.
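The symptom described above (access works only after restarting Explorer elevated) can be confirmed from the logon session itself. The following PowerShell is an added example, not part of the original question: it lists the groups in the current token that have been marked "used for deny only" and reports whether the current process is elevated. Only built-in tools are used (`whoami`, which ships with Windows, and the .NET `WindowsPrincipal` class); no group or SID values beyond the well-known Administrators SID are assumed.

```powershell
# Added example: diagnose a UAC-filtered token from a PowerShell prompt.
# Run it once from a normal prompt and once from "Run as administrator" to
# see the difference the question describes.

function Get-DenyOnlyGroup {
    # whoami /groups /fo csv emits the columns "Group Name","Type","SID","Attributes".
    # Groups that UAC has filtered carry the attribute "Group used for deny only":
    # they can only match Deny ACEs, never Allow ACEs, on local objects.
    whoami /groups /fo csv |
        ConvertFrom-Csv |
        Where-Object { $_.Attributes -match 'deny only' } |
        Select-Object 'Group Name', SID
}

function Test-ProcessElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    # IsInRole ignores deny-only SIDs, so this is $false in a filtered token even
    # though the Administrators SID (S-1-5-32-544) is still present in $id.Groups.
    $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$filtered = @(Get-DenyOnlyGroup)
if (Test-ProcessElevated) {
    Write-Output 'Elevated token: full group membership is in effect.'
} elseif ($filtered.Count -gt 0) {
    Write-Output 'Filtered (UAC) token. These memberships will not grant local access:'
    $filtered | Format-Table -AutoSize
} else {
    Write-Output 'Not an administrator on this machine.'
}
```

From the non-elevated prompt of a domain admin you should see `BUILTIN\Administrators` in the deny-only list and "Filtered (UAC) token"; from an elevated prompt the list is empty and the membership is honoured, which is why the re-launched Explorer could open the drive.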
Best Answer
UAC is Modifying Your Administrative Permissions

The behavior you're describing is by design. It's the result of your account having its effective membership in the local machine's Administrators group stripped by User Account Control (UAC). Here's a visual description of what's going on:

![UAC token filtering diagram](https://i.stack.imgur.com/1I0Dt.gif)

Even though your user account is an effective member of the Local Administrators group, those permissions aren't present in your access token when you access the drive, resulting in your being denied permissions (or being prompted by UAC to grant your account explicit permissions to access the drive). Conversely, when your user account is granted explicit permissions to the drive you have normal access, since only your membership in the Administrators group is stripped by UAC. When you log on with the built-in Administrator account, UAC is disabled by default. As a result, the above token filtering process doesn't take place.
UAC has no effect on resources located across the network. It only operates on the local computer. Therefore, since these accounts have access to the resources and UAC isn't filtering that access, they're not prevented from accessing the object.
A Secure Workaround

Since disabling UAC is discouraged for the sake of increased security, use this simple workaround:

1. Create a local group called Data Volume Administrators.
2. Make Domain Administrators a member of the Data Volume Administrators group.
3. Grant the Data Volume Administrators group NTFS Full Control permissions to the volume.

The net effect is that you'll have full access to the object since UAC won't strip your membership from the Data Volume Administrators group.
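The three-step workaround above can be scripted. The following PowerShell is an added example and not code from the answer; it uses `net localgroup` and `icacls` rather than the `*-LocalGroup` cmdlets so that it also runs on the Server 2008 R2 and 2012 R2 systems mentioned in the question. The volume letter and the domain name `CONTOSO` are placeholders to replace with your own values; the group name is the one the answer uses.

```powershell
# Added example: implement the "Data Volume Administrators" workaround.
# Run from an elevated prompt (the token must not be filtered to edit the ACL).
param(
    [string]$Volume       = 'D:\',                         # placeholder: the secured data volume
    [string]$GroupName    = 'Data Volume Administrators',  # group name from the answer
    [string]$DomainAdmins = 'CONTOSO\Domain Admins'        # placeholder domain; adjust to yours
)

function Test-LocalGroupExists([string]$Name) {
    # "net localgroup <name>" exits 0 only when the group exists.
    $null = & net localgroup $Name 2>&1
    return ($LASTEXITCODE -eq 0)
}

# Step 1: create the local group (idempotent).
if (-not (Test-LocalGroupExists $GroupName)) {
    & net localgroup $GroupName /add /comment:"Full control of data volume; membership is not filtered by UAC"
    if ($LASTEXITCODE -ne 0) { throw "Could not create local group '$GroupName'" }
}

# Step 2: add Domain Admins to the new group (net reports an error if already a member, which is harmless).
$members = & net localgroup $GroupName 2>&1
if (-not ($members -match [regex]::Escape($DomainAdmins))) {
    & net localgroup $GroupName $DomainAdmins /add
    if ($LASTEXITCODE -ne 0) { throw "Could not add '$DomainAdmins' to '$GroupName'" }
}

# Step 3: grant the group Full Control on the volume, inherited by all files and folders.
# (OI)(CI) = object and container inherit; F = full control.
& icacls $Volume /grant "${GroupName}:(OI)(CI)F"
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Volume" }

# Verify: show the resulting ACE for the new group.
(Get-Acl -Path $Volume).Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
```

After this runs, a domain admin's non-elevated token still has `BUILTIN\Administrators` marked deny-only, but the `Data Volume Administrators` membership is left intact, so the Allow ACE on the volume matches and the drive opens without re-launching Explorer elevated. Note that a new group membership only appears in tokens created after the change, so affected users must log off and on again.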