Windows – Secured drive only available if Windows Explorer is run as an Administrator


I have secured a drive on my server to only allow Local Administrators access. Domain Admins are part of the Local Administrators group.

When I log on as an administrator, the folder is only accessible if I grant myself permissions directly to the drive (rather than using the nested permissions of the Local Administrators group). However, if I end the Explorer.exe process, and run it as an administrator, I have access using nested permissions.

If I log on as the local administrator, everything works fine. None of the domain administrator accounts can open the drive without granting themselves permissions.

To make things weirder, if a domain admin accesses the drive as a network share, or as an administrative share, everything works fine as well.

This has happened to me with both Server 2012 R2 and 2008 R2.

Best Answer

UAC is Modifying Your Administrative Permissions

The behavior you're describing is by design. It's the result of your account having its effective membership in the local machine's Administrators group stripped by User Account Control (UAC):

When an administrator logs on, the user is granted two access tokens: a full administrator access token and a "filtered" standard user access token. By default, when a member of the local Administrators group logs on, the administrative Windows privileges are disabled and elevated user rights are removed, resulting in the standard user access token. The standard user access token is then used to launch the desktop (Explorer.exe). Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all applications run as a standard user by default unless a user provides consent or credentials to approve an application to use a full administrative access token. (Source: TechNet)


Even though your user account is an effective member of the Local Administrators group, those permissions aren't present in your access token when you access the drive, resulting in your being denied permissions (or being prompted by UAC to grant your account explicit permissions to access the drive). Conversely, when your user account is granted explicit permissions to the drive you have normal access since only your membership in the Administrators group is stripped by UAC.

If I log on as the local administrator, everything works fine.

When you log on with the built-in Administrator account, UAC is disabled by default. As a result, the above token filtering process doesn't take place.

...If a domain admin access the drive as a network share, or as an administrative share, everything works fine as well.

UAC has no effect on resources located across the network. It only operates on the local computer. Therefore, since these accounts have access to the resources, and UAC isn't filtering that access, they're not prevented from accessing the object.

A Secure Workaround

Since disabling UAC is discouraged for sake of increased security, use this simple workaround:

  1. Create a domain group, such as Data Volume Administrators
  2. Make Domain Administrators a member of the Data Volume Administrators group
  3. Grant the Data Volume Administrators group NTFS Full Control permissions to the volume.

The net effect is that you'll have full access to the object since UAC won't strip your membership from the Data Volume Administrators group.
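A PowerShell version of both the diagnosis and the three-step workaround above, added here as an example (not part of the original answer). The group name Data Volume Administrators, the domain name CONTOSO and the drive letter D: are assumptions; the workaround part needs the ActiveDirectory module (RSAT) and domain admin rights.

```powershell
# Added example, not from the original answer. Names (group, CONTOSO, D:) are assumptions.

# --- 1. Diagnose: is this session running on the UAC-filtered token? ---
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
# IsInRole(Administrator) is $false on the filtered token even though the user is a member
# of the local Administrators group; it is $true only in an elevated (Run as administrator) session.
$elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 'whoami /groups' shows why: in a filtered token BUILTIN\Administrators (S-1-5-32-544) is
# still listed, but with the attribute "Group used for deny only", so it can only match
# Deny ACEs and never grants access. Any group granted via that membership is lost too.
$adminRow = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID -eq 'S-1-5-32-544' }
"Elevated: $elevated"
"BUILTIN\Administrators attributes: $($adminRow.Attributes)"

# --- 2. Workaround: a separate domain group that UAC does not strip from the token ---
Import-Module ActiveDirectory
# Domain local scope is the usual choice for a group that only carries resource permissions;
# it can contain the global Domain Admins group.
New-ADGroup -Name 'Data Volume Administrators' -GroupScope DomainLocal -GroupCategory Security
Add-ADGroupMember -Identity 'Data Volume Administrators' -Members 'Domain Admins'

# --- 3. Grant that group Full Control on the volume root, inherited by all folders and files ---
$acl  = Get-Acl -Path 'D:\'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CONTOSO\Data Volume Administrators',
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
     [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path 'D:\' -AclObject $acl

# Verify the ACE landed; an Allow entry for the new group should be in the output.
(Get-Acl -Path 'D:\').Access | Where-Object { $_.IdentityReference -like '*Data Volume Administrators' }
```

Group membership is fixed when the logon token is built, so a domain admin only picks up the new group after logging off and back on; re-run the diagnosis part afterwards and the drive should open from the non-elevated Explorer.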
