7

I have a brand new Active Directory (CORP-AD) installation running on Windows 2008R2. I have a domain controller (PDC01) and a member server (ME01).

The member server has a C: and a D: drive.

Part of our standard build is to remove all permissions from the root of the D: drive except for:

SYSTEM         (Full Control)
Administrators (Full Control)

I created a new domain user ADMIN01 and granted it membership of the Domain Admins group.

Domain Admins is a member of the member server's local Administrators group.

When I logon (via RDP) to the member server ME01 as the domain user ADMIN01 this user cannot access the D: drive. I then tried adding the Domain Admins group with full control to the root of the D: drive but my ADMIN01 user still cannot access the D: drive:

enter image description here

If I logon to ME01 as a local machine administrator I have no trouble accessing the D: drive at all.

I discovered this question which describes more or less the same problem:

Why can't I browse my D: drive, even if I'm in the Administrators group?

The answer suggests correctly that this is a UAC privilege elevation issue but I'm puzzled by this statement, in particular the bold part:

You can modify this behaviour by Group Policy however bear in mind that the default is set that way intentionally - the specific policy you want to change is "User Account Control: Run all administrators in Admin Approval Mode" - you can find details on how to do this in this MSDN article.

Is this suggesting that "User Account Control: Run all administrators in Admin Approval Mode" should not be disabled?

If it's enabled I don't get a UAC challenge with the "Continue" button + shield icon, I'm just plain refused access to the drive. Is this normal?

Community
  • 1
Kev
  • 7,877
  • 18
  • 81
  • 108
  • Your screenshot does not depict the access control entries for the Domain Admins (or Administrators for the matter) security group. You're showing only the ACEs for the SYSTEM built-in account. – Sean C. Jul 21 '11 at 12:52
  • @sean - I know the reason now, but I don't understand why: http://serverfault.com/questions/292663/why-does-removing-the-everyone-group-prevent-domain-admins-from-accessing-a-drive - I did mention earlier in the question that `SYSTEM`, `Domain Admins` and `Administators` have full control. The image doesn't really add much I admit. – Kev Jul 21 '11 at 13:15
  • I am currently grappling with this issue on Server 2012 R2. We have the exact same symptoms you have. Today our domain Admin Group went corrupt and no domain accounts could login to boot. We were forced to remove the server form the domain and re-add it. Once we re added it the drive permission seemed to be resolved. –  May 27 '15 at 16:39

4 Answers4

4

The reason, although I don't understand why, seems to be caused by removing the built-in Everyone group from the D: drive permissions.

I've followed this up with a new question:

Why does removing the EVERYONE group prevent domain admins from accessing a drive?

Community
  • 1
Kev
  • 7,877
  • 18
  • 81
  • 108
  • Good question. I'm confused though, in your initial post you only listed only SYSTEM and Administrators as having permissions on the D drive. Was "Everyone" in that list too? – Lucky Luke Jul 22 '11 at 21:59
  • In the above question only `SYSTEM` and `Administrators` had permissions on the `d:` drive. – Kev Jul 22 '11 at 22:30
0

Looks like it's not actually a UAC problem but someone has messed around with the permissions on the drive level.

I would log in as the local admin, then compare the permissions that are set on both the C: and the D: drives, i'll bet that the Domain Admins either where removed, or they have been explicitly denied.

Zypher
  • 37,405
  • 5
  • 53
  • 95
  • No, the Domain Admins group wasn't removed. Even with Administrators and Domain Admins given full control of `d:`, my `ADMIN01` user can access the drive ***only*** if I turn off *Run all administrators in Admin Approval Mode* . This is a brand new build, nothing else has been touched. – Kev Jul 21 '11 at 00:22
0

It sounds like someone granted Administrator not Administrators full control.

MDMarra
  • 100,734
  • 32
  • 197
  • 329
0

Did you actually completely log off as user ADMIN01 after you made the group membership changes and added the user to the Domain Admins group?

You mentioned remote desktop a lot, maybe the session for the user was just disconnected, and group membership changes don't take into effect until the user completely logs off and logs back on (with Windows it's also possible to have two sessions open at the same time).

Does the ADMIN01 user have access to other administrative tools that only domain admins normally have access to? That would rule out whether it's a ACL issue on the drive, or a group membership/permission issue.

Lucky Luke
  • 1,634
  • 1
  • 11
  • 12