0

Background info: The admin account of a key user needs unrestricted access to a folder on a server.

-> He is working on the server via RDP or directly with the folder (shared)

Said admin account is in a domain security group called xyz, I have added group xyz to the local administrator group on the server.

However, it seems to behave differently if I add xyz to the NTFS permissions (full control) or the local administrator with xyz inside (full control).

What they need is the behaviour of xyz added separately, but why does this behave differently at all?

This behaviour seemed different on Windows Server 2012 R2, where it didn't make any difference as far as I remember.

Greg Askew
Kevin
  • Accepting an answer helps other people with the same question. If any reply was helpful, please consider accepting it. – Daniel Oct 08 '20 at 06:11

2 Answers

3

This is the expected behavior with User Account Control. There isn't any difference between 2012 R2 and 2019.

Greg Askew
3

To elaborate a bit on Greg's answer on a high level, UAC filters out the user's administrator access token. So if you grant the Administrators group full access, users that are members of that group will not have that token unless explicitly added by consenting to the UAC dialog. If you grant group xyz full access, then your user account does have that token and consequently the same permission.

So, what would you have to do to get the token? Run explorer.exe or cmd.exe (or whatever application you are using) as an administrator. This will temporarily add the access token to the process. Or deactivate UAC, but that's not ideal.

Daniel
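To see the effect described in the answers on a given server, the following added example (not code from either answer) lists the Allow entries on a folder and marks which of them match the token of the current PowerShell process. The `$Path` default is a hypothetical placeholder; run the script once in a normal session and once in an elevated one and compare the `MatchesToken` column for `BUILTIN\Administrators` and for the domain group.

```powershell
# Added example: which Allow ACEs on a folder apply to the CURRENT process token?
# $Path is a hypothetical placeholder; pass the real folder with -Path.
param([string]$Path = 'D:\Data\Share')

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

# IsInRole(Administrator) reflects the token of this process, not group
# membership in the directory: it only succeeds when the process is elevated.
$elevated = $principal.IsInRole($adminRole)

# SIDs that can satisfy an Allow ACE: the user SID plus the enabled groups.
# WindowsIdentity.Groups leaves out groups marked "use for deny only", which
# is how a UAC-filtered token carries BUILTIN\Administrators (S-1-5-32-544).
$activeSids = @($identity.User.Value) +
              @($identity.Groups | ForEach-Object { $_.Value })

Write-Host ("User: {0}   Elevated: {1}" -f $identity.Name, $elevated)

$acl = Get-Acl -LiteralPath $Path
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        # Resolve the ACE trustee to a SID so it can be compared with the token.
        try {
            $sid = $_.IdentityReference.Translate(
                [Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $null   # orphaned or unresolvable trustee
        }
        [pscustomobject]@{
            Identity     = $_.IdentityReference.Value
            Rights       = $_.FileSystemRights
            Inherited    = $_.IsInherited
            MatchesToken = ($null -ne $sid) -and ($activeSids -contains $sid)
        }
    } |
    Format-Table -AutoSize -Wrap
```

`whoami /groups` shows the same thing from the token side: in a non-elevated session the `BUILTIN\Administrators` row is listed as a group used for deny only.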