0

I need two accounts on a Windows 2012 Server which can act as equally as administrators via Remote Desktop. Let's say I have created accounts Alice and Bob and they are both members of the the Group Administrators.

Now Alice creates some folders on D:. If Bob logs in he can view the files, add new folders and files but cannot modify existing files or add new files. If Bob looks at the permissions of the folders it says Administrators have Full Access.

I know about UAC and that Administrators are actually only Users when they use Windows Explorer. I have seen this

Server 2008 Set Administrators to own every new file

and this

https://social.technet.microsoft.com/Forums/windowsserver/en-US/43e7165b-2397-4b04-9f3e-bba0167cd4bb/cannot-edit-files-even-though-i-have-full-control-over-them?forum=winserverfiles

but none of them really give a solution for this simple problem. I do not want to disable UAC and folders should not be change ownership just because a file needs to be edited.

What's the best practice if two administrators should automatically have unlimited access to all current and future files of each other? If possible without having to confirm UAC prompts.

Community
  • 1
AndreasS
  • 101
  • 1

1 Answers1

1

You need to permission folders with a group that the required accounts are a member of that is not protected/subject to User Account Control.

Greg Askew
  • 35,880
  • 5
  • 54
  • 82
  • Thanks Greg! Is there a build in Group you would recommend for this? How do I know if a build in Group is subject to UAC? Or is it better to define a custom Group? – AndreasS Aug 10 '16 at 17:13
  • You should create your own security group for this purpose. Builtin Administrators is the only group I am aware of that is subject to UAC. – Greg Askew Aug 10 '16 at 17:20
  • I have never used groups but it was very simple. Works like a charm. Thanks for your assistance! – AndreasS Aug 16 '16 at 12:50