0

In Windows Server 2008, I have a shared folder.

For my username: NTFS permission (read/modify) Share Permissions (read/modify)

Result when trying to access the share: I can traverse directory and read files, but I cannot write files. When I try to examine my effective permissions, it says "Windows can't calculate the effective permissions for [My Username]".

The folder is owned by the Administrators group (the default), and NTFS read/write permissions are granted to my username, which is a member of the Administrators group.

I notice that to make any changes to the folder locally require me to acknowledge a UAC prompt. Why does that prompt appear?

I also tried creating a new group, giving it full NTFS permissions, and full control in the shared permissions, and added my username to the group. The result is even worse... I cannot even traverse the shared folder directories or read anything at all.

Triynko
  • 3,418
  • 6
  • 31
  • 30
  • Can you examine the permissions the user has on the files/folders using XCALCS and see if they line up with what the GUI is showing? http://technet.microsoft.com/en-us/library/cc773004(WS.10).aspx#BKMK_Xcacls – ITGuy24 Nov 02 '09 at 14:48
  • Are you saying that Windows Server 2008 cannot properly read and display or edit permissions correctly out-of-the-box? – Triynko Nov 02 '09 at 14:56
  • I used the icacls that comes with Windows Server 2008. It lists the same permissions. xcacls is a VBScript, and requires yet another command line-utility to run that... so I'm not touching it. – Triynko Nov 02 '09 at 15:14
  • Your NTFS permissions seem correct, what are the *share* permissions? – Wayne Hartman Nov 02 '09 at 15:48
  • Is this part of a domain? If so is the account you are using a member of the Domain Admins or just a member of local Admins? The explicit local administrator and Domain Admins will automatically elevate (no-UAC prompt), other local admins will not. – Helvick Nov 02 '09 at 16:18
  • The server is not on a domain. The Share Permissions, as I said, are read and modify. I also used "net use \\machename\sharepath /user:username password" after using the "/d" (disconnect) option to make absolutely sure I was connected to the server with the correct username. – Triynko Nov 02 '09 at 17:32

1 Answers1

1

This is how UAC works. You will find lots of documentation on UAC but they all forget to mention one thing (below).

If you are a member of the builtin administrators group and try to access a folder that allows this group to do so UAC expects you to access it in an elevated mode. If though your direct account had access to it or any other group did it would work fine (assuming you are a member of it). This issue only seems to affect the special builtin adminstrators group.

So you are meant to acces it in an elevated windows explorer right?? No, it doesn't work. Explorer is the only program that does not work from an elevated prompt, it is bugged.

Full article and work arounds I found here. It took me ages to find it http://think-like-a-computer.com/2011/05/11/uac-access-denied-on-folders-for-administrators-windows-2008/

Mucker
  • 382
  • 2
  • 10