-2

I have a Windows 2012 R2 server where local administrator accounts (or at least one particular one) cannot access the "System Volume Information" folder. This works for the same account with the same exact permissions on another server. We use a program that scans the server's local disks which I am sure uses the backup privilege in doing so because it is normally able to bypass NTFS ACLs, but not in this case.

These are the things that I verified all the servers (working and non-working) have in common: The (service) account in question is a member of the local administrators group. The folder permissions are exactly the same (default): Allow Full Control to SYSTEM, applies to this folder, subfolders and files. UAC is also completely disabled. This to me indicates that this local admin account is not able to exert the backup privilege on this server for some reason.

My question is mainly how can this happen, and what can I do to troubleshoot it? I don't know enough about this depth of Windows security mechanisms to even know where to start. If an account is a local administrator I would expect this to work. I've searched high and low and don't see anything out of the ordinary with security groups, NTFS permissions, or group policies. I've also searched the net but unfortunately haven't been able to find anyone mentioning this kind of scenario or anything related that gives me a clue. Any help would be appreciated.

Please note that some other folders on this server suffer from the same issue, but I'm specifically discussing the System Volume Information folder because it is present and has the same default permissions on all the servers, making it easier to compare. Also, I have now checked the user rights assignments in the local security policy of the server with the issue, and it does have the "Back up files and directories" policy set to Administrators and Backup Operators, which seems to be the default.

optic
  • SYSTEM is not a privilege level. It's a built in role account. Giving the SYSTEM account permissions to something does not give any other account permissions to that thing. See: https://support.microsoft.com/en-us/help/120929/how-the-system-account-is-used-in-windows – Todd Wilcox Feb 12 '18 at 19:32
  • How is the scanning program run? Are we talking about a local service which scans remote machines, or something running on the remote machines themselves? – Tom Feb 12 '18 at 19:43
  • Not that you know (although you might), but I'm curious why this program is scanning the file system in the first place if it's reporting on disk usage/free space. – joeqwerty Feb 12 '18 at 20:22
  • Thanks everyone. I guess my question wasn't worded very accurately/clearly, so I've edited it to hopefully improve it. – optic Feb 12 '18 at 21:20
  • Todd, I realize that and had read the article you linked, but just didn't have the proper terminology to ask the question more clearly. I've modified it. The point is that the local admin account isn't able to access a local folder bypassing NTFS ACLs, when it clearly should be able to do so. – optic Feb 12 '18 at 21:21
  • Joeqwerty, I do know - it's because this program keeps a history of the size of all folders on the drive, not just the overall disk space usage. – optic Feb 12 '18 at 21:23
  • Tom, this is a domain service account that is a member of the local administrators' group on each of the servers it scans. The program runs from a separate machine that has the scanning software installed, and it scans the servers' drives remotely. – optic Feb 12 '18 at 21:25
  • Can anyone give me a pointer, any guess as to why my question is being voted down? – optic Feb 12 '18 at 21:55

2 Answers

1

One possible cause may be that the application/code leverages backup privilege, and the account used does not have backup privilege on that server.

Accounts/applications that possess and use backup privilege bypass file system permissions.

Members of Administrators and Backup Operators groups have backup privilege by default.

Greg Askew
  • Thanks Greg. I think that that's what the issue boils down to, so your post helped me clarify my question. This account is a member of the local administrators group but seems unable to leverage the backup privilege (or whatever allows an admin account to bypass NTFS ACL) on this particular server. This works on all other servers that are seemingly configured the same way, so I hope I can find out what is causing this not to work on this particular server. – optic Feb 12 '18 at 21:28
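
One way to check, on the affected server, whether an account's logon token actually carries the backup privilege described in the answer above. This is an added example, not part of the original answer or thread; it assumes an elevated PowerShell session logged on as the account under test, and all variable names are illustrative.

```powershell
# Added diagnostic; run elevated, logged on as the account under test (assumption).
$ErrorActionPreference = 'Stop'
$adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# 1. Principals that local policy grants "Back up files and directories".
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$entry = Get-Content $cfg | Where-Object { $_ -match '^SeBackupPrivilege\s*=' } |
         Select-Object -First 1
Remove-Item $cfg
$grantedSids = @()
if ($entry) {
    $grantedSids = ($entry -split '=', 2)[1].Split(',') | ForEach-Object {
        $v = $_.Trim()
        if ($v.StartsWith('*')) { $v.TrimStart('*') }    # SID form: *S-1-5-...
        else {                                            # name form: resolve to a SID
            try { ([Security.Principal.NTAccount]$v).Translate(
                      [Security.Principal.SecurityIdentifier]).Value }
            catch { $v }                                  # keep unresolved names as-is
        }
    }
}

# 2. SIDs and privileges in the token this session was logged on with.
$id     = [Security.Principal.WindowsIdentity]::GetCurrent()
$groups = whoami /groups /fo csv /nh |
          ConvertFrom-Csv -Header Name,Type,Sid,Attributes
$priv   = whoami /priv /fo csv /nh |
          ConvertFrom-Csv -Header Name,Description,State |
          Where-Object { $_.Name -eq 'SeBackupPrivilege' }
$tokenSids = @($id.User.Value) + @($groups | ForEach-Object { $_.Sid })

# 3. Compare what policy grants with what the token actually holds.
[pscustomobject]@{
    Account          = $id.Name
    PolicyGrantsTo   = $grantedSids -join ', '
    GrantedViaToken  = ($grantedSids | Where-Object { $tokenSids -contains $_ }) -join ', '
    AdminsInToken    = ($groups | Where-Object { $_.Sid -eq $adminsSid }).Attributes
    PrivilegeInToken = [bool]$priv
    PrivilegeState   = $priv.State   # "Disabled" = held, not yet enabled by the program
}
```

If policy grants the right to Administrators but `AdminsInToken` is empty or `PrivilegeInToken` is false, the token this logon received does not carry what the policy would give it; tokens are built at logon, so membership or policy changes only appear in a new logon session. A `PrivilegeState` of Disabled is normal, since the privilege only bypasses ACLs once the program enables it and opens files with backup semantics.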
0

It turns out that it was just a glitch after all. I removed the account in question from the local administrators group and re-added it, and it worked after that.

optic
  • I realize that this could probably be considered a bad use of serverfault since it turned out to be something simple that could have been resolved with a routine troubleshooting step. However, I'm still curious why the question was downvoted out of the gate, without any comment. – optic Feb 13 '18 at 22:24