0

My company is experiencing a number of odd behaviors with our file server (Windows 2008 R2). One issue I'm running into is with permissions, specifically permissions for the user group:Domain Admins (which I am a member).

When I try to access the folder, I'm presented (one time) that "You don't currently have permission to access this folder. Click continue to permanently get access to this folder." Once I click Continue I'm allowed to proceed, but find that my (specific) user account has been added to the NTFS permissions.

Maybe I'm misunderstanding how NTFS permissions work, but if my domain account is a member of the Domain Admin's group, shouldn't I be able to access the folder without needing to add my account individually?

David
  • 157
  • 1
  • 1
  • 10
  • 1
    Are you receiving this message on the server directly? Or from a client computer? Your description is not of a problem but of a design. When logged on to the server, or any windows computer, you are NOT an administrator. User Account Control gives you a standard user token. This is an extremely annoying problem I am well familiar with. That is why I disable UAC on all Windows Servers. It is completely useless and causes utter insane behavior with trying to manage permissions like this. Leave UAC on for clients. Disable it on servers. You only allow qualified people on your server, right? – Appleoddity Feb 02 '19 at 06:19
  • That specific message is when I try to access the folder locally. When access via UNC path, I get the message "Windows cannot access \\server\share\subfolder. You do not have permission to access \\server\share\subfolder." Again, shouldn't I be able to access the share because I'm a member of the group that has access to the folder? That's how you're supposed to give access to folders - assign a user to a group, add that group to the NTFS permissions of the folder. Or I could be wrong. :) – David Feb 05 '19 at 16:33
  • And, yes, you are absolutely correct about it being a problem of design. Or the lack of design. I'm hoping to alleviate that issue in the next iteration but I'm having a tough time tracking down good examples to follow. There's a lot of documentation on why you should do it "this way", but nothing definitive on how? – David Feb 05 '19 at 16:37
  • 1
    The problem should not occur remotely. There is NTFS permissions, but there is also “Share” permissions. Be sure to set both. Best practice says to set share permissions to everyone:Full. Then control access with NTFS permissions. UAC doesn’t affect remote access like you describe but it does affect mapped network drives and script behavior if you don’t have “enablelinkedconnections” turned on: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee844140(v=ws.10) – Appleoddity Feb 05 '19 at 22:00

1 Answers1

3

This is a function of User Account Control.

You can do one of the following to resolve/workaround this:

  1. Disable UAC on the server.

  2. Access the folder from the network rather than locally.

  3. Add your user account to another group that has the appropriate NTFS permissions on the folder.

joeqwerty
  • 109,901
  • 6
  • 81
  • 172