Domain Admins group permissions not applying

  • Domain Admins group permissions not applying

    Hello everyone,

    I am attempting to apply NTFS permissions on a virtualized Windows Server Standard 2008 and for some reason am encountering an issue where I cannot grant access to the Domain Admins group.

    Share permissions are set to "Everyone\Full Control."

    NTFS permissions are set to Domain Admins\Full Control, with Domain Users granted read/write (Read & execute, List folder contents, and Read).

    When I do a whoami /groups, it shows that my account is a member of the Domain Admins group, but I cannot access the folder without overriding the permissions (I get the "You don't currently have permission" dialog box, with the option of permanently gaining access by individually adding my user account to the ACL).

    Note that if I create a group and give it full access, it works just fine, so I can work around the issue by creating domain\IT_Admins and giving it full access, but I'm curious if I'm doing something wrong or if something is screwed up with that user group or with AD. Also, fwiw, I can grant full access to Domain Users, and that works without issue, but granting full access to Administrators does not.

    I wouldn't think it would have any impact, but the DC and the file server are both virtualized servers in a VMware ESXi environment, version 4.1.0.

  • #2
    Re: Domain Admins group permissions not applying

    I might also add that if I look at the "Effective Permissions" tab, it shows that Domain Admins has full control, yet that is obviously not the case.


    • #3
      Re: Domain Admins group permissions not applying

      It is an expected behavior that is part of UAC:
      Members of any of the default groups for administrators (local administrators, domain admins, etc.*) are denied access to resources that explicitly require you to be a member of that admin group (like you have configured using the 'domain admins' group in the security settings on the folder), unless you specifically started the process (Explorer, command prompt or application) used to access the resource with the 'run as administrator' option.

      In order to allow elevation for administrators when the process is started normally, you should create a new group. You can nest the admins group into the new group. Now use the new group to set the permissions on the folder, instead of using the admins group.

      *) A list of all the Windows default admin groups that will be denied access this way is shown at 3:35 in this TechEd video: If you can make time for it, I would recommend watching the full video.

      Additionally, you might also like to change UAC's behavior of the elevation prompt for administrators to Elevate without Prompting. Note: This can only be configured with a GPO or local security Policy.

      Last edited by Rems; 14th August 2012, 07:57.

      This posting is provided "AS IS" with no warranties, and confers no rights.


      ** Remember to give credit where credit's due **
      and leave Reputation Points for meaningful posts
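
The behaviour described in reply #3, as an added example that is not part of the original thread: a simplified Python model of the access check against a UAC-filtered token, where filtered admin groups stay in the token as deny-only and so never satisfy an allow entry. Group names stand in for SIDs, `DOMAIN` is a placeholder, the ACLs are constructed, and the filtered-group list is illustrative rather than complete.

```python
# Simplified model of the Windows access check against a UAC-filtered token.
# Group names stand in for SIDs; all sample data below is constructed.
from dataclasses import dataclass

FULL = 0b111  # toy access mask standing in for Full Control

# Groups kept in the filtered token as deny-only (per reply #3; not exhaustive).
UAC_FILTERED = {"BUILTIN\\Administrators", "DOMAIN\\Domain Admins"}

@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # group name standing in for a SID
    mask: int

def build_token(groups, elevated):
    """Map each group to True (enabled) or False (deny-only)."""
    return {g: elevated or g not in UAC_FILTERED for g in groups}

def access_check(token, dacl, desired):
    """Walk ACEs in order: deny ACEs match any group in the token,
    allow ACEs match only enabled groups (deny-only ones are skipped)."""
    granted = 0
    for ace in dacl:
        if ace.trustee not in token:
            continue
        if ace.kind == "deny":
            if ace.mask & desired & ~granted:
                return False
        elif token[ace.trustee]:
            granted |= ace.mask
        if granted & desired == desired:
            return True
    return False

# Constructed memberships for the admin account in the thread.
ADMIN_GROUPS = ["DOMAIN\\Domain Users", "DOMAIN\\Domain Admins", "DOMAIN\\IT_Admins"]
# Only the admin entry of each ACL is modelled.
ORIGINAL_DACL = [Ace("allow", "DOMAIN\\Domain Admins", FULL)]
WORKAROUND_DACL = [Ace("allow", "DOMAIN\\IT_Admins", FULL)]

if __name__ == "__main__":
    for name, dacl in (("original", ORIGINAL_DACL), ("workaround", WORKAROUND_DACL)):
        for elevated in (False, True):
            token = build_token(ADMIN_GROUPS, elevated)
            state = "elevated" if elevated else "filtered"
            print(f"{name:10} {state:8} full control: {access_check(token, dacl, FULL)}")
```

On a real system, `whoami /groups` run from a non-elevated prompt marks the affected groups with the attribute "Group used for deny only", which is the state the `False` entries in the modelled token represent.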