Active Directory Default Domain User permissions

I have noticed this myself. What happens, is that UAC kicks in because you are using your "local administrators" membership to gain access to the drive, and this is excatly what UAC monitors for.

For file servers, my personal best practice is to never use the "Administrators" group to provide permissions for users.

Try this: Create an AD group called "FileServerAdmins" or whatever, add your user (or domain admin group) to it. Give this group access to the D-drive with the same permissions as the existing Administrators group.

You should notice that even after removing the "Everyone" permission any members of the "FileServerAdmins" group should still have access to the drive, without getting the UAC prompt.

I was a bit shocked myself when I discovered this a while back, it is defenitely a part of UAC that could use some revision...

This can be caused by a number of things. The the three most obvious are:

1) The delegation is not inheriting correctly down the OU structure. Inspect the permissions of an actual user account object or sub-OU in AD and make sure that the group that you are delegating to is listed correctly.

2) You did not delegate the correct permissions. For simple operations like Reset Password, there are pre-defined ACEs in the delegation wizard. Run the delegation wizard on the appropriate OU and check the "Reset user password" option. This will simplify your direct interaction with the AD permissions to rule this out.

3) The user account that you are trying to reset might be protected from permission inheritance. This happens if they are a member of certain built-in AD groups. Inspect the user account in question and make sure that the admincount attribute is 0. If it is 1, then it means that it is or was a member of a protected group, such as Account Operators or Backup Operators. Active Directory does not allow permissions to inherit to these accounts.