NTFS – Domain Admins don’t have permissions despite being part of the Local Administrators group

Tags: active-directory, ntfs, permissions, uac, windows-server-2008-r2

As per "Best Practices" staff in our IT department have two accounts. An unprivileged account and an account that is a member of the global Domain Admins ($DOMAIN\Domain Admins) group. On our file servers the Domain Admins group is added to the local Administrators ($SERVER\Administrators) group. The local Administrator group has Full Control granted on these directories. Pretty standard.

However, if I log in to the server with my Domain Admin account in order to descend into that directory I need to approve a UAC prompt that says, "You don't currently have permission to access this folder. Click continue to permanently get access to this folder." Clicking continue gives my Domain Admin account permissions on that folder and anything else underneath despite $SERVER\Administrators (of which I am a member via the Domain Admins group) already having Full Control.

Can someone explain this behavior and what the appropriate way to manage NTFS permissions for file shares is regarding Administrative rights with Server 2008 R2 and UAC?

Best Answer

Right, UAC is triggered when a program requests administrator privileges, such as Explorer requesting administrator privileges because that's what the NTFS ACLs on those files and folders require.

You have four options I'm aware of.

  1. Disable UAC on your servers.

    • I do this anyway (in the general case), and would argue that if you need UAC on a server, you're probably doing it wrong, because in general, only administrators should log onto servers, and they should know what they're doing.

  2. Manage the permissions from an elevated interface.

    • Elevated cmd window, PS window or Explorer instance all work for avoiding the UAC popup. (Run As Administrator)

  3. Manage the NTFS permissions remotely.

    • Connect over UNC from a machine that doesn't have UAC turned on.

  4. Create an additional non-administrative group that has full access in the NTFS ACLs to all the files and folders you want to manipulate, and assign your admins to it.

    • The UAC popup won't (shouldn't) be triggered, because Explorer will no longer require Administrative privileges, as access to the files is granted through another, non-administrative group.
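Option 4 as an added PowerShell example (not code from the answer above): it creates a plain security group, grants it an inheritable Full Control ACE on the share root, and then verifies the result. CONTOSO, FileAdmins, jdoe-admin and D:\Shares\Data are placeholders to replace with your own values.

```powershell
# Added example, not from the original post. Assumed placeholders:
# CONTOSO\FileAdmins is a global group that carries no admin rights,
# jdoe-admin is the admin's privileged account, D:\Shares\Data the share root.
Import-Module ActiveDirectory

$Domain    = 'CONTOSO'          # placeholder domain NetBIOS name
$GroupName = 'FileAdmins'       # placeholder non-administrative group
$SharePath = 'D:\Shares\Data'   # placeholder share root

# 1. Create the plain security group and put the admin accounts in it.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Full Control on file shares without Administrators membership'
}
Add-ADGroupMember -Identity $GroupName -Members 'jdoe-admin'   # placeholder account

# 2. Grant the group Full Control, inherited by all subfolders (ContainerInherit)
#    and files (ObjectInherit) below the share root.
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "$Domain\$GroupName",
    'FullControl',
    'ContainerInherit, ObjectInherit',
    'None',
    'Allow'
)
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 3. Verify: confirm the ACE exists at the root and list any subfolder whose
#    inheritance is disabled, because those will not receive the new ACE.
function Test-ShareAcl {
    param([string]$Path, [string]$Identity)
    $root   = Get-Acl -Path $Path
    $hasAce = $root.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.FileSystemRights -eq 'FullControl' -and
        $_.AccessControlType -eq 'Allow'
    }
    $broken = Get-ChildItem -Path $Path -Recurse -Directory |
        Where-Object { (Get-Acl -Path $_.FullName).AreAccessRulesProtected }
    [pscustomobject]@{
        RootHasFullControl  = [bool]$hasAce
        InheritanceBrokenAt = $broken.FullName
    }
}
Test-ShareAcl -Path $SharePath -Identity "$Domain\$GroupName"
```

Run this from an elevated session, since writing the ACL itself still needs the Administrators token; afterwards a non-elevated Explorer session is authorized through the FileAdmins SID, which UAC token filtering leaves intact, so the prompt no longer appears.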