Security – Windows 2008 R2 NTFS file permissions not working as intended

Tags: file-sharing, ntfs, permissions, security, windows-server-2008-r2

We just got our first Windows Server 2008 R2 server in. It's going to be a file server. However, I am running into a weird issue with it that seems to be a result of UAC.

When I try to share a folder, I set the Everyone group to "Full Control" on the share permissions. I then set up the NTFS permissions so they don't inherit from the default security descriptors you get when you format an NTFS volume, and I choose to remove the current descriptors so I can set up my own. I set it up so that the local Administrators group has full control, the domain\Domain Admins group has full control, and the SYSTEM built-in user has full control.

When I do this, I lose permissions to the folder as a domain administrator. What is causing this to happen? The machine has been joined to the domain and the Domain Admins group is part of the local administrators group (not that that should matter anyway since I specifically have the domain admins in the NTFS permissions).

This is what the default NTFS security descriptors look like:

This is what the modified security looks like:

Why would this cause the logged on domain administrator and any other domain admin to lose access? This behaviour is not seen on a Windows Server 2003 machine.

Edit: I've done some more testing and it appears only the logged on user of that machine is denied access, even though the user logged on is a member of the Domain Admins group. A Domain Admin has no problem accessing the share through the network.

Edit 2: Alright, so thank you to Zoredache below, I was able to get on the right track and figure out what was going on. It was indeed UAC, but not the default UAC settings that come on Windows Server 2008 R2. We actually have a domain-wide UAC group policy object that was changing the default settings on the server.

These are the default settings:

And this is what the settings on the GPO were:

Since the GPO takes precedence over local security policy, this is what was stopping me from seeing the NTFS permissions or gaining access to the folder.

I've fixed this behaviour by simply making a new UAC GPO and WMI filtering it to servers only.
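A diagnostic that a practitioner can run in the interactive session on the affected server to see whether that session's token is UAC-filtered and which UAC policy values are actually in effect. This is an added example, not code from the original question or answer; the registry key and value names are the standard UAC policy locations, and the deny-only check relies on the output format of `whoami /groups`.

```powershell
# Added diagnostic (not from the original post): shows whether the current
# logon session runs under a UAC-filtered (non-elevated) token and which
# effective UAC policy values apply on this machine.

# 1. Effective UAC policy. UAC settings delivered by GPO are written to the
#    same key as the local security policy, so this shows what the domain
#    GPO pushed, not just the out-of-the-box defaults.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
[pscustomobject]@{
    EnableLUA                  = $uac.EnableLUA                  # 1 = UAC enabled
    ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin # elevation prompt mode for admins
    FilterAdministratorToken   = $uac.FilterAdministratorToken   # Admin Approval Mode for built-in Administrator
} | Format-List

# 2. Is this process holding the full administrative token?
#    Under a filtered token the Administrators role check returns False.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Elevated token: $elevated"

# 3. Which groups in the token are marked 'deny only'?
#    A deny-only group still matches Deny ACEs but can never satisfy an
#    Allow ACE. That is why an ACL granting access only to Administrators,
#    Domain Admins and SYSTEM locks out the interactively logged-on admin
#    until the process is elevated, while the same admin coming in over the
#    network (no filtered token) gets in without trouble.
whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.Attributes -match 'deny only' } |
    Select-Object 'Group Name', SID, Attributes |
    Format-Table -AutoSize
```

Run it once from a normal PowerShell window and once from an elevated one: the deny-only list should be non-empty in the first case and empty in the second.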

Best Answer

You are right about mentioning the UAC. This is a feature. See this for how to disable the UAC.

Administrator File Modification Privilege