Windows – Can’t access shared folder in Windows Server 2012

windows

So I configured a brand new virtual machine on a server running ESXi 6 and installed Windows Server 2012. I have added Active Directory and DNS roles. I also created a shared folder, but I can't seem to access it using another computer in the network. It seems that if I remove the Everyone group in the sharing permissions and add another group such as Administrators, I can't access it at all using administrator accounts. For some reason, if I remove the Everyone group I can't access the shared folder at all, but if I add it back then I can access the shared folder.
I don't want Everyone to be able to have access, only domain admins should have access. But I can't seem to figure out why it is not working. Any ideas?

Best Answer

First, let me start with the fact that there are two permission types for shared folders in Windows and the security table that's checked when somebody accesses the shared resource takes into account both of these permission types.

And then let's clear up the permission types in Windows:

1st you have "share permissions" - accessed via (for example) right click on shared folder on server hosting it -> properties -> sharing -> advanced sharing -> permissions. By default you have the Everyone group here. Best practice is to remove Everyone group and add Authenticated users with full control permissions (I will clear out why below).

2nd you have "ntfs permissions" - accessed via (for example) right click on shared folder on server hosting it -> properties -> security. Since the resultant security policies take into account both permission types you just control the access to the folder here - you set up through your entire organisation shared permissions that give access to all authenticated users of your domain to the resource and set up the "actual" security via ntfs permissions - for example, add access only to domain admins.

By default Windows only allows users to access folders if they have permissions for it - meaning you don't ever need to use "deny" permissions to deny somebody access to a folder, if you didn't explicitly give them access to the folder they won't have it. So to make sure only domain admins can access that particular folder simply set up full control shared permissions for auth. users, add full control to the domain admins group via ntfs permissions and you'd be done.

PS - best recommendation again (also it's generally easier if you do it like this :)) is to set up 3 domain local groups per shared folder and assign them the following ntfs permissions on the folder - full control, write/modify, read only and simply add the users/groups to the respective access group - that way it's much easier to audit access to a folder, and to see which folders a user can access with what permissions.
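The two-layer setup described in the answer (share permissions as a wide gate, NTFS permissions as the real control), as an added PowerShell example that is not part of the original answer. It assumes the folder D:\Shares\Finance already exists, the domain NetBIOS name is CONTOSO (placeholder), and it is run elevated on the file server; the share and folder names are made up for illustration.

```powershell
# Added example, not from the original answer.
# Share layer: Everyone removed, Authenticated Users Full Control (the gate).
# NTFS layer: inheritance disabled, only Domain Admins (plus SYSTEM) allowed.
# Effective access is the MORE restrictive of the two layers, so the NTFS ACL decides.

$ShareName = 'Finance'              # constructed sample share name
$Path      = 'D:\Shares\Finance'    # constructed sample path, must already exist
$Domain    = 'CONTOSO'              # placeholder domain NetBIOS name
$AuthUsers = 'NT AUTHORITY\Authenticated Users'

# --- 1. Share permissions ---------------------------------------------------
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    # New share: grant only Authenticated Users at the share layer
    New-SmbShare -Name $ShareName -Path $Path -FullAccess $AuthUsers | Out-Null
} else {
    # Existing share: add Authenticated Users, then drop Everyone
    Grant-SmbShareAccess -Name $ShareName -AccountName $AuthUsers -AccessRight Full -Force | Out-Null
}
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null

# --- 2. NTFS permissions ----------------------------------------------------
$acl = Get-Acl -Path $Path
# Stop inheriting from the parent and discard the inherited ACEs, so nothing
# like "Users: Read" from D:\ leaks through onto the share
$acl.SetAccessRuleProtection($true, $false)
# Remove any remaining explicit ACEs so the folder starts from a clean slate
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $null = $acl.RemoveAccessRule($ace)
}
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
foreach ($identity in @("$Domain\Domain Admins", 'NT AUTHORITY\SYSTEM')) {
    # No Deny entries are needed: anyone without an Allow entry is refused by default
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $identity, 'FullControl', $inherit, $prop, 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# --- 3. Verify both layers --------------------------------------------------
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

For the three-group pattern from the PS, create domain local groups (for example with New-ADGroup -GroupScope DomainLocal) and use them as the identities in step 2 with FullControl, Modify and ReadAndExecute respectively, instead of Domain Admins directly.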