Windows – Why does removing the EVERYONE group prevent domain admins from accessing a drive

This is related to this question:

Domain Admins group denied access to d: drive

I have a member server in a brand new AD lab environment.

I have an Active Directory user ADMIN01 who is a member of the Domain Admins group
The Domain Admins global group is a member of the member server's local Administrators group
The following permissions are configured on the root of my new D: drive added after the server became a member of the domain:


    Everyone - Special Permissions - This folder only
      Traverse folder / execute file
      List folder / read data
      Read attributes
      Read extended attributes

    CREATOR OWNER - Special Permissions - Subfolders and files only
      Full Control

    SYSTEM - This folder, subfolders and files
      Full Control

    Administrators - This folder, subfolders and files
      Full Control

Under the above ACL's the domain user ADMIN01 can logon and access the D: drive, create folders and files and all is good.

If I remove the Everyone permission from the root of this drive then non-built-in users who are members of the Domain Admins (e.g. ADMIN01) group can no longer access the drive. The domain Administrator account is fine.

Local machine Administrator and the Domain Admin "Administrator" account still have full access to the drive, but any "regular" user who has been added to Domain Admins is denied access.

This happens regardless of whether I created the volume and removed the Everyone permission logged in as the local machine Administrator or whether I perform this logged on as the Domain Admin "Administrator" account.

As mentioned in my previous question, the work around is to disable the "User Account Control: Run all administrators in Admin Approval Mode" policy either locally on the member server or via a domain wide GPO.

Why does removing the Everyone account from D:'s ACL cause this problem for non-built-in users who are granted membership of Domain Admins?

Also why aren't these types of non-built-in Domain Admin users prompted to elevate their permissions rather than just being flat out denied access to the drive?

Best Answer

I have noticed this myself. What happens, is that UAC kicks in because you are using your "local administrators" membership to gain access to the drive, and this is excatly what UAC monitors for.

For file servers, my personal best practice is to never use the "Administrators" group to provide permissions for users.

Try this: Create an AD group called "FileServerAdmins" or whatever, add your user (or domain admin group) to it. Give this group access to the D-drive with the same permissions as the existing Administrators group.

You should notice that even after removing the "Everyone" permission any members of the "FileServerAdmins" group should still have access to the drive, without getting the UAC prompt.

I was a bit shocked myself when I discovered this a while back, it is defenitely a part of UAC that could use some revision...

Best Answer

Related Solutions

Windows – Why do the Application Compatibility Toolkit Data Collectors fail to write to the ACT Log Share

Security groups not allowing domain admin to view files

Related Topic