This is related to this question:

Domain Admins group denied access to d: drive

I have a member server in a brand new AD lab environment.

  • I have an Active Directory user ADMIN01 who is a member of the Domain Admins group

  • The Domain Admins global group is a member of the member server's local Administrators group

  • The following permissions are configured on the root of my new D: drive added after the server became a member of the domain:

    Everyone - Special Permissions - This folder only
      Traverse folder / execute file
      List folder / read data
      Read attributes
      Read extended attributes

    CREATOR OWNER - Special Permissions - Subfolders and files only
      Full Control

    SYSTEM - This folder, subfolders and files
      Full Control

    Administrators - This folder, subfolders and files
      Full Control

Under the above ACLs the domain user ADMIN01 can log on and access the D: drive, create folders and files, and all is good.

If I remove the Everyone permission from the root of this drive, then non-built-in users who are members of the Domain Admins group (e.g. ADMIN01) can no longer access the drive. The domain Administrator account is fine.

Local machine Administrator and the Domain Admin "Administrator" account still have full access to the drive, but any "regular" user who has been added to Domain Admins is denied access.

This happens regardless of whether I created the volume and removed the Everyone permission logged in as the local machine Administrator or whether I perform this logged on as the Domain Admin "Administrator" account.

As mentioned in my previous question, the work around is to disable the "User Account Control: Run all administrators in Admin Approval Mode" policy either locally on the member server or via a domain wide GPO.

Why does removing the Everyone account from D:'s ACL cause this problem for non-built-in users who are granted membership of Domain Admins?

Also why aren't these types of non-built-in Domain Admin users prompted to elevate their permissions rather than just being flat out denied access to the drive?

Kev

2 Answers

I have noticed this myself. What happens is that UAC kicks in because you are using your "local administrators" membership to gain access to the drive, and this is exactly what UAC monitors for.

For file servers, my personal best practice is to never use the "Administrators" group to provide permissions for users.

Try this: Create an AD group called "FileServerAdmins" or whatever, add your user (or domain admin group) to it. Give this group access to the D-drive with the same permissions as the existing Administrators group.

You should notice that even after removing the "Everyone" permission any members of the "FileServerAdmins" group should still have access to the drive, without getting the UAC prompt.

I was a bit shocked myself when I discovered this a while back; it is definitely a part of UAC that could use some revision...

Trondh
  • The more I stumble on crazy UAC-related issues (i.e., almost daily), the more I want to perform a code revision on its developers' brains... – Massimo May 27 '15 at 17:04
It appears I'm not alone in encountering this problem. The issue at stake seems to be that non-built-in users who are Domain Admins aren't quite the full shilling when it comes to UAC and seem to be treated "specially":

Windows Server 2008 R2 and the UAC

UAC and Domain Admins permissions issue on Windows 2008 - Part 1

UAC and Domain Admins Permissions Issue or Pocket Full of Kryptonite - Part 2

The key paragraph from the last link explains:

Basically, [non-built-in users who are - (added by me)] Domain Admins, unlike ALL OTHER USERS, are given two tokens. They have the full access token (like everyone else) and a second access token referred to as the filtered access token. This filtered access token has the administrative powers removed. Explorer.exe (ie the root of all) is started with the filtered access token, and thus everything is started with it.

Think of it is as RUNAS in reverse. Rather than being a Domain Admin you are reduced to peon status. It is, in effect, kryptonite.

Kev
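Both answers come down to the same token behaviour. The PowerShell below is an added example (not from the question or either answer) that checks whether the current session is running on the filtered token described in the quoted paragraph, and applies the dedicated-group workaround from the first answer. The domain name CONTOSO, the group FileServerAdmins and the D:\ path are placeholder assumptions.

```powershell
# Added example; run on the member server. Placeholders: CONTOSO, FileServerAdmins, D:\

function Test-FilteredAdminToken {
    # Reports whether BUILTIN\Administrators is in the token at all, and whether it
    # is effective. On the UAC filtered token the SID is still listed but carries the
    # "use for deny only" attribute (whoami /groups shows "Group used for deny only").
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal $identity
    $adminSid  = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

    $hasAdminSid = [bool]($identity.Groups | Where-Object { $_.Value -eq $adminSid })
    # IsInRole ignores deny-only SIDs, so it is false on the filtered token even
    # though the group is present. The built-in Administrator (RID 500) is exempt
    # from Admin Approval Mode by default, which is why it is unaffected above.
    $isEffective = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    [PSCustomObject]@{
        User                    = $identity.Name
        AdministratorsInToken   = $hasAdminSid
        AdministratorsEffective = $isEffective
        FilteredToken           = ($hasAdminSid -and -not $isEffective)
    }
}

function Grant-FileServerAdmins {
    # Workaround from the first answer: grant a dedicated AD group the same rights
    # the Administrators entry has (Full Control, this folder, subfolders and files),
    # so members no longer depend on the filtered Administrators membership.
    param(
        [string]$Path  = 'D:\',
        [string]$Group = 'CONTOSO\FileServerAdmins'   # placeholder AD group
    )
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Group, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl   # needs WRITE_DAC: run from an elevated prompt
    # Return the new entry so it can be compared with the Administrators entry.
    (Get-Acl -Path $Path).Access | Where-Object { $_.IdentityReference.Value -eq $Group }
}

Test-FilteredAdminToken
# Grant-FileServerAdmins   # uncomment once the placeholder group exists in AD
```

In a normal (non-elevated) window for a Domain Admin user the first function reports `AdministratorsInToken = True`, `AdministratorsEffective = False`, `FilteredToken = True`; after granting the dedicated group, access to D:\ no longer depends on that filtered membership.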