6

My fileserver running Windows Server 2008 has two logical drives; the C: drive contains all of the system and application data, and the D: drive contains all of the business data. There are several shares on the top level of the D: drive that are working fine. However...

When logged into the fileserver interactively via Remote Desktop, only the Domain Administrator and local Administrator accounts can browse the D: drive. I set up an account called "Maintenance" and added it to the local Administrators group, but when logged in with this user, I can't browse into the D: drive. The D: drive has the following permissions ACL:

Full Access - SYSTEM
Full Access - MACHINE\Administrators

It won't even let me view the ACL for the E: drive. So I tried taking ownership of the E: drive, then I can read the ACL, and "Effective Permissions" says that I have full access. But I still get this error message.

Location is not available
D:\ is not accessible.
Access is denied.
Kev
Nic

2 Answers

9

Sounds like UAC to me and access to the drive requires elevation - what happens if you run a cmd shell as Administrator (while running as your Maintenance account)? Can you see the contents of the drive then? Local Administrator and Domain Admins are automatically elevated when needed under 2008 by default, I don't think mere members of the administrators account are.

Edited to add:

You can modify this behaviour by Group Policy; however, bear in mind that the default is set that way intentionally. The specific policy you want to change is "User Account Control: Run all administrators in Admin Approval Mode" - you can find details on how to do this in this MSDN article.

Helvick
  • Yes, I can see the contents of the D: drive in a cmd session running as the local machine administrator. I tested this all in the maintenance account. Did you mean UAC as opposed to UNC? – Nic Oct 18 '09 at 20:12
  • I disabled UAC on the server, and the maintenance account no longer got an access denied message on the D: drive. I would prefer to leave UAC on, but this solves my problem for now. Thanks! – Nic Oct 18 '09 at 20:34
  • Doh - fixed the typo. – Helvick Oct 18 '09 at 23:23
  • I have a user member of the Administrators group that also triggers the UAC. I guess that only the built-in administrator account does not trigger the UAC. – Eduardo Molteni Oct 28 '11 at 01:58
  • Domain Admins are not automatically elevated (I am a member of Domain Admins, but when administering the file server I must be in an elevated process to see the contents of folders where my only rights are via the Domain Admin group). – Myrddin Emrys Jun 21 '12 at 12:56
0

http://technet.microsoft.com/en-us/library/cc731677(WS.10).aspx

Changes to tokens

When a user who is a member of the Administrators group in Windows® XP or Windows Server 2003 logs on to a computer, that user's token contains the Administrators group SID, and the user has the same permission as the Administrators group. In Windows Server 2008 and Windows Vista, if UAC is enabled, the Administrators SID is still present in the token but is set to Deny only. When performing access control, such an entry in the token is used only to deny access—in other words, to match Deny ACEs. Any Allow ACEs for that SID are ignored. That means that you are not truly an administrator all the time, even if you log on to the computer as one.
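
To see the split token described in the answers above on a given logon, the following PowerShell check (an added example, not part of the original posts) reports whether the current process is elevated, how the BUILTIN\Administrators SID appears in its token, and the registry values behind the Admin Approval Mode policies. It assumes PowerShell 2.0 or later and English-language `whoami` output; the function name `Get-UacTokenState` is hypothetical.

```powershell
# Added example: inspect the current process token for the UAC split.
# Assumptions: PowerShell 2.0+, English whoami output (CSV headers are localized).
function Get-UacTokenState {
    $adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

    # 1. Does this process hold the full administrator token?
    #    IsInRole ignores SIDs that are marked deny-only, so it returns
    #    $false for the filtered token of a non-elevated admin.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # 2. How is the Administrators SID flagged in the token?
    #    Filtered token: "Group used for deny only".
    #    Full token:     "... Enabled group, Group owner".
    $groups    = whoami /groups /fo csv | ConvertFrom-Csv
    $adminRow  = $groups | Where-Object { $_.SID -eq $adminSid }
    $integrity = $groups | Where-Object { $_.SID -like 'S-1-16-*' }

    # 3. Policy values that control the behaviour.
    #    EnableLUA = "Run all administrators in Admin Approval Mode".
    #    FilterAdministratorToken = "Admin Approval Mode for the Built-in
    #    Administrator account" (0 means that account gets a full token).
    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $key

    $attrs = '(Administrators SID not in token)'
    if ($adminRow) { $attrs = $adminRow.Attributes }

    $level = '(unknown)'
    if ($integrity) { $level = $integrity.'Group Name' }

    New-Object PSObject -Property @{
        User                     = $identity.Name
        Elevated                 = $elevated
        AdministratorsAttributes = $attrs
        IntegrityLevel           = $level
        EnableLUA                = $policy.EnableLUA
        FilterAdministratorToken = $policy.FilterAdministratorToken
    } | Select-Object User, Elevated, AdministratorsAttributes,
                      IntegrityLevel, EnableLUA, FilterAdministratorToken
}

Get-UacTokenState | Format-List
```

Run it once in a normal session and once in a console started with "Run as administrator" to compare the two tokens of the same account. An ACL that grants access only through Administrators, like the one on D:\ in the question, is satisfied only by the elevated token.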