Windows file permissions - Admin permissions don't seem to work as expected / access denied

Question

I have just inherited a server and I have an issue accessing some folders. I usually get this solved "in the end", usually by forcing a takeown command and then starting from scratch - but, it's annoying me and I would really like to understand why this going on.

I created a new user for myself with all the standard admin groups:

If I go to the drive holding everyone's profiles, I can see that the folders all have:

The user with full access
3 different admin users with full access
The administrator group with full access (which I am a member of).

When I click on the folder, despite being a member of the admin group, I am presented with:

If I do continue, and then look back at the folder's permissions, it has added me as an individual.

Taking the above in to consideration, my questions are:

Why does it add me as a user and not just let me in through the group I am a member of after clicking continue (above)?
At random, I get errors accessing folders within the folder - If I try to go to advanced security and add myself, then I do the "replace all child object permissions", why does it randomly give me access denied on some child items?
Why is it that even if I try to force taking ownership, I also get access denied (as an administrator)?

In the end, as I said above, I usually just end up doing a recursive takeown, but, I just feel like I am missing something here - I don't get why something seemingly simple gets complicated.

https://serverfault.com/questions/521921/ https://serverfault.com/questions/936363/ — Zoredache, Jan 06 '19 at 04:30
https://www.reddit.com/r/sysadmin/comments/5fxghz/psa_to_file_server_admins_have_uac_enabled_ever/ — Zoredache, Jan 06 '19 at 04:36

score 3 · Accepted Answer · answered Jan 06 '19 at 04:28

Why does it add me as a user and not just let me in through the group I am a member of after clicking continue

Your primary problem here is that you almost certainly have the UAC enabled on that system. Your administrator privileges are filtered away when using the file explorer for your protection.

If you view that share from a remote system the UAC filtering wouldn't apply.

When it comes to file servers with shares holding home dirs and profiles it is easier to just manage things remotely, or through the CLI. Disabling UAC is a bad idea, but that also would solve the problem.

You could also create a group other the than the build in Administrators/Domain Admins, and use that group in your ACLs. Only the built in admin groups are filtered away by the UAC.

FFS, been using Windows since 3.1 as an admin... can't believe UAC is still confusing me sometimes... can't believe that's all this is :( Well, I think I can guess the other questions I had from this! — wil, Jan 06 '19 at 15:44

Windows file permissions - Admin permissions don't seem to work as expected / access denied

1 Answers1