From: Bonno Bloksma on
Hi, Meinolf,

> Please post all configured share and NTFS permissions on the d-drive here.

As the disk is practically blank and I am on a remote session console....
There is no other share than the default D$ share but I'm not using it.
Permissions on the D: disk are now:
CREATOR OWNER (special) = Default
SYSTEM (FC) = Default
Domain Admins (FC) = Added by me
Administrators (FC) = Default

Settings in local policy are:
UAC: Admin approval Mode for the built-in.... Disabled
UAC: Allow UIAccess applications ... Disabled
UAC: Behavior of the elevation prompt for Administrator ... Prompt for consent
UAC: Behavior of the elevation prompt for standard users ... Prompt for credentials
UAC: Detect application installations and ... Enabled
UAC: Only elevate executables that are signed... Disabled
UAC: Only elevate UIAccess applications that are... Enabled
UAC: Run all Administrators in Admin Approval mode Enabled
UAC: Switch to the secure desktop when ... Enabled
UAC: Virtualize file and registry ... Enabled.

As far as I know we have not enabled any Vista/Win2k8 setting in our policies. We are very reluctant
to do anything with GPOs as they always seem to have more effect than intended. :-(
When logged on as Domain Admin trying to access the D: disk on the server I get a flat deny, no
prompt.

Different server:
On another server I have so far circumvented the problem by leaving all default permissions in place
but that means EVERYONE has rights to the root directory. Which is not too big a problem as D$ and
Remote console is only open to Administrators, but still....

On the subdirectories, which I share to my users, I then block inheritance and add all permissions I
want. Group "Administrators" has Full Control. I can access the directory as normal users have
permission to read the directory/files. But....
If I create a text file (using notepad) on my client machine and store it in the directory where
"Administrators" has write permissions there is no problem.
If I use notepad on the server to save a file to that same directory I get a permission denied. "You
don't have permission to save in this location." etc.
I get no UAC prompt to ask me if I want to save the file, just a flat denied.
If I right click in the directory and select create new directory I get a UAC prompt, select yes and
I can create the directory.

Seems there is something really wrong with the way UAC works on Windows 2008 servers. The only
solution is probably to disable it completely.


>>>> The really weird stuff starts when I want to go to the D: drive, which is just a second primary
>>>> partition on the array. With the standard permissions assigned by Windows, where normal users have
>>>> permission to access the root of the drive, I can access the drive as well.
>>>> When I remove the permission for normal users and leave everything else in place, I as domain admin
>>>> have NO ACCESS to open the root directory of the D: drive. :-(
>>>> I have tried removing the server from the domain and adding it to the domain once more, no go.
>>>> I have deleted the partition and added it once more, no go. As soon as I remove the rights for
>>>> normal users I cannot access the drive anymore.
>>>>
>>> What you see belongs to the UAC settings. Except the local
>>> administrator/domain administrator account, all domain admins
>>> belong to UAC.
>>>
>> So far I understand what you mean but...
>>
>>> So either reconfigure (LOWER) the security settings by disabling UAC
>>> or use the GPO settings in: Computer configuration, windows settings,
>>> security settings, local policies, security options, in the right
>>> pane you will find a detailed option for configuration of the UAC.
>>>
>> I have found those options and indeed I can disable the UAC altogether
>> for the domain admins but...
>> If it is indeed a UAC thing then why am I completely denied access to
>> the root of the D: drive instead of just getting a UAC prompt?
>> Why does the system not even ask me whether the action I want to
>> perform is indeed what I want?
>> Bonno Bloksma
>>