NTFS Rights Issue with UAC, logged on with Domain Admin Account
Error: “You don’t currently have permission to access this folder. Click Continue to get access to this folder.”
If you click Continue, the currently logged-on user account is granted security permissions on the folder. This is not a good idea: the folder permissions will get messy quickly if many domain admin accounts access folders on the server. So, what is really going on?
Here’s how to recreate the issue:
1) Create a new account in Active Directory and add it to the Domain Admins security group.
2) Create a Windows Server 2008 server and join it to the domain.
3) By default, the Domain Admins security group is added to the local Administrators group when the server is joined to the domain.
4) User Account Control (UAC) must be left enabled.
5) Log on to the server with the account created in step 1 (not the built-in Administrator account for the domain).
6) Create a new folder on the hard drive.
7) Edit the security permissions: remove the inheritable permissions from the parent object and add the local Administrators group and SYSTEM, giving them Full Control.
8) When you try to open the folder, an error says you do not have permission to access it.
9) Click Cancel. If you click Continue, the currently logged-on user account is granted security permissions on the folder, which gains access, but it leaves the folder permissions messy.
10) There is NO option to elevate privilege and access the folder with the rights granted in step 7, which should be sufficient (Full Control).
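The reproduction above as a PowerShell script, added here as an example and not part of the original post. It assumes a test folder path and that it runs on a domain-joined Windows Server 2008 machine as a Domain Admins member other than the built-in Administrator; it also reads the registry values behind the UAC policies discussed further down and shows why the filtered token is refused.

```powershell
# Added example, not from the original post. Assumes a test folder path and
# that it is run on a domain-joined Windows Server 2008 box as a domain admin
# account other than the built-in Administrator.
$Path = 'C:\Temp\UacTest'    # assumed test folder; change as needed
New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Step 7: remove inherited permissions, then grant Full Control only to the
# local Administrators group and SYSTEM (both addressed by well-known SID).
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
foreach ($wk in @([Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid,
                  [Security.Principal.WellKnownSidType]::LocalSystemSid)) {
    $sid  = New-Object Security.Principal.SecurityIdentifier($wk, $null)
    $rule = New-Object Security.AccessControl.FileSystemAccessRule(
                $sid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# The UAC policies the post discusses live under this key. EnableLUA is the
# UAC on/off switch, FilterAdministratorToken is "Admin Approval Mode for the
# built-in Administrator account" (absent or 0 = disabled, the default), and
# ConsentPromptBehaviorAdmin is "Behavior of the elevation prompt for
# administrators in Admin Approval Mode".
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac | Select-Object EnableLUA, FilterAdministratorToken, ConsentPromptBehaviorAdmin | Format-List

# Which token is this session holding? Under Admin Approval Mode the
# Administrators group (S-1-5-32-544) is still in the token but flagged
# "Group used for deny only", so it never satisfies an Allow ACE.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Logged on as {0}; elevated token: {1}" -f $identity.Name, $elevated
whoami /groups | Select-String 'S-1-5-32-544'

# The access check: the creator still owns the folder, so the ACL change
# above succeeds (owner keeps WRITE_DAC), but listing it fails with the
# filtered token and succeeds from an elevated session.
try {
    Get-ChildItem -Path $Path -ErrorAction Stop | Out-Null
    "Access to $Path succeeded"
} catch {
    "Access to $Path denied: $($_.Exception.Message)"
}
```

Run it once from a normal PowerShell window and once from one started with Run as administrator to see the two tokens side by side.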
This issue is the result of User Account Control (UAC). UAC is the feature in Windows Vista and Windows Server 2008 that is designed to apply the principle of least privilege.
If UAC is turned OFF this issue goes away. Also, if you log on with the built-in Administrator account for the domain, the issue goes away.
After digging into UAC a little further, I found that by default UAC applies to all interactive users except the built-in Administrator account. This is because the group policy setting “Admin Approval Mode for the built-in Administrator account” is disabled by default, which means the built-in Administrator account logs on in XP-compatible mode and runs all applications with full administrator privilege by default, without a filtered access token. This would seem to explain why the built-in Administrator is not affected by the issue caused by having UAC turned ON.
Note: If the group policy setting “Admin Approval Mode for the built-in Administrator account” is enabled, this issue also affects the built-in Administrator account in the same way.
All other admin accounts are subject to UAC and the filtered access token. The group policy setting “Behavior of the elevation prompt for administrators in Admin Approval Mode” is set to Prompt for Consent by default. There is no policy to disable Admin Approval Mode for administrator accounts other than the built-in one.
Check out the Security Policy Settings and User Account Control blog post for more details.
At this point it looks like there are two choices to get around this issue:
1) Leave UAC turned ON and use the built-in Administrator account for the domain, letting everyone share the same account, which is bad security practice, or
2) Turn UAC OFF and use any user account that is a member of the domain administrators group. This might not be a bad idea since UAC is really a client feature anyway.
I would consider this issue a bug. Hopefully, Microsoft will come out with a fix that will allow UAC to be left enabled.
on September 8, 2008 at 8:38 am
I also find this behaviour quite annoying, but I think it’s by design. http://msinfluentials.com/blogs/jesper/archive/2007/01.aspx explains the behaviour well.
What I don’t understand is why a Windows Explorer window opened with elevated permissions also has this issue. When running in elevated mode the Administrators group should apply, I think (it does if you are running cmd elevated).
on September 23, 2008 at 5:40 pm
This is a bit of an annoyance and I’d be interested to see the reasoning behind this and the suggested “best practices” to overcome this issue.
on October 27, 2008 at 8:11 pm
It is also interesting to note that while UAC gives you a prompt for a user who is a member of Domain Admins, it does not prompt you if you are using the domain admin “administrator”, which is the original admin account created with the domain. Has anyone noticed this?
on November 12, 2008 at 9:53 am
This was precisely my issue. How silly that it restricts local access for domain admins. Also worth noting is that if you are accessing these files via a network share, the Share and NTFS rights work as expected allowing the domain admin access. It’s only when logged in and accessing the files from the desktop that UAC denies access. I too think this is lame and should be addressed by Microsoft.
on December 1, 2008 at 3:45 pm
This appears to me as nothing more than a band-aid to mis-implemented security to begin with. This totally trashes the usefulness of transitive security. I don’t disagree with the results, nor the reasoning, but the execution was half-assed like many other new “features” in the 08/ vista line-up. Wasn’t the purpose of computing to make life easier?
on December 1, 2008 at 3:51 pm
This appears to me as nothing more than a band-aid to mis-implemented security to begin with. As described it’s supposed to prevent malware and the like from making changes while running under the login of an administrative account. On a home system this can be useful as many users never create standard accounts to use. However in a domain environment it simply does nothing more than cripple administrative progress by totally trashing the usefulness of transitive security. I don’t disagree with the results, nor the reasoning, but the execution was half-assed like many other new “features” in the 08/ vista line-up.