Why does removing the EVERYONE group prevent domain admins from accessing a drive?
This is related to this question:
Domain Admins group denied access to d: drive
I have a member server in a brand new AD lab environment.
I have an Active Directory user
ADMIN01who is a member of theDomain AdminsgroupThe
Domain Adminsglobal group is a member of the member server's localAdministratorsgroupThe following permissions are configured on the root of my new
D:drive added after the server became a member of the domain:
Everyone - Special Permissions - This folder only
Traverse folder / execute file
List folder / read data
Read attributes
Read extended attributes
CREATOR OWNER - Special Permissions - Subfolders and files only
Full Control
SYSTEM - This folder, subfolders and files
Full Control
Administrators - This folder, subfolders and files
Full Control
Under the above ACL's the domain user ADMIN01 can logon and access the D: drive, create folders and files and all is good.
If I remove the Everyone permission from the root of this drive then non-built-in users who are members of the Domain Admins (e.g. ADMIN01) group can no longer access the drive. The domain Administrator account is fine.
Local machine Administrator and the Domain Admin "Administrator" account still have full access to the drive, but any "regular" user who has been added to Domain Admins is denied access.
This happens regardless of whether I created the volume and removed the Everyone permission logged in as the local machine Administrator or whether I perform this logged on as the Domain Admin "Administrator" account.
As mentioned in my previous question, the work around is to disable the "User Account Control: Run all administrators in Admin Approval Mode" policy either locally on the member server or via a domain wide GPO.
Why does removing the Everyone account from D:'s ACL cause this problem for non-built-in users who are granted membership of Domain Admins?
Also why aren't these types of non-built-in Domain Admin users prompted to elevate their permissions rather than just being flat out denied access to the drive?
I have noticed this myself. What happens, is that UAC kicks in because you are using your "local administrators" membership to gain access to the drive, and this is excatly what UAC monitors for.
For file servers, my personal best practice is to never use the "Administrators" group to provide permissions for users.
Try this: Create an AD group called "FileServerAdmins" or whatever, add your user (or domain admin group) to it. Give this group access to the D-drive with the same permissions as the existing Administrators group.
You should notice that even after removing the "Everyone" permission any members of the "FileServerAdmins" group should still have access to the drive, without getting the UAC prompt.
I was a bit shocked myself when I discovered this a while back, it is defenitely a part of UAC that could use some revision...
It appears I'm not alone in encountering this problem. The issue at stake seems to be that non-built-in users who are Domain Admins aren't quite the full shilling when it comes to UAC and seem to be treated "specially":
Windows Server 2008 R2 and the UAC
UAC and Domain Admins permissions issue on Windows 2008 - Part 1
UAC and Domain Admins Permissions Issue or Pocket Full of Kryptonite - Part 2
The key paragraph from the last link explains:
Basically, [non-built-in users who are - (added by me)] Domain Admins, unlike ALL OTHER USERS, are given two tokens. They have the full access token (like everyone else) and a second access token referred to as the filtered access token. This filtered access token has the administrative powers removed. Explorer.exe (ie the root of all) is started with the filtered access token, and thus everything is started with it.
Think of it is as RUNAS in reverse. Rather than being a Domain Admin you are reduced to peon status. It is, in effect, kryptonite.