NTFS - Domain Admins don't have permissions despite being part of the Local Administrators group
Solution 1:
Right, UAC is triggered when a program requests administrator privileges, such as Explorer requesting administrator privileges because that's what the NTFS ACLs on those files and folders require.
You have four options I'm aware of.
- Disable UAC on your servers.
  - I do this anyway (in the general case), and would argue that if you need UAC on a server, you're probably doing it wrong, because in general, only administrators should log onto servers, and they should know what they're doing.
- Manage the permissions from an elevated interface
  - Elevated cmd window, PS window or Explorer instance all work for avoiding the UAC popup. (Run As Administrator)
- Manage the NTFS permissions remotely
  - Connect over UNC from a machine that doesn't have UAC turned on.
- Create an additional non-administrative group that has full access in the NTFS ACLs to all the files and folders you want to manipulate, and assign your admins to it.
  - The UAC popup won't (shouldn't) be triggered, because Explorer will no longer require Administrative privileges, as access to the files is granted through another, non-administrative group.
Solution 2:
Set both of these policies for members of the local Administrators group to be able to change files and connect to admin shares:
A reboot will be required after making these changes.
Solution 3:
The best way is to change the registry key at
registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system; key = EnableLUA
Make sure it is set to value 0 to disable it. You need to reboot to make it take effect. The interface might show it as disabled while the registry has it enabled.
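To see which situation a given folder is in, the following added example (not code from any of the answers above) reports the `EnableLUA` value named in Solution 3, whether the current session is elevated, and whether the folder's allow entries go only through BUILTIN\Administrators, which is the case that option 4 of Solution 1 addresses. The function name and the sample path are hypothetical, and only BUILTIN\Administrators is checked; other privileged groups are not evaluated.

```powershell
# Added example, PowerShell 5.1 or later. Run from an elevated window so the ACL
# can be read even when only Administrators have access to the folder.
function Get-UacAclReport {
    param([Parameter(Mandatory)][string]$Path)

    # EnableLUA as stored in the registry: 1 = UAC on, 0 = UAC off.
    $key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA

    # True only when this process holds the full (elevated) administrator token.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated = ([Security.Principal.WindowsPrincipal]::new($identity)).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # A non-elevated token often cannot read an Administrators-only ACL at all.
        throw "Cannot read the ACL of '$Path' (elevated: $elevated): $($_.Exception.Message)"
    }

    $adminSid = 'S-1-5-32-544'            # BUILTIN\Administrators
    $ignored  = 'S-1-5-18', 'S-1-3-0'     # SYSTEM and CREATOR OWNER

    # Explicit and inherited allow entries, with trustees expressed as SIDs.
    $allow = @($acl.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.AccessControlType -eq 'Allow' })

    $viaAdmins = @($allow | Where-Object { $_.IdentityReference.Value -eq $adminSid })
    $viaOthers = @($allow | Where-Object {
        $_.IdentityReference.Value -notin ($ignored + $adminSid) })

    [pscustomobject]@{
        Path                  = $Path
        EnableLUA             = $lua
        SessionElevated       = $elevated
        AdministratorsEntries = $viaAdmins.Count
        # Trustees a non-elevated session could still match, with their rights.
        OtherTrustees         = $viaOthers | ForEach-Object {
            '{0}: {1}' -f $_.IdentityReference.Value, $_.FileSystemRights }
        # Access exists only through Administrators, so Explorer needs elevation.
        OnlyViaAdministrators = ($viaAdmins.Count -gt 0 -and $viaOthers.Count -eq 0)
    }
}

# Hypothetical path, replace with the folder being investigated:
# Get-UacAclReport -Path 'D:\Shares\Projects'
```

When `OnlyViaAdministrators` is true and `EnableLUA` is 1, adding a dedicated non-administrative group to the ACL changes the result without turning UAC off.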