User in Administrators group does not have the same rights as Administrator (Win 2012 R2)

I have created a user admin and put this user in the Administrators group (local, there is no AD). But this admin user does not have the same rights as the Administrator user itself.

Example 1: a file is owned by SYSTEM and the Administrators group has full control. If I try to add permissions for a user to this file, it doesn't work for the admin user. With the Administrator it works without any problem.

Example 2: IE Enhanced Security Configuration is set OFF for Administrators, ON for Users. For the Administrator this is OK, for the admin user it is still on.

Is this a configuration problem? If so, what do I need to do to make it right?


Solution 1:

This could be caused by User Account Control, a feature (hated by many) which makes it so that, even if you have administrative rights, you don't actually have them unless you explicitly request them. There are two distinct policies governing UAC behaviour (both found in Computer settings\Windows settings\Security settings\Local policies\Security options), one for the built-in Administrator account, and another one for all other administrative users:

  • User Account Control: Admin Approval Mode for the built-in Administrator account (disabled by default)
  • User Account Control: Run all administrators in Admin Approval Mode (enabled by default)

What this means is: by default, the built-in Administrator account is not affected by UAC, while all other administrative users are; thus, it's possible for an administrative user (different from the built-in Administrator) to not actually have administrative rights, even if it's a member of the Administrators group.

More info here.

Solution 2:

I had a similar situation and fixed it following the steps of http://clintboessen.blogspot.com/2013/05/you-dont-currently-have-permission-to.html (which are for a different situation). This is what I had and what I did:

  1. Two computers, no Active Directory Domain, one with Win 8.1 (name W81 for example), other with Server 2012 (name w12 for example)
  2. Two local users on w12: [UserA] with PasswordA and [UserB] with PasswordB. Both belong to the [Administrators] local group.
  3. Two local users on w81: [UserA] and [UserB] with the same PasswordA and PasswordB as the corresponding users of w12. Both belong to the [Administrators] local group.
  4. I share a folder on w12:
     a. Share name: Temp1$
     b. Share permissions: [Everyone], Full Control
     c. NTFS permissions: [Administrators], Full Control. No other group has NTFS permissions here.
  5. Logged in on the W12 as [UserA], I try accessing the share using UNC \\w12\Temp1$ . I get an error saying I have no access. The share is found. Just no access.
  6. Logged in on the W81 as [UserB], I try accessing the share using UNC \\w12\Temp1$ . I get the same error. RESTARTING w12 DOESN'T HELP.
  7. If I add [UserA] and [UserB] explicitly to the NTFS permissions, they now have access to the share using steps 5 and 6.
  8. I ran GPEdit.msc on w12, went to:

Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Security Options

and used the settings for #1 and #3 recommendations:

#1, User Account Control: Admin Approval Mode for the Built-in Administrator account: Disabled.

#3, User Account Control: Run all administrators in Admin Approval Mode: Disabled.

And left #2 untouched: #2, User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode : Prompt for consent for non-Windows binaries

  9. Restarted the machine and the situation didn't happen again.
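
To see which of the UAC policies named in both answers are in effect on a machine, and how the Administrators group appears in the current token, the following PowerShell can be used. It is an added example, not code from either answer; the registry value names are the standard Windows names behind those three policies and do not appear in the answers themselves.

```powershell
# Added example: reads the registry values behind the three UAC policies
# discussed above and reports the state of the current logon token.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policies = [ordered]@{
    FilterAdministratorToken   = 'Admin Approval Mode for the built-in Administrator account'
    EnableLUA                  = 'Run all administrators in Admin Approval Mode'
    ConsentPromptBehaviorAdmin = 'Behavior of the elevation prompt for administrators'
}
$promptModes = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

$values = Get-ItemProperty -Path $key
$report = foreach ($name in $policies.Keys) {
    $raw = $values.$name
    if ($null -eq $raw) {
        $state = 'not set'
    } elseif ($name -eq 'ConsentPromptBehaviorAdmin') {
        $state = $promptModes[[int]$raw]
    } elseif ($raw -eq 1) {
        $state = 'Enabled'
    } else {
        $state = 'Disabled'
    }
    [pscustomobject]@{ Policy = $policies[$name]; RegistryValue = $name; State = $state }
}
$report | Format-Table -AutoSize

# Is this process running with the full (elevated) administrator token?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# whoami shows how BUILTIN\Administrators (S-1-5-32-544) appears in the token.
# /nh drops the localized header row so fixed column names can be assigned.
$groups = whoami /groups /fo csv /nh | ConvertFrom-Csv -Header Name, Type, SID, Attributes
$admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }

[pscustomobject]@{
    User                  = $identity.Name
    Elevated              = $elevated
    AdministratorsInToken = [bool]$admins
    GroupAttributes       = $admins.Attributes
} | Format-List
```

Running it as the non-built-in admin user from a normal prompt and again from an elevated prompt shows the difference between the filtered and the full token.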