Secured drive only available if Windows Explorer is run as an Administrator
UAC is Modifying Your Administrative Permissions
The behavior you're describing is by design. It's the result of your account having its effective membership in the local machine's Administrators group stripped by User Account Control (UAC):
When an administrator logs on, the user is granted two access tokens: a full administrator access token and a "filtered" standard user access token. By default, when a member of the local Administrators group logs on, the administrative Windows privileges are disabled and elevated user rights are removed, resulting in the standard user access token. The standard user access token is then used to launch the desktop (Explorer.exe). Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all applications run as a standard user by default unless a user provides consent or credentials to approve an application to use a full administrative access token. (Source: TechNet)
Here's a visual description of what's going on:
Even though your user account is an effective member of the Local Administrators group, those permissions aren't present in your access token when you access the drive, resulting in your being denied permissions (or being prompted by UAC to grant your account explicit permissions to access the drive). Conversely, when your user account is granted explicit permissions to the drive you have normal access since only your membership in the Administrators group is stripped by UAC.
If I log on as the local administrator, everything works fine.
When you log on with the built-in Administrator account, UAC is disabled by default. As a result, the above token filtering process doesn't take place.
...If a domain admin accesses the drive as a network share, or as an administrative share, everything works fine as well.
UAC has no effect on resources located across the network. It only operates on the local computer. Therefore, since these accounts have access to the resources, and UAC isn't filtering that access, they're not prevented from accessing the object.
A Secure Workaround
Since disabling UAC is discouraged for the sake of increased security, use this simple workaround:
- Create a domain group, such as Data Volume Administrators
- Make Domain Administrators a member of the Data Volume Administrators group
- Grant the Data Volume Administrators group NTFS Full Control permissions to the volume.
The net effect is that you'll have full access to the object since UAC won't strip your membership from the Data Volume Administrators group.
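The three workaround steps as a PowerShell script, followed by a check of the filtered token. This is an added example, not part of the original answer; it assumes the ActiveDirectory module (RSAT) is installed, the data volume is D:\, and the session is elevated with rights to create domain groups.

```powershell
# Added example: assumptions are the volume path D:\ and an elevated session
# on the server that holds the volume, run by an account that can create AD groups.
Import-Module ActiveDirectory

$groupName = 'Data Volume Administrators'   # group name used in the answer
$volume    = 'D:\'                          # assumed path of the secured volume
$domain    = (Get-ADDomain).NetBIOSName

# Step 1: create the domain security group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Description 'Full control on data volumes; not filtered by UAC'
}

# Step 2: nest the domain administrators group (named "Domain Admins" in
# Active Directory) inside the new group, unless it is already a member.
$members = Get-ADGroupMember -Identity $groupName | Select-Object -ExpandProperty Name
if ($members -notcontains 'Domain Admins') {
    Add-ADGroupMember -Identity $groupName -Members 'Domain Admins'
}

# Step 3: grant NTFS Full Control on the volume, inherited by subfolders (CI)
# and files (OI). ${...} keeps PowerShell from reading "groupName:" as a scope.
icacls $volume /grant "${domain}\${groupName}:(OI)(CI)F"

# Review the resulting ACL: the new group should be listed with (OI)(CI)(F).
icacls $volume

# Check, from a NON-elevated prompt after logging off and on again (the access
# token is built at logon, so the new membership is not visible before that):
#   BUILTIN\Administrators      -> "Group used for deny only" (filtered by UAC)
#   Data Volume Administrators  -> "Enabled group"
whoami /groups /fo list | Select-String -Context 0,3 -Pattern 'Administrators'
```

Because the new group carries Full Control on the volume for every non-elevated process the admin runs, treat its membership with the same care as the Administrators group itself.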