I am not sure if this is normal or not, however it seems network shares on our domain are given full access to users that are admins on their local machine if the server\Administrators security permissions is set.
Is this standard? It poses a fair few issues for setting up permissions as my predecessor has set all sorts of local privileges on computers throughout the domain. Unfortunately I can't change this with GP at this stage as I am unsure of the ramifications to our users by forcing this.
Obviously I can just remove the server\administrator security group from all shared folders but this would be a massive task.
Has anyone come across this issue before? The only reason I picked up on it was I was setting up a DFS and one of my users had full access no matter what permissions I set (Unless I removed the changed the server\administrator permissions to domain\domainadmin)
It probably sounds like the users are added to the administrator security group in ADUC.