I have a brand new Active Directory (CORP-AD) installation running on Windows 2008R2. I have a domain controller (PDC01) and a member server (ME01).
The member server has a C: and a D: drive.
Part of our standard build is to remove all permissions from the root of the D: drive except for:
SYSTEM (Full Control)
Administrators (Full Control)
I created a new domain user ADMIN01 and granted it membership of the Domain Admins group.
Domain Admins is a member of the member server's local Administrators group.
When I logon (via RDP) to the member server ME01 as the domain user ADMIN01, this user cannot access the D: drive. I then tried adding the Domain Admins group with full control to the root of the D: drive, but my ADMIN01 user still cannot access the D: drive.
If I logon to ME01 as a local machine administrator I have no trouble accessing the D: drive at all.
I discovered this question which describes more or less the same problem:
Why can't I browse my D: drive, even if I'm in the Administrators group?
The answer suggests correctly that this is a UAC privilege elevation issue but I'm puzzled by this statement, in particular the bold part:
You can modify this behaviour by Group Policy however bear in mind that the default is set that way intentionally - the specific policy you want to change is "User Account Control: Run all administrators in Admin Approval Mode" - you can find details on how to do this in this MSDN article.
Is this suggesting that "User Account Control: Run all administrators in Admin Approval Mode" should not be disabled?
If it's enabled I don't get a UAC challenge with the "Continue" button + shield icon, I'm just plain refused access to the drive. Is this normal?
The reason, although I don't understand why, seems to be caused by removing the built-in Everyone group from the D: drive permissions. I've followed this up with a new question.
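As an added example (not part of the question or any of the answers), the PowerShell below lists the ACEs on a drive root and marks which of them the current RDP session's token can actually use; the function name and the D:\ default are assumptions. Under Admin Approval Mode a non-elevated admin token carries BUILTIN\Administrators as "Group used for deny only", so an Allow ACE for Administrators does not grant access while an Allow for Everyone does.

```powershell
# Added example (not from the question or any answer): lists the ACEs on a
# drive root and marks which of them the *current* logon token can use.
function Test-DriveRootAccess {
    param([string]$Path = 'D:\')   # assumed drive root under test

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami reports each token group with its attributes, including the
    # deny-only flag that the .NET WindowsIdentity.Groups collection hides.
    $groups   = whoami /groups /fo csv | ConvertFrom-Csv
    $allSids  = @($identity.User.Value) + @($groups | ForEach-Object { $_.SID })
    $allowSid = @($identity.User.Value) + @($groups |
                 Where-Object { $_.Attributes -notmatch 'deny only' } |
                 ForEach-Object { $_.SID })

    Write-Host ("Token elevated (full admin token): {0}" -f $elevated)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        try   { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }   # already a SID or unresolvable
        # Allow ACEs only count for groups the token can use; Deny ACEs count
        # for every group in the token, deny-only ones included.
        if ($ace.AccessControlType -eq 'Allow') { $applies = $allowSid -contains $sid }
        else                                    { $applies = $allSids  -contains $sid }
        New-Object PSObject -Property @{
            Identity   = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType
            Rights     = $ace.FileSystemRights
            AppliesNow = $applies
        }
    }
}

Test-DriveRootAccess -Path 'D:\' | Format-Table Identity, Type, Rights, AppliesNow -AutoSize
```

Run it once in a plain RDP session and once from an elevated prompt: with Admin Approval Mode on, the Administrators ACE shows AppliesNow False in the first and True in the second, which is the refusal without a UAC prompt described in the question.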
Looks like it's not actually a UAC problem but someone has messed around with the permissions on the drive level.
I would log in as the local admin, then compare the permissions that are set on both the C: and the D: drives. I'll bet that the Domain Admins were either removed, or they have been explicitly denied.
It sounds like someone granted Administrator not Administrators full control.
Did you actually completely log off as user ADMIN01 after you made the group membership changes and added the user to the Domain Admins group?
You mentioned remote desktop a lot; maybe the session for the user was just disconnected, and group membership changes don't take effect until the user completely logs off and logs back on (with Windows it's also possible to have two sessions open at the same time).
Does the ADMIN01 user have access to other administrative tools that only domain admins normally have access to? That would rule out whether it's an ACL issue on the drive, or a group membership/permission issue.