We have a selection of top level folders:
E:\Data1
E:\Data2
E:\Data3
The permissions are simple - the default CREATOR OWNER, SYSTEM Full Control, some security groups allowing Modify, and the LOCAL SERVER\Administrator group Full Control. There are no DENY, only ALLOW permissions.
I have a user account that is a member of the local Administrator group mentioned above. However, when I access the folder, the UAC prompt appears and says it needs to add permissions before I can access the folder. An explicit entry is added for this user account and now I can access the folder.
But why? I am a member of a group that has full control, so why is it prompting? The folder is set not to inherit permissions from the parent folder, so there aren't any weird permissions inheriting from the parent folder.
UAC aims to improve the security of Microsoft Windows by limiting application software to standard user privileges. *
That means, even though the user account is in the admin group, explorer.exe runs only with standard user privileges. And as a standard user, you are not allowed to access those folders.
But when you try to access those folders, Windows recognizes that your user account is a member of the admin group. It asks you (via the UAC prompt) if you would like to use the powers of the sysadmin (via admin group membership) to add your user account to the ACL.
This way, explorer.exe never gains standard user privileges, which improves security of Microsoft Windows.
* http://en.wikipedia.org/wiki/User_Account_Control
This is because with UAC enabled by default you access the folders in a context that does not have admin rights, despite you being a member of the admin group. An alternative would be to run explorer as administrator.
This is somewhat explained here: http://think-like-a-computer.com/2011/05/11/windows-access-denied-folder-administrator/
"When you log in as an administrator normally you would have full unrestricted access to everything. UAC aims to prevent this by running all tasks that don't require administrator access in a more restrictive manner. When UAC is enabled an administrator has two access tokens; a standard user token (restricted) and an administrator token (unrestricted). All tasks first run under the restricted user token. Only when a specific program or task requires full administrative rights does it then prompt you to run it in an elevated mode. It then launches this task using the administrator token."
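The two-token behaviour described in the answers above can be observed directly. The following PowerShell is an added example, not code from either answer: run it once in a normal PowerShell window and once in a window started with "Run as administrator" on the file server. It reports how BUILTIN\Administrators appears in the token the session is running under (in the filtered token the group carries the "Group used for deny only" attribute, and IsInRole() reports false even though the account is a member), and then checks whether that token can actually list a folder. The folder path E:\Data1 is taken from the question; no other names are assumed.

```powershell
# Added example (not part of the original answers).
# Shows why a member of Administrators is denied on E:\Data1 from a
# non-elevated process: UAC hands that process a filtered token in which
# the Administrators SID is marked "use for deny only".

function Get-AdminTokenState {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # IsInRole() honours the deny-only attribute: it returns $false for a
    # UAC-filtered token even when the account is in Administrators.
    $effectiveAdmin = $principal.IsInRole($adminRole)

    # whoami exposes the per-group attributes that the .NET API hides.
    # Match on the well-known SID S-1-5-32-544 (BUILTIN\Administrators)
    # rather than on the group name, so this works on any display language.
    $groups     = whoami /groups /fo csv | ConvertFrom-Csv
    $adminEntry = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }

    [pscustomobject]@{
        User                   = $identity.Name
        MemberOfAdministrators = [bool]$adminEntry
        AdminGroupAttributes   = $(if ($adminEntry) { $adminEntry.Attributes } else { '(not in token)' })
        EffectiveAdmin         = $effectiveAdmin
    }
}

function Test-FolderAccess {
    param([Parameter(Mandatory)][string]$Path)
    # Listing the folder exercises the same ACL check Explorer performs.
    try {
        $null = Get-ChildItem -LiteralPath $Path -Force -ErrorAction Stop
        return $true
    } catch {
        if ($_.CategoryInfo.Category -eq 'PermissionDenied') { return $false }
        throw   # anything other than access denied is a real problem
    }
}

Get-AdminTokenState | Format-List
"Can list E:\Data1: $(Test-FolderAccess -Path 'E:\Data1')"
```

In the normal window you should see MemberOfAdministrators true, AdminGroupAttributes containing "Group used for deny only", EffectiveAdmin false and the folder test false; in the elevated window EffectiveAdmin and the folder test both become true without any ACL change, which is exactly the difference between the restricted and unrestricted tokens.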
What I do is I create a non-administrator level group called something like "file server admins". Then I give this group full access to the folder location. I then add the appropriate users that need that access to that group. Since that group is part of the user's non-elevated token, the access is granted that way.
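As an added example of the approach in that answer (not the answerer's own script), the PowerShell below creates a plain local group, adds members to it, and grants it Full Control on one of the folders from the question. Assumed names: the group name "File Server Admins" and the member "CONTOSO\jdoe" are placeholders; E:\Data1 is from the question. The New-LocalGroup / Add-LocalGroupMember cmdlets need Windows 10 / Server 2016 or later (the Microsoft.PowerShell.LocalAccounts module); on older systems substitute `net localgroup`. Run it from an elevated prompt, since the non-elevated token cannot change these ACLs.

```powershell
# Added example (not from the original answer). Assumed placeholders:
# group "File Server Admins" and member "CONTOSO\jdoe". Run elevated once.

function New-FileServerAdminGroup {
    param(
        [string]$GroupName = 'File Server Admins',
        [string[]]$Members = @('CONTOSO\jdoe')
    )
    # A custom group is not one of the built-in administrative groups that
    # UAC marks deny-only, so it stays effective in the user's normal token.
    if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $GroupName -Description 'Full Control on data folders without UAC elevation' | Out-Null
    }
    $existing = @(Get-LocalGroupMember -Group $GroupName -ErrorAction SilentlyContinue)
    foreach ($m in $Members) {
        # Skip members already present so the script can be re-run safely.
        if ($existing.Name -notcontains $m) {
            Add-LocalGroupMember -Group $GroupName -Member $m
        }
    }
}

function Grant-FolderFullControl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$GroupName = 'File Server Admins'
    )
    $acl      = Get-Acl -Path $Path
    $identity = [System.Security.Principal.NTAccount]::new($env:COMPUTERNAME, $GroupName)
    # Explicit ALLOW entry that inherits to subfolders and files; the folder's
    # "do not inherit from parent" setting is left untouched.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $identity,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FolderGroupAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$GroupName = 'File Server Admins'
    )
    # Returns the ACEs that name the group, for a quick post-change check.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

New-FileServerAdminGroup
Grant-FolderFullControl -Path 'E:\Data1'
Get-FolderGroupAccess -Path 'E:\Data1' | Format-Table -AutoSize
```

Two things to keep in mind: group membership is read into the token at logon, so users added to the group must log off and back on before the new ACE applies to them, and because the grant is to a group rather than to individual accounts, the per-user "add permissions" entries that the UAC prompt in the question keeps creating are no longer needed and can be removed.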
Mark's link under "How Do We Prevent Access Denied On the Folder?" in the first paragraph explains it - just ignore the suggestion at that link to disable UAC :D