Troubleshooting: Domain Admin Group Member Denied Access Despite NTFS/Share Permissions on Windows Server


3 views

I recently encountered a perplexing permission scenario where a Domain Admin group member couldn't access a folder that explicitly granted full control to the group. Here's the complete technical breakdown:

# Permission summary (ICACLS output equivalent)
Folder: D:\RedirectedFolders
DOMAIN\Domain Admins:(OI)(CI)(F)
FILESERVER\Administrators:(OI)(CI)(F)
NT AUTHORITY\Authenticated Users:(W,Rc,X,RA)

The access pattern revealed these symptoms:

  • Local console access denied (non-elevated session)
  • Network access from other machines working normally
  • Elevated sessions (Run as Administrator) working
  • UAC completely disabled via GPO (Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options)

Windows Server implements Admin Approval Mode even when UAC appears disabled. The critical registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001

This causes all administrative accounts (including Domain Admins) to receive filtered access tokens for security purposes.

Option 1: Disable UAC completely (not recommended for production)

# PowerShell command
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name "EnableLUA" -Value 0

Option 2: Add explicit permissions for the admin's account (bypasses token filtering)

# Command prompt
icacls "D:\RedirectedFolders" /grant "DOMAIN\john.doe:(OI)(CI)(F)"

Option 3: Configure Folder Redirection to use a different access pattern

# Group Policy setting example
User Configuration > Policies > Windows Settings > Folder Redirection
Set "Grant user exclusive rights" to Disabled

This PowerShell snippet helps diagnose the actual effective permissions:

function Test-EffectiveAccess {
    param(
        [string]$Path,
        [string]$User
    )
    
    $identity = [System.Security.Principal.NTAccount]$User
    $acl = Get-Acl $Path
    
    $accessRules = $acl.Access | Where-Object {
        $_.IdentityReference -eq $identity
    }
    
    $accessRules | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited -AutoSize
}

Test-EffectiveAccess -Path "D:\RedirectedFolders" -User "DOMAIN\john.doe"

The Windows security model makes a distinction between:

  • Administrative privileges (what you are)
  • Access rights (what you have)

Always test permissions both locally and remotely when troubleshooting access issues.

Here's what's happening under the hood when a Domain Admin gets denied access to a folder they technically have permissions to:

// Permission check flow analysis
1. User (DOMAIN\john.doe) -> Member of DOMAIN\Domain Admins
2. Folder ACL:
   - DOMAIN\Domain Admins: Allow Full Control (Inherited)
   - Authenticated Users: Limited Create/Write (Top Level Only)
3. Access attempt fails with ERROR_ACCESS_DENIED (0x5)

Even with UAC "disabled" via Group Policy (EnableLUA=0), Windows Server 2008 R2 still maintains security boundaries. What we're seeing is the Admin Approval Mode behavior stripping the Domain Admin's token when accessing local resources.

  • Direct console login: Filtered token (no admin privileges)
  • Network access: Full token (admin privileges intact)
  • Elevated prompt: Full token (explicit admin context)

If you absolutely must bypass this for testing (not production!), set this registry value:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"LocalAccountTokenFilterPolicy"=dword:00000001

For production systems, implement service accounts with explicit permissions:

# PowerShell: Create and configure service account
$ServiceAccount = New-ADUser -Name "FS_Admin" -AccountPassword (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -Enabled $true
Add-ADGroupMember -Identity "Domain Admins" -Members $ServiceAccount

# Set explicit permissions (non-inherited)
$ACL = Get-Acl "C:\FolderRedirection"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("DOMAIN\FS_Admin","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$ACL.AddAccessRule($AccessRule)
Set-Acl -Path "C:\FolderRedirection" -AclObject $ACL

When standard fixes fail, use these diagnostic tools:

  1. Process Monitor (ProcMon) filtering for ACCESS DENIED results
  2. Token analysis with whoami /all in elevated vs non-elevated prompts
  3. Effective permissions check through Security tab → Advanced → Effective Access
  • Windows 2008 R2's UAC implementation differs from later versions
  • Local vs remote access contexts create permission evaluation differences
  • Service accounts with explicit permissions are more reliable than group membership
  • Always verify effective permissions rather than assuming group membership grants access