Windows File System ACL Behavior: Why Domain Admins Lose Access When Everyone Permission is Removed



In Windows environments, we often encounter a puzzling scenario where Domain Admins suddenly lose access to drives after removing the Everyone group from ACLs. Let's dissect this behavior through a concrete example:

# Sample PowerShell to list the DACL of the drive root (this shows the ACEs, not the effective access of the current token)
Get-Acl -Path D:\ | Format-List

The core issue manifests when:

  • A member server joins an AD domain
  • NTFS permissions include Everyone (basic read) and Administrators (full control)
  • Domain Admin members (non-built-in accounts) get access denied after Everyone removal

The root cause lies in User Account Control (UAC) and token filtering. When UAC is enabled (default setting), non-built-in admin accounts receive a filtered administrator token without the "Everyone" SID during interactive logon.

// C# code to list the group SIDs in the current process token
using System;
using System.Security.Principal;

WindowsIdentity identity = WindowsIdentity.GetCurrent();
foreach (IdentityReference group in identity.Groups)
{
    // Prints each SID (S-1-1-0 is Everyone, S-1-5-32-544 is BUILTIN\Administrators).
    // Groups does not expose attributes, so a deny-only Administrators SID in a
    // UAC-filtered token still appears here; "whoami /groups" shows the flags.
    Console.WriteLine(group.Value);
}

Key observations:

  • Built-in Administrator (RID 500) bypasses UAC token filtering
  • Regular users in Domain Admins get filtered tokens
  • NTFS requires explicit permission when Everyone is removed
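To see these observations on a real host, the following diagnostic is an added example (not code from the original page). It reports whether the current PowerShell session holds a UAC-filtered token, which SIDs are enabled in it, and which explicit ACEs remain on a path. It assumes a domain-joined Windows host with whoami.exe; the path is a parameter and D:\ is the page's example drive.

```powershell
# Added diagnostic, not part of the original page. Reports whether the current
# session runs under a UAC-filtered token and lists the explicit (non-inherited)
# ACEs on a path. Assumes a Windows host with whoami.exe available.
function Test-FilteredAdminToken {
    param([string]$Path = 'D:\')

    # whoami /groups /fo csv emits the columns "Group Name","Type","SID","Attributes".
    $groups = whoami /groups /fo csv | ConvertFrom-Csv

    # S-1-5-32-544 is BUILTIN\Administrators, S-1-1-0 is Everyone. In a filtered
    # token the Administrators SID is still listed but flagged
    # "Group used for deny only": it can match Deny ACEs but never grants access.
    $admins   = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $everyone = $groups | Where-Object { $_.SID -eq 'S-1-1-0' }

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # Explicit ACEs are what survives once Everyone is removed; if none of them
    # names a group that is enabled in this token, the access check fails.
    # Get-Acl failing with "access denied" is itself the symptom, so record it.
    try {
        $explicitAces = @((Get-Acl -Path $Path -ErrorAction Stop).Access |
            Where-Object { -not $_.IsInherited } |
            ForEach-Object { '{0}: {1} ({2})' -f $_.IdentityReference, $_.FileSystemRights, $_.AccessControlType })
    } catch {
        $explicitAces = @("Get-Acl failed: $($_.Exception.Message)")
    }

    [pscustomobject]@{
        User                   = $identity.Name
        AdministratorsInToken  = [bool]$admins
        AdministratorsDenyOnly = [bool]($admins -and $admins.Attributes -match 'deny only')
        EveryoneInToken        = [bool]$everyone
        IsInRoleAdministrator  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        ExplicitAcesOnPath     = $explicitAces
    }
}

Test-FilteredAdminToken -Path 'D:\' | Format-List
```

Run it from a non-elevated session: that is the token Explorer and ordinary file operations use. An elevated session carries the full token, so AdministratorsDenyOnly reports False there and the symptom does not reproduce. The built-in Administrator (RID 500) also reports False because it is exempt from filtering by default.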

Option 1: Disable UAC filtering (not recommended for security)

# Group Policy path:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
"User Account Control: Run all administrators in Admin Approval Mode" → Disabled

Option 2: Proper permission structure (recommended)

# PowerShell to add an explicit FullControl ACE for Domain Admins (replace DOMAIN with your domain's NetBIOS name)
$acl = Get-Acl -Path D:\
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList "DOMAIN\Domain Admins", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
$acl.AddAccessRule($rule)
Set-Acl -Path D:\ -AclObject $acl

The access denial occurs at the filesystem level before UAC elevation can intervene. The system doesn't know you might have admin rights - it only sees the missing permissions in your current token.

Best practice dictates always explicitly granting permissions to security groups rather than relying on implicit membership through Everyone or other broad permissions.


In Windows Server environments, we often encounter a puzzling scenario where domain administrators suddenly lose access to drives after removing the "Everyone" permission. Here's what's happening under the hood:

# Sample PowerShell to reproduce the issue: remove the Everyone read ACE from the drive root
$drivePath = "D:\"
$acl = Get-Acl -Path $drivePath
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList "Everyone", "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow"
$acl.RemoveAccessRule($rule)   # removes the matching rights from Everyone's Allow ACE
Set-Acl -Path $drivePath -AclObject $acl

User Account Control (UAC) creates two security tokens for admin accounts:

  • A filtered standard user token (used by default)
  • A full administrator token (used after elevation)

When UAC is enabled (the default configuration), domain admins access resources through their filtered token, which doesn't automatically include the Administrators group. The "Everyone" permission acts as a fallback that allows this filtered token to access the drive.

Windows evaluates access against the token the process already holds, which UAC has filtered at logon:

// C# snippet showing how the current (possibly filtered) token reports role membership
using System;
using System.Security.Principal;

WindowsIdentity identity = WindowsIdentity.GetCurrent();
WindowsPrincipal principal = new WindowsPrincipal(identity);

// IsInRole only counts groups that are enabled in the token; a deny-only
// Administrators SID in a filtered token therefore makes isAdmin false.
bool isAdmin = principal.IsInRole(WindowsBuiltInRole.Administrator);
// Verbatim string: "\D" in a normal C# literal is an invalid escape sequence.
bool isDomainAdmin = principal.IsInRole(@"DOMAIN\Domain Admins");

// With UAC enabled, even Domain Admins get filtered tokens
Console.WriteLine($"Is Admin: {isAdmin}, Is Domain Admin: {isDomainAdmin}");

Option 1: Add explicit permissions for Domain Admins

icacls D:\ /grant "DOMAIN\Domain Admins:(OI)(CI)F"

Option 2: Disable UAC filtering (not recommended)

# Sets EnableLUA=0, which turns off UAC entirely (not just token filtering) and only takes effect after a reboot
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name EnableLUA -Value 0

Option 3: Use the built-in Administrator account when managing permissions

The access denial occurs at the filesystem level before UAC elevation can be triggered. Windows doesn't show elevation prompts for simple file operations - it only prompts when executing applications with elevated privileges.

Instead of removing the "Everyone" permission:

  1. Keep minimal "Everyone" permissions (Read & Execute)
  2. Add explicit permissions for Domain Admins
  3. Set more restrictive permissions on sensitive subfolders

# Recommended permission structure (DOMAIN is a placeholder for your domain's NetBIOS name)
icacls D:\ /inheritance:r
icacls D:\ /grant "Everyone:(RX)"
icacls D:\ /grant "DOMAIN\Domain Admins:(OI)(CI)(F)"
icacls D:\ /grant "BUILTIN\Administrators:(OI)(CI)(F)"
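The following is an added example (not code from the original page) that implements the "explicit permissions first" approach of Option 2 above and of this three-step structure with the .NET ACL API instead of icacls. It grants explicit full control to the admin groups, optionally keeps the root-only Everyone Read & Execute entry, and refuses to remove Everyone until an explicit FullControl Allow ACE for the admin group is actually present on the path. DOMAIN is a placeholder for your domain's NetBIOS name; Set-Acl on a drive root needs an elevated session, and the `::new()` constructor syntax needs PowerShell 5.0 or later.

```powershell
# Added example, not part of the original page. DOMAIN is a placeholder for the
# domain NetBIOS name; run from an elevated session (Set-Acl on a drive root).
$ruleType = [System.Security.AccessControl.FileSystemAccessRule]

function Grant-ExplicitAdminAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$AdminGroups = @('DOMAIN\Domain Admins', 'BUILTIN\Administrators'),
        [switch]$KeepEveryoneReadExecute   # mirrors the page's Everyone:(RX) entry on the root only
    )
    $acl = Get-Acl -Path $Path
    # Equivalent of "icacls /inheritance:r": stop inheriting and drop inherited ACEs.
    $acl.SetAccessRuleProtection($true, $false)

    foreach ($id in $AdminGroups) {
        # (OI)(CI)F in icacls terms: full control, inherited by files and subfolders.
        $rule = $ruleType::new($id, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.SetAccessRule($rule)   # replaces any existing Allow ACE for this identity
    }
    if ($KeepEveryoneReadExecute) {
        # No inheritance flags: applies to the root folder only, like "Everyone:(RX)".
        $ro = $ruleType::new('Everyone', 'ReadAndExecute', 'None', 'None', 'Allow')
        $acl.SetAccessRule($ro)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Remove-EveryoneAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$RequiredGroup = 'DOMAIN\Domain Admins'
    )
    $acl = Get-Acl -Path $Path
    # Identities that hold an explicit FullControl Allow ACE on this path.
    $holders = @($acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -eq 'FullControl' } |
        ForEach-Object { $_.IdentityReference.Value })
    if ($holders -notcontains $RequiredGroup) {
        # This is the check that prevents the lock-out described on this page:
        # with Everyone gone, a filtered token needs some other enabled group to match.
        throw "Refusing to remove Everyone from ${Path}: no FullControl Allow ACE for $RequiredGroup (found: $($holders -join ', '))"
    }
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]'Everyone')
    Set-Acl -Path $Path -AclObject $acl
}

# Order matters: grant the explicit ACEs first, then (only if required) drop Everyone.
Grant-ExplicitAdminAccess -Path 'D:\' -KeepEveryoneReadExecute
# Remove-EveryoneAccess -Path 'D:\' -RequiredGroup 'DOMAIN\Domain Admins'
```

SetAccessRule is used rather than AddAccessRule so that re-running the script does not pile up duplicate ACEs, and the removal step reads the ACL back from disk rather than trusting what the grant step just wrote, so it also protects against running the two steps in the wrong order.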