Getting Access Denied Using Admin Acount

[EvanTing]

Hi guys.

I am new to the forum and would like to have assistance on one of the issue which have my head scratched for days.

I have two Windows 2008 x64 R2 servers. One was placed at OU, lets say A. Another node located at OU B.

I have the domain users group added to the local Administrator group and was given FULL CONTROL on both servers.

Server A does not apply the GPO on the ACL for D drive (.\Users group is within the ACL) hence, the domain users (With Admin access) does not facing any issue access to D drive.

However for server B, the GPO applied and it will remove .\users group. The domain users are not allowed to access D drive, it will throw "Access Denied" error.

My understanding is, the domain users already granted with admin access, why they are still unable to access to the D drive?
Another concern, what is the functionality of the .\users group on the ACL? I noticed once i have added this group to the ACL, the domain users will not have issue accessing the D drive on server B.

Appreciate if someone can assist on this matter, thanks.

 

[ICTCity]

Remember: the most restrictive is applied!

You should grant the full control at the SHARING level, then, with NTFS permissions, you can set up things properly.

I can be member of domain admins, but I can have no access on a particular folder...

The group USERS has 1 member (by default) > AUTHENTICATED USERS which are all the users logged in in some way.

Look: http://ss64.com/nt/syntax-security_groups.html

 

[EvanTing]

Remember: the most restrictive is applied! You should grant the full control at the SHARING level, then, with NTFS permissions, you can set up things properly. I can be member of domain admins, but I can have no access on a particular folder... The group USERS has 1 member (by default) > AUTHENTICATED USERS which are all the users logged in in some way. Look: http://ss64.com/nt/syntax-security_groups.html

Hi,
Thanks for the reply.
Please advise if my explanation is correct:

Users group:
A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer. Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation.

In my case, since the GPO has removed the Users group from the ACL, hence the domain users are not able to access to the D drive.

And there is another concern,
Windows 2003 servers which located within the same OU with the problematic server, did not have this issue, i believe is because of the UAC.

In W2k3 there is no UAC removing admin group membership from the access token, so the permissions for admin are used there.

Please advise if this is correct, thanks!

 

[ICTCity]

Yes, you're right.

If you want to be sure that your policies are applied correctly, please run RESULTANT GROUP POLICY (under GROUP POLICY MANAGEMENT).

 

[EvanTing]

I just found one more thing:
User Account Control: Admin Approval Mode for the Built-in Administrator account has been disabled.
In this case, The administrator always runs with a full access token.

So the Access token should be not an issue on this node, this again cant explain the difference with Windows 2k3 and W2k8.

 

[ICTCity]

I'm a bit lost... what is your question now?

 

[EvanTing]

I'm a bit lost... what is your question now?

Ok. Lets make it this way. From the link here: http://ss64.com/nt/syntax-security_groups.html
It stated that by default the Domain user group was added to the Users group. This explains why for Windows 2008, without the users group, my domain user group unable to access to D drive.
However, I found that for Windows 2003 server, the same ACL set to D drive but why domain user can access to D drive? (Without the Users group). I am curious here, erm..

 

[ICTCity]

Ok, actually I think the point is for security purpose. I'm going to investigate further but I'm pretty sure the reason is security.

 

[EvanTing]

I'd studied this article:-

When a user who is a member of the Administrators group in Windows XP or Windows Server 2003 logs on to a computer, that user's token contains the Administrators group SID, and the user has the same permission as the Administrators group. In Windows Server 2008 and Windows Vista, if UAC is enabled, the Administrators SID is still present in the token but is set to Deny only. When performing access control, such an entry in the token is used only to deny accessin other words, to match Deny ACEs. Any Allow ACEs for that SID are ignored. That means that you are not truly an administrator all the time, even if you log on to the computer as one.

Source: http://technet.microsoft.com/en-us/library/cc731677(WS.10).aspx

By default, domain users added to the Users group once a server join domain. If lets say now i have added the domain users group to local admin group, will the rights over written by this group, and even if the Users group removed, this will not be impacted?

Kindly advise, thanks!

 

[ICTCity]

I think so, well, in theory the most restrictive count... so I assume you're right, but I will ask in the next few days.