Server 2012 R2 NTFS permissions issue
I have a 2012R2 File server and I setup a new

share using the new 2012 R2 methodology (Server Administrator). I set the

appropriate permissions on it and it looks normal. Domain users have

read-only and Domain Admins (I'm in this group) have Full control.

Within the share, I've created a bunch of folders for departments and

general use. I've disabled inheritance on all of the folders and setup

explicit permissions, leaving the domain users with read-only and domain

admins with full. Everything looks normal.

The Share permissions are wide open and the NTFS permissions limit user


Here is the odd behaviour. When I'm logged on the server as myself

and try to access the folders (after having logged off) it says that I

don't have permissions to view the security or even open the folders

(unless I hit continue and then it assigns me with Full Control) BUT

when I'm logged onto my PC and navigate to the primary share, I

can see everything, go everywhere and view all properties. When I look

at the effective permission from my local PC or the server, it shows

that I have full control.

It's the same for the other Domain Admins as well.

Any advice or direction pointing would be greatly appreciated.

The behaviour appears to be caused by the removal of the local "Users" group. When I add any other group that I'm a member of, I can access the folders on the server and on my PC. Why doesn't the server recognize that I'm a member of Domain Admins??


I want to use Access-Based Enumeration so that users ONLY see the folders that they have permission to. When the local Users group is in the NTFS permissions, users can see all of the folders which I don't want. I understand how to enable it but if the Local Users group is removed from the folder then I lose the ability to manage the folder on the server and if the Local Users group is added then I lose ABE.

May 29th, 2015 2:45pm

I found the answer! Even though I thought I turned off UAC by moving the slider bar to the bottom there was still 1 local policy Enabled. Using GPEDIT.MSC, I inspected 3 policies:

* User Account Control: Admin Approval Mode for the Built-in Administrator account

* User Account Control: Behaviour of the elevation prompt for administrators in Admin Approval Mode

* User Account Control: Run all administrators in Admin Approval Mode

In the order above, they should be:

* Disabled

* Elevate without prompting

* Disabled -> This one was set to Enabled. I disabled it, rebooted and now I can access the folders directly on the server as I would expect.

Thanks for reading. I hope this helps someone.

Free Windows Admin Tool Kit Click here and download it now
May 29th, 2015 3:46pm

Hi Sukoto,

Thanks for sharing the solution =)

June 1st, 2015 3:12am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics