Access Denied with Full Permissions
I have a Windows 2008R2 server and am logged in as a Domain Administrator, and I am getting an "Access Denied" message when I try to save a file in a directory. The directory is just an application folder on the D: drive. I ran "Effective Permissions" for my user and it says that I have "Full". There are no shares involved - I am directly logged on to the server. I am just using Notepad to create a file and store it in the directory, but I get the same results if I open an existing file, make a change and try to save it. I tried launching Notepad with Run as Administrator, and then I can save in the directory. What am I missing? Thanks.
Roger
April 1st, 2011 1:09pm

So, as I see it, you need an elevated prompt to access the folder. I think that the folder is used by an application, and that is why it requires the use of Run as administrator, so that you will avoid accidental changes. I think that if you stop your application, you will be able to do what you want on the folder without having to use an elevated prompt. Also, if you disable UAC, you will not be required to use Run as administrator, but it is not recommended for security reasons.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner; Microsoft Certified Professional; Microsoft Certified Systems Administrator: Security; Microsoft Certified Systems Engineer: Security; Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration; Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
April 1st, 2011 2:20pm

Hi. I would suggest you create another group that has write access to that folder and join yourself and perhaps your entire group to it. I think this is what you are running into, and just opening a text file isn't an administrative task:

When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs have been removed. The standard user access token is used to start applications that do not perform administrative tasks (standard user applications).

http://technet.microsoft.com/en-us/library/dd446675%28WS.10%29.aspx
Oscar Virot
April 1st, 2011 6:09pm

Actually, the application that I am using is just Notepad, so the application does not require Run as administrator. For a variety of reasons, I would prefer not to disable UAC. I did a little more experimenting and found that the problem seems to be related to the fact that I was getting access by being in the Administrators group. Basically, I did what Oscar suggests below. When I put the user on the access list explicitly, all worked fine. With the user on the access list, you didn't have to do a "Run As" even though the user was in the Administrators group. This also leads me to believe that the problem is not in UAC. My question is why? I understand the two access tokens, but when I put the user on the access list explicitly, I still have the two access tokens. Why does accessing a file require me to use my administrator access token unless I am on the access list explicitly? Something just doesn't make sense to me.
Roger
April 4th, 2011 8:39am

Hi. UAC has two tokens: one with everything, and the regular one you use, which has the Administrators group removed. When you browse with Explorer you use your regular one, so you don't have your Administrators group. So then you have the same level of access as if you didn't have the Administrators group at all. That's why you need to disable UAC or have a "fileserver group". I hope this is understandable.
Oscar Virot
April 4th, 2011 8:49am
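
The split-token behaviour discussed in the posts above can be checked directly. The script below is an added diagnostic example, not part of the original thread: it lists the folder's Allow ACEs that grant file creation and marks which ones match a SID that is enabled in the current token. The folder path is a placeholder.

```powershell
# Added example. Run once from a normal prompt and once from an elevated one.
param([string]$Path = 'D:\ExampleApp')   # placeholder folder (assumption)

$id       = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)

# SIDs able to match an Allow ACE: the user plus enabled groups.
# WindowsIdentity.Groups omits groups marked deny-only, which is the state of
# BUILTIN\Administrators in the standard-user token.
$active = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

$create      = [int][Security.AccessControl.FileSystemRights]::CreateFiles
$inheritOnly = [int][Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [Security.Principal.SecurityIdentifier]

# Allow ACEs that apply to the folder itself and grant "create files".
# Deny ACEs and generic-rights ACEs are outside the scope of this check.
$report = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $create) -and
        -not ([int]$_.PropagationFlags -band $inheritOnly)
    } |
    ForEach-Object {
        $sid  = $_.IdentityReference
        $name = $sid.Value
        try { $name = $sid.Translate([Security.Principal.NTAccount]).Value } catch { }
        New-Object PSObject -Property @{
            Identity  = $name
            Inherited = $_.IsInherited
            UsableNow = ($active -contains $sid.Value)
        }
    }

"Elevated token: $elevated"
$report | Select-Object Identity, Inherited, UsableNow | Format-Table -AutoSize
if (-not $elevated -and -not ($report | Where-Object { $_.UsableNow })) {
    'No write-granting ACE matches an enabled SID in this token: expect Access Denied.'
}
```

Running `whoami /groups` in the same prompt shows the same state: in a non-elevated session, BUILTIN\Administrators is listed as "Group used for deny only".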

The fact is that explorer.exe is NOT UAC-ready. Because of that, I always disable UAC. Otherwise, it's quite easy to damage permissions on folders; UAC does modify permissions instead of running Explorer with an elevated SID. My suggestion is to always log on with a limited user account, only log on as administrator when needed, and certainly disable UAC.
MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor; CCNA
April 5th, 2011 1:33pm

Thanks. The combination of answers makes sense and it appears to match the actual way it works. Roger
April 6th, 2011 3:26pm
