So, this is an annoyance that I have worked around for some time. But as we are fixing our Administrative user access (renaming the admin account and resetting the password to something obnoxious), I am using my DA account far more often, and this (problem below) begins to take up A LOT of time. The issue is this;

   I am a Domain Admin.  The folders all have access granted to the Administrator group.  But when I go to access the folder (Search or navigate or anything) I am blocked with a popup, and told I have to grant my specific user account access before I can continue.  With large file systems, this can take a lot of time.

   What I want is the local administrators (Local admin, DA's, ect.) to be able to transparently access everything they have rights to. 

• Is this the UAC that is causing the problem?
• Can I turn off the popup's and leave the UAC on?
• I need these changes across hundreds of servers, how can I make them (GPO, logon script, reg key, ect..)?

Hey, it the file and printer sharing enabled on the firewalls? Also, did you add the domain admins group to the local administrators group of each machine?

• Proposed as answer by Gramelot Tuesday, September 01, 2015 9:25 PM
• Unproposed as answer by BlankMonkey Wednesday, September 02, 2015 6:32 PM

Hi BlankMonkey,

Thanks for your post.

It may be related to UAC. If Administrators group has Full Control on those folders and you are a member of Administrators group, with UAC enabled, this kind of issue will occur as your account actually running as a standard user while only Admins have permission to access the folder.

https://msdn.microsoft.com/en-us/library/aa826699(v=vs.85).aspx

Could you please add the specific accounts to Security tab with Full Control permission with a test?

And also test if it works: create a new group, add all admin account to the group, with full control about the folder.

Best Regards,

Mary Dong

Thank you, let me see and I will post back.  it is a busy day :(

What??

This has nothing to do with network access, shares, or firewall.

• Could you please add the specific accounts to Security tab with Full Control permission with a test?

This will work.  In fact when I go to access a folder that I am not explicitly on, it will add my user ID to the root privs for the entire structure, that is what takes a lot of time, on big folders.  But after I am explicitly there, then I can do what I need to do.

• And also test if it works: create a new group, add all admin account to the group, with full control about the folder.

This Also works.  It is only if the Local Administrators group is defined, that I get these pop ups and security inheritance changes.  Like being the local administrator has no rights to view, but only to add other rights.  But it does!!  I highly suspect the UAC >:(

Hi BlankMonkey,

This is because all accounts in local Administrators group are working as standard accounts. When an Administrator action need to be performed, a prompt will occurs for permission to promote to admin permission. As only Administartors group has permission on a folder and the account we are using is working like a standard account, we will be denied from accessing.

You may also check the link I post before. And you may also check the thread discussed before.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/fedbb110-556d-4d2f-83bb-fb679c125cc3/windows-server-2012-uac-folder-problem?forum=winserverfiles

Hope it is helpful.

Best Regards,

Mary Dong