Administrators-only drive access with UAC enabled?
I have a 2008 server, and have UAC enabled. I would like to have a drive (E:) that only members of the administrators group have access to, that non-administrators definitely would not have access to. In Windows 2003 without UAC, we had removed all file/directory inheritable permissions from the drive at the e:\ level, except for administrators, and that worked great. However, with 2008 and UAC enabled, it appears the administrator rights are no longer there when browsing, so it breaks. When a member of the administrators group opens up Windows Explorer to view the e: drive, a pop-up says "E:\ is not accessible. Access is denied.". If I grant Users the "List Folder" and "Read Attributes" permissions on e:\ for "This folder only", I can access e:\. However, when a member of the administrators group browses a subfolder of e:\, they get a pop-up saying "You don't currently have permissions to access this folder. Click Continue to get access to this folder.", and either fails or adds just that administrator to the folder's permissions, which creates a permissions mess.

I thought about putting all of our administrators in a separate group, and giving that group administrative rights, and giving that group rights to the e: drive. Is that the recommended way to secure a drive now, or does that defeat the purpose of UAC? I didn't find a published Microsoft security recommendation so I'm looking for suggestions.

Thanks!
February 23rd, 2010 11:10pm

Hi,

This behavior occurs because explorer.exe is launched with the standard user access token of the administrative account. This means that the administrative permission is not included when you try to access the E drive.

For more information about UAC, please refer to the following article:

User Account Control Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx

This posting is provided "AS IS" with no warranties, and confers no rights.
March 8th, 2010 5:43am

Thank you for the link.

Unfortunately, unless I disable UAC it sounds like I still have the following options:

1. Give all users read access to E:. However, this is what I am trying to prevent.
2. Give only the Administrators group access to E:. However, if administrators browse there, they will automatically get individual permissions added to the directory, which is a security nightmare if they move to a different department later.
3. Create a duplicate group for administrators that is not called "Administrators" or "Domain Admins", and add the administrators individually into it also and give it permissions to the drive.

If we bypass UAC with #3, it brings up the question of why bother having UAC enabled on a non-web-browsing server. Is there any value? Any thoughts?
March 17th, 2010 8:03pm
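
A simplified model of the access check discussed in this thread, added here as an example and not code from any of the posters or from Microsoft. It shows why an ACL naming only Administrators rejects a UAC-filtered token, and why a dedicated group (option 3) or the per-user entry added by "Continue" lets the same token through. Group and account names are constructed, and the check is reduced to ordered allow/deny entries.

```python
# Simplified model of the Windows DACL check; all names below are constructed.
from dataclasses import dataclass, field

ADMINS = "BUILTIN\\Administrators"
USERS = "BUILTIN\\Users"
DRIVE_ADMINS = "CORP\\E-Drive-Admins"   # hypothetical dedicated group (option 3)
ALICE = "CORP\\alice"                   # hypothetical administrator account

@dataclass
class Token:
    user: str
    enabled: set                                  # matched by allow and deny entries
    deny_only: set = field(default_factory=set)   # matched by deny entries only

def elevated_token(user, groups):
    return Token(user, set(groups))

def filtered_token(user, groups):
    # UAC's standard-user token keeps the Administrators SID but marks it
    # deny-only, so allow entries for that group no longer match.
    groups = set(groups)
    return Token(user, groups - {ADMINS}, groups & {ADMINS})

def access_check(token, dacl, wanted):
    """dacl: ordered (kind, sid, rights) entries; wanted: set of rights."""
    remaining = set(wanted)
    allow_sids = token.enabled | {token.user}
    deny_sids = allow_sids | token.deny_only
    for kind, sid, rights in dacl:
        if kind == "deny" and sid in deny_sids and remaining & rights:
            return False
        if kind == "allow" and sid in allow_sids:
            remaining -= rights
        if not remaining:
            return True
    return False

FULL = {"list", "read", "write"}
GROUPS = [ADMINS, USERS, DRIVE_ADMINS]
admins_only = [("allow", ADMINS, FULL)]                      # the Windows 2003 ACL
with_group = admins_only + [("allow", DRIVE_ADMINS, FULL)]   # option 3
after_continue = admins_only + [("allow", ALICE, FULL)]      # Explorer's "Continue"
```

Checking `filtered_token(ALICE, GROUPS)` against `admins_only` is denied, while the same token passes `with_group` and `after_continue`; an account that is only in Users fails all three.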

I've also run into this exact same scenario. We do the exact same thing that the OP is describing; however, even when you launch explorer.exe by right-clicking and running as administrator, access to the drive is still prevented. I'm guessing that even though explorer is running with elevated rights, there is another layer of security that is being presented with lower level "user" rights. Was a workaround found or did the OP end up using a secondary group to gain access to the admin drive?
July 21st, 2010 9:35pm

This topic is archived. No further replies will be accepted.
