Server 2008R2 - File Servers - Strange permissions error...
Hi,

Got a strange one here - relating to permissions on two of our storage servers - here goes.

We set up some new administrator accounts last week, making them members of the "DOMAIN\Domain Admins" group. When attempting to access a couple of locations on the servers, they are not granted permissions - for this example:

SERVER01 - Local = D:\Redirection - Shared = "\\SERVER01\redirection"
SERVER02 - Local = D:\SharedArea - Shared = "\\SERVER02\sharedarea"

D:\Redirection on SERVER01 has permissions for "DOMAIN\Domain Admins" set to Full Permission - This folder, subfolders and files. The new administrator accounts cannot access these folders without it stating "You do not currently have permission to access this folder. Click continue to get access to this folder."

D:\SharedArea on SERVER02 has permissions for "DOMAIN\Domain Admins" set to Full Permission - This folder, subfolders and files. The new administrator accounts cannot access these folders without it stating "You do not currently have permission to access this folder. Click continue to get access to this folder."

If I log onto SERVER02, and browse to \\SERVER01\redirection - I can access the folder without issue.
If I log onto SERVER01, and browse to \\SERVER02\SharedArea - I can access this folder without issue.

If I log into the old "DOMAIN\Administrator" account, I have no issues browsing these shares from the server, or remotely.

If I explicitly add "DOMAIN\NewAdministrator", there is no issue browsing the share from the server, or remotely - however the purpose of having groups is for this very reason.

Any advice / recommendations would be great - this is getting frustrating and I don't want to be changing permissions on our entire redirection share until I have a solid solution (the shared area I can easily play with).

Cheers.

Many thanks, Simon Roberts
February 8th, 2012 6:54am

Hi Simon,

This behaviour is by design and is linked in with how the UAC strips out well-defined administrative tokens when the user logs on locally. As you've already pointed out, the Administrator account - which itself is a well-defined SID, remains unaffected.

That being said, there's a remarkably simple solution to this and that is to use a shadow group:

1. Create either a local group on the affected file servers or just a domain global group - either approach is fine
2. Add the Domain Admins group to this newly created group
3. Edit the folder permissions, double-click on the existing Domain Admins ACE and change the group over to the new group you just created
4. Log off and back on again, and you won't have the elevated access prompt bothering you

The "elegant" part of this solution is that you do not have to maintain membership of this new group manually, as it's still related to the group expansion process of the original Domain Admins.

Cheers, Lain
February 8th, 2012 7:42am
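
The shadow-group steps from the reply above, written out as a script for the local-group variant on SERVER01. This is an added example, not part of the thread; the group name FS-Admins and the helper Invoke-Native are assumptions.

```powershell
# Added example, not from the thread. Run from an elevated prompt on the file server.
$Folder      = 'D:\Redirection'        # folder from the question
$OldGroup    = 'DOMAIN\Domain Admins'  # group named in the existing ACE
$ShadowGroup = 'FS-Admins'             # hypothetical name for the new local group

function Invoke-Native {
    # Run a native tool and stop on a non-zero exit code, so a failed step
    # never leads to the old ACE being removed without a replacement in place.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Steps 1-2: create the local group and nest Domain Admins inside it.
Invoke-Native net @('localgroup', $ShadowGroup, '/add')
Invoke-Native net @('localgroup', $ShadowGroup, $OldGroup, '/add')

# Step 3: grant the shadow group Full control on "This folder, subfolders and
# files" ((OI)(CI)F) first, then remove the explicit grant for Domain Admins.
Invoke-Native icacls @($Folder, '/grant', "${ShadowGroup}:(OI)(CI)F")
Invoke-Native icacls @($Folder, '/remove:g', $OldGroup)

# Review the resulting ACL before anyone relies on it.
Invoke-Native icacls @($Folder)

# Step 4, after logging off and back on as one of the new admin accounts:
# in a non-elevated session Domain Admins is expected to be listed as
# "Group used for deny only", while the shadow group is listed as enabled.
whoami /groups | Select-String -SimpleMatch -Pattern 'Domain Admins', $ShadowGroup
```

Anyone added directly to the shadow group gets Full control on the folder without being a Domain Admin, so keep Domain Admins as its only member and review its membership the same way.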

Lain,

Many thanks for this, I will give this a go this afternoon.

Does this same design affect the "SERVER01\Administrators" group? I attempted to add the accounts to the local administrators group and had the same problem (SERVER01\Administrators has Full permissions on the folder).

Simon

Many thanks, Simon Roberts
February 8th, 2012 9:25am

Yes Simon, it certainly does. Both the local Administrators and Domain Admins are subject to the same treatment by the UAC at the token level when a user with either membership (or both) logs on. Cheers, Lain
February 8th, 2012 9:32am

Lain,

I replaced all of the "DOMAIN\Domain Admins" groups on our file shares yesterday and tested them all with the new administrator accounts - everything is now working as it should.

Cheers!

Many thanks, Simon Roberts
February 10th, 2012 4:44am

So... what is the point of having a domain with all of these credentials if I just have to enter accounts on the file server? Really? What is the point of a domain?
May 15th, 2012 4:05pm

This topic is archived. No further replies will be accepted.
