I'll try to provide a simple example of something I find perplexing:

1. Folder_1 has access rights which include full access to the Administrators group.
2. I'm logged in as User_A which is a member of the Administrators group.
3. When I try to open Folder_1, I get the message, "You don't currently have permission to access this folder. Click Continue to permanently get access to this folder."
4. If I click Continue, User_A is added to Folder_1's permissions list with full rights.

So, first of all, why am I not simply allowed to access the folder in step 3?

Secondly, doesn't adding explicit permissions for User_A in step 4 override the benefit of using security groups rather than individual user accounts when assigning file system rights?

Amongst other problems, if I remove User_A from the Administrators group, the user will still have access to this folder!

Someone please explain the logic here, or what the right way to assign these rights would be.

 

 

Hello Oscar!

It seems like you need to turned off the UAC and then reboot. Must be work as you (and everybody) expect it would be. =)

Regards,

Hi,

 

This message "You don't currently have permission to access this folder. Click Continue to permanently get access to this folder" is usually casued by the UAC feature. UAC does this by asking you for permission or an administrator‌ password before performing actions that could potentially affect your computer's operation or change settings that affect other users.

 

To ensure the problem is caused by UAC, you can temporarily disable UAC and test if users in Administrators group can access Folder_1 without the message. For security purpose, please enable it after test.

 

For more information about UAC, please refer to:

 

User Account Control Step-by-Step Guide

http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx

 

Hope it helps.

 

Regards,

Bruce

• Marked as answer by Bruce-Liu Wednesday, September 07, 2011 7:48 AM

I haven't had a chance to try it yet, but assuming this is a "by design" feature of UAC, what's the logic behind it?  Do you see how it invalidates the use of administrative groups?

 

Did you ever get any clarification on this?  We've been running 2008 R2 for a while now and haven't noticed this 'feature' until recently.  I agree it doesn't make any sense, if you already implicitly have access via a security group why would you want to explicitly grant permissions via an ACL associated with a user account??