Hi,I have a Windows 2008 Server SP2, that is a domain member, I have made a domain user a member of the local administrators group.When I logon with this user to test, it doesn't get the rights. I.e. I browse the file system and any folders that require administrator permissions I get access denied if I check on the UAC prompt I can get permission but Read and Execute. It doesn't seem to be picking up that the user is a member of the local adminsAnyone have any ideas how to fix this? ThanksGareth

You can see all effective group memberships in your user token by starting a cmd.exe and run the command "whoami /groups" command. Does it list the local administrator account?

Thanks for reply,The account lists the BUILTIN\Administrators group, is this the local administrators?ThanksGareth

Yes, that is the local administrators group which means that the user is properly included and should be able to access the files and folders that require administrator access. What to the Access ControlEntries look like for the folders you are trying to access and where are the files and folders located?

Administrators Full Control, If I do effective permissions on the folder for the user it returns Full Control also, but when I access the folder I get the UAC prompt saying I don't have access. I can give myself access but it adds my user with read and execute.I must be getting some of the administrator functions as I can do this, and other things like view all the hardware without restrictions, add users to groups etc.ThanksGareth

Hi Gareth, Do you mean that you cannot perform any administrative task with this user account? Please logon the server with the user account, run services.msc and let me know the result. Does the system prompt for consent or for credentials for a valid administrator account? You may refer to the UAC User Experience section at http://technet.microsoft.com/en-us/library/cc507861.aspx. Meanwhile, in order to narrow down the cause of the issue, please temporarily turn off UAC on the Windows Server 2008 computer to see if the issue goes away. Turn User Account Control on or off http://windows.microsoft.com/en-US/windows-vista/Turn-User-Account-Control-on-or-off Joson Zhou TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.comThis posting is provided "AS IS" with no warranties, and confers no rights.

Hi,Yes when I run services.msc as the user I get the UAC Prompt I just continue through I am can also services mmc and stop and start services etc.I have turned UAC off, I will need to schedule in reboot though....Does UAC run down to the file system then?ThanksGareth

Hi, Thanks for your update. The test result indicates that the user account has permission to perform administrative task. Based on the current situation, a possible cause of the issue is that the ACL of the folder is too restricted. With UAC enabled, the administrators full access token is split into two access tokens: standard user token and administrative token, in order to protect the system. The standard token is then used to launch explorer.exe. Therefore, you may encounter some unexpected behaviors when you try to access the file system with the users standard token. You can run the command cacls FolderPath to dump the ACL of the folder and post the output here for further research.This posting is provided "AS IS" with no warranties, and confers no rights.

Hi,How's everything going? I've not heard back from you in a few days and wanted to check the current status of the issue. If you need any further assistance, please do not hesitate to respond back.Thanks.This posting is provided "AS IS" with no warranties, and confers no rights.

The same problem is in Windows Vista, 7 and Windows Server 2008 and 2008 R2 (All OS's with UAC)I have set rights to the root of drive D that only the group administratos and System have Full Control.When I am logded on as Administrator I have Full ControlWhen I am logged on as another user (who is also a member of the adrministrators group) I get an Access is deniedYou have to disable UAC to gain access to the folders.In Windows XP (and below) or Server 2003 R2 (and below) you don't have this problem, because UAC does not exist in these OS's.Somehow I am missing the point WHY UAC would block folder access. But I am sure Microsoft has their reasons.Kind regards

Any resolution to this issue? I'm experiencing the same problem. The only solution I have found is disabling UAC by running 'Start' --> 'Run' --> 'msconfig' --> 'Tools' --> 'Change UAC Settings' --> 'Launch' --> 'Never Notify'. This appears to turn off UAC, which seems a little drastic.

This only turns off the notifications when something is changed. Still doesn't allow total administrative access.

It appears with Windows 2008 R2, making a user a member of the Administrators group is not enough. Logon as Administrator Go to Control Panel -> User Accounts, select the user you want to make an administrator, select Account Type and change the radio botton a "Standard User" to "Administrator".

Correction to the previous post, it should read: Logon as Administrator Go to Control Panel -> User Accounts, select Manage another account, select the user you want to make an administrator, select Account Type and change the radio button to "Standard User" to "Administrator" and click Change Account Type button.

We have the same problem at my company. The admins do not have a local account which i could change to account type "Administrator". Every admin has an AD account, which are members of an AD group which is member of the local administrators group, but unable to access folders where the local administrators groups have full access. I need to assign folder permissions to the AD group directly, otherwise they are unable to access the files and folders. Because we have many independent folders which do not inherit their permissions from above this is a real pain. What could we do?

I'm experiencing a very similar issue on Windows Server 2008 Standard SP2. Some folders/files have permissions for a Group I have created and the Administrator group. Everyone including the Default Administrator has access. The only one that doesn't is my created account which has been added to the local administrators group. I can manually edit the Folder/File Permissions to get in there, but it's quite annoying considering the Administrator group is in there, and my account is apart of this group. Any other updates on the issue for everyone else?

Is there a solution to this as we have this problem on a lot of servers ?

Hi, is there a solution to this yet as we have the same problem on a lot of servers and would prefer not to turn off uacGarry IT Project manager

I'm having the same issue. I created a user, added him to the administrator group, but he doesn't have admin rights. Can't create folders, can't run as service, etc. It looks like if I use one of the solutions here, go through control panel and access his user account there and change him to an administrator, that will probably work. Unfortunately, I can't test that right now, since our primary application is running under his login, so I can't change his account type. I'll try this evening to log him off, change his account type and have him log back on in the morning and try to run the app as a service. I'll report back here and let everyone know. Why would a user who is added to the admin group not be an admin? And why is this a feature of control panel instead of computer management?

Well, that didn't do it. My user still can't do things. Is anyone at Microsoft still monitoring this discussion? Why would you have an administrator group that doesn't have administrator privileges?

First off, Windows Explorer cannot be run elevated, which will result in any user member of the administrators group not be seen by Windows Explorer as an adminisrtrator, that is the effect of UAC acting and is by design. I've witten some words about a few of the problems this produce at http://www.theexperienceblog.com/2010/09/18/case-of-the-mysterious-issues-in-windows-7-and-windows-server-2008-r2/ Blogging about Windows for IT pros at www.theexperienceblog.com

So then the "fix" is to disable UAC, so that anyone who is a member of the adminstrator group actually gets the privileges we anticipate he/she should get? I can do that. It just seems to defeat the purpose of both the Administrator group AND the UAC.

The only solution I see is to disable UAC. You can install various antivirus programs that give you UAC like capabilities without interfering with User Permissions. FortiClient with enable startup list monitoring is one such program.

What are the options here (disable AUC)? We are seeing the same type of issue with our windows 2008 r2. Why would Microsoft not give the option "Run as" in windows explorer - will this be in any service packs or perhaps a hotfix?

A similar problem applies to printers - couldn't work out why adding a domain user account to the local administrators group would not allow the user to add a local printer as per the local administrator account. Same solution, so thank you.