The ServerAdministrators group *doesn't* have membership in DA - It's
completely outside of the DA infrastructure, and by that I also mean
that no DA account is part of that group - the ServerAdministrators
group gains local Administrator permissions via GPO assignment on the
Servers OU, and has no particular permissions anywhere else.

I have distinguished between server administrator accounts (in the
form of fname-server) and DA accounts (in the form of fname-admin). I
haven't gone to the point of removing these accounts (both server
admin and DA) from Domain Users, but the only other groups (besides
Domain Users) of which they are members are Domain Admins and Exchange
Administrators (for DA accounts) and ServerAdministrators and
Lync-related groups (for server admins).

So, colleague can access all drives on this box with his server admin
account, but when logged in (via RDP or the console) with his DA
account cannot access the E: drive except via an elevated command
prompt or Explorer prompt. I hadn't noticed this because I don't log
into member servers with my DA account.

Comparison of permissions between E: and F: - A reasonable question:

F: permissions
     Administrators: Full Control
     System: Full Control
     Creator Owner: Special (Full Control - Subfolders and Files Only)
     Users: Read and Execute (This folder, Subfolders and Files)
     Users: Create Folders / Append Data (This folder and subfolders)
     Users: Special (Create Files / write data - Subfolders only)
     Everyone: Special (This folder only)
          - Traverse folder / execute file
          - List Folders / read data
          - Read Attributes
          - Read extended attributes

E: permissions
     System: Full Control
     Administrators: Full Control
     ServerAdministrators: Full Control

As a matter of practice, I strip rights to non-OS volumes for all
accounts other than System and local Administrators. As needed, I add
them back in.

I can see that someone (recently departed) has added lots of
permissions to the F: drive - yuck. I'll bet that stripping out those
extraneous rights will result in the E: drive behaving the same as the
F: drive. I'm OK with that.

And....

Yup - stripping out all of those extraneous permissions on F: makes it
the same as E: - DAs don't have access except through an elevated
process. What's more interesting is that stripping out the explicit
permissions on the root of the drives for ServerAdministrators group
does the same thing - no access to the drive for members of the group
except through an elevated process - even though that group is a
member of the local Administrators group. However, adding explicit
permissions at the root of the drive remedies that, unlike adding
explicit perms for DAs, which I don't find intuitive.

I'll have to read through some more stuff to figure this out. When I
have time, which will probably be the 12th of never.

Kurt

On Tue, May 14, 2013 at 1:35 PM, Steve Kradel <[email protected]> wrote:
> It wouldn't matter if the custom "Server Administrators" group also had
> membership in DA -- only that there is a sufficient non-DA/non-Administrator
> ACE granting access on the resource and the current user has a corresponding
> SID in his Windows token.
>
> IMO the only question is, why are the permissions on E: different?  Normally
> the built-in "Users" group and "Authenticated Users" set would have access
> to read+list+execute at least the root on the volume.
>
> --Steve
>
>
> On Tue, May 14, 2013 at 2:30 PM, Kurt Buff <[email protected]> wrote:
>>
>> All,
>>
>> This is mostly of academic interest - I've DTRT, as I explain below...
>>
>> I have a new guy who has an interesting problem that I haven't run into
>> before.
>>
>> Server is 2008 R2. He can log into the console of the machine with his
>> DA credentials, but when he does so, he cannot access one of the
>> drives - unless he uses elevated credentials.
>>
>> There are three drives on this machine: C:, E: and F: - it's only the
>> E: drive that he's having problems with.
>>
>> I've found these two articles, which purport to explain what's
>> happening (it seems to be a UAC issue):
>>
>> http://serverfault.com/questions/75691/why-cant-i-browse-my-d-drive-even-if-im-in-the-administrators-group
>> and
>> http://technet.microsoft.com/en-us/library/cc731677%28WS.10%29.aspx
>>
>> But, if that's the issue, why then can he see the F: drive? The only
>> thing I can think of is that the F: drive is an external SAS array -
>> but the machine has a clean install of 2008R2 that was applied after
>> that hardware was installed, so that doesn't feel right.
>>
>> To rectify the issue, I've created a server administrator account with
>> no DA privileges, and added it to the ServerAdministrators group I
>> created and have propagated through a GPO - so there's no particular
>> issue at the moment, but I'd still like to hear if anyone knows if I'm
>> on the right track, or has solved it in a different fashion.
>>
>> Kurt
>>
>>
>
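
The behaviour discussed in this thread, as an added PowerShell example that is not part of the mailing-list posts: in an unelevated session UAC marks the Administrators and Domain Admins SIDs in the token as deny-only, so only Allow ACEs for unfiltered SIDs (Users, Everyone, a custom group such as ServerAdministrators) let the user open a volume root before elevation. The CONTOSO domain, the E: path and the -GrantCustomGroup switch are placeholders and assumptions of this example.

```powershell
# Added example, not from the thread. Shows why an unelevated admin token
# cannot open a volume root whose only Allow ACEs name Administrators or
# Domain Admins: UAC marks those SIDs "deny only", so only ACEs for other
# SIDs (Users, Everyone, a custom group) count until the process elevates.
# Assumptions: run unelevated on the server; $Path and $CustomGroup are
# placeholders for the E: drive and the ServerAdministrators group.
param(
    [string]$Path = 'E:\',
    [string]$CustomGroup = 'CONTOSO\ServerAdministrators',  # placeholder domain
    [switch]$GrantCustomGroup
)

# Relevant subset of the groups UAC turns into deny-only SIDs in a filtered
# token. The custom group is deliberately not matched by this pattern.
$FilteredPattern = '\\(Administrators|Domain Admins|Enterprise Admins|Schema Admins)$'

# 1. Which groups in the current (filtered) token are deny-only?
$denyOnly = whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.Attributes -match 'deny only' } |
    ForEach-Object { $_.'Group Name' }
"Deny-only groups in this token: $($denyOnly -join ', ')"

# 2. Which Allow ACEs on the root would still grant directory listing?
$token   = [Security.Principal.WindowsIdentity]::GetCurrent()
$mySids  = (@($token.User) + $token.Groups) | ForEach-Object { $_.Value }
$listDir = [int][Security.AccessControl.FileSystemRights]::ListDirectory

$usable = (Get-Acl -Path $Path).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -notmatch $FilteredPattern -and
    $_.PropagationFlags -notmatch 'InheritOnly' -and      # must apply to the root itself
    (([int]$_.FileSystemRights -band $listDir) -ne 0) -and
    $mySids -contains $_.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value
}

if ($usable) {
    "ACEs that grant listing of $Path without elevation:"
    $usable | Format-Table IdentityReference, FileSystemRights -AutoSize
} else {
    "No usable ACE: $Path needs an elevated process for this user."
}

# 3. The remedy observed in the thread: an explicit ACE at the root for the
# custom, unfiltered group. A Domain Admins ACE would not help, since that
# SID is deny-only in the filtered token as well.
if ($GrantCustomGroup) {
    icacls $Path /grant "${CustomGroup}:(OI)(CI)F"
}
```

Run it once from the user's ordinary RDP or console session, then again from an elevated prompt, to see the same ACL evaluated with and without the deny-only groups.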