NTFS Permissions - Access Denied even though Explicit Allow and no Deny
- by chris613
I'm hoping someone can help me with this NTFS permissions problem. The short version is that I can't write a new file in F:\SomeDir even though I seem to be granted full permissions via both the "Domain Admins" group and a second unprivileged group. The "Effective Permissions" tab in the explorer permissions UI shows that I have full control, and there are no "Deny"s anywhere in the ACL or anything else that looks unusual. I am logged into the machine over RDP and accessing the disk directly, not through a share.
F:\SomeDir>set U
USERDNSDOMAIN=THEOFFICE.LOCAL
USERDOMAIN=THEOFFICE
USERNAME=thisisme
USERPROFILE=C:\Users\thisisme
F:\SomeDir>icacls .
. BUILTIN\Administrators:(I)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
THEOFFICE\Domain Admins:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
Successfully processed 1 files; Failed processing 0 files
F:\SomeDir>net group /domain "Domain Admins"
The request will be processed at a domain controller for domain THEOFFICE.local.
Group name Domain Admins
Comment Designated administrators of the domain
Members
-------------------------------------------------------------------------------
Administrator thatguy thisisme
The command completed successfully.
F:\SomeDir>echo "whyUNoCreateFile?" > whyUNoCreateFile.txt
Access is denied.
I searched for answers and came across similar problems that lead to UAC (ex. Why does removing the EVERYONE group prevent domain admins from accessing a drive? ). I can't turn off UAC at the moment, so I try a "regular" group that I'm also part of. This group has no special rights assignments and is not part of any administrative groups. Still no dice:
[***** This one command executed in an elevated shell *****]
F:\SomeDir>icacls . /grant THEOFFICE\iteveryone:(OI)(CI)F
processed file: .
Successfully processed 1 files; Failed processing 0 files
F:\SomeDir>net group /domain "iteveryone"
The request will be processed at a domain controller for domain THEOFFICE.local.
Group name ITeveryone
Comment
Members
-------------------------------------------------------------------------------
Administrator thatguy thisisme
otherguy someitguy
The command completed successfully.
F:\ScanningVMsForIBM>echo y > u
Access is denied.
As you can see, using a "regular" group didn't help. I have logged out and back in to the server to ensure my login token is up to date, and at any rate I belonged to these groups before the server was created.
If I grant explicit permission to myself, it does allow me to write files:
[***** This one command executed in an elevated shell *****]
F:\SomeDir>icacls . /grant THEOFFICE\thisisme:(OI)(CI)F
processed file: .
Successfully processed 1 files; Failed processing 0 files
F:\SomeDir>echo y > u
F:\SomeDir>type u
y
My requirement is for the "Domain Admins" group to have Full Control, or if that's not possible without disabling UAC, then a second group will do, but I can't get either to work.
I'm really stumped. Can someone please point out what I could be overlooking?