Admin cannot access file or folder on server but CAN access via share
I keep hating this "security feature" that is part of UAC but does not secure anything, but it does limit me managing a server.
Whenever I need to access a folder for which I have been granted permissions via the administrator group I cannot do what is needed until I add my current login account to the users that have personal access to that folder. I can also create another local group called RealAdmins, I put the same users in that are part of the local Administrators group and give the group RealAdmins Full access on the file system. I see that as a workaround as there simply is no security boundary that forces me to do this. I can simply go to \\server\C$\Directory and I DO have access to that special directory to which the Administrators group has access from ANY other system that can reach the server over the network, which is a lot LESS secure as to who can log on the server itself.
I was told that if I set the UAC to the lowest level, Never Notify, the problem would not exist, but it still does. By completely disabling the UAC via the registry I CAN access the specified folder where Admins have access. Please remove the ridiculous limit that slows me down performing maintenance on a server where I am part of the local Admins. It is a useless limit.
Karl Wester-Ebbinghaus (@tweet_alqamar) commented
Your approach is correct. The limitation is that Explorer does not run and cannot run elevated for security reasons, as Explorer and Windows Shell are deeply woven into each other.
Leave UAC enabled, add a new AD security group to the share (remove Everyone) and NTFS. Make the user that you need to access via Explorer part of this group.
Reason: same as the behaviour of GPOs, where you have to add Authenticated Users "read" (something you do not want on fileservers) to make it possible to enumerate group members in GPO security filtering. This is a similar limitation here with Explorer.
Second: do not administer fileservers locally. Use Server Core to prevent this. Everything can be done remotely via Windows Admin Center, Server Manager and Explorer. Promised.
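
The group-based setup described in the comment above, as an added PowerShell example that is not part of the original thread. The group, account, folder, share and server names are placeholders, and the choice of Modify/Change rights is an assumption to adjust to the role.

```powershell
# Added example. Every name below is a hypothetical placeholder.
$GroupName = 'FS-Data-Admins'       # new AD security group
$Member    = 'jdoe-admin'           # account that needs Explorer access
$Folder    = 'D:\Data\Restricted'   # folder currently ACLed to Administrators
$ShareName = 'Restricted'           # SMB share that publishes the folder
$Server    = 'FS01'                 # file server, managed remotely

# 1. Create the group and add the account (needs the RSAT ActiveDirectory module).
Import-Module ActiveDirectory
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $GroupName -Members $Member
$Identity = '{0}\{1}' -f (Get-ADDomain).NetBIOSName, $GroupName

# 2. On the file server: grant the group on NTFS and on the share,
#    and take Everyone off the share ACL. UAC stays enabled.
Invoke-Command -ComputerName $Server -ArgumentList $Identity, $Folder, $ShareName -ScriptBlock {
    param($Identity, $Folder, $ShareName)

    # NTFS: inheritable Allow ACE for the dedicated group.
    $acl  = Get-Acl -Path $Folder
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl

    # Share: add the group, then remove Everyone if it is present.
    Grant-SmbShareAccess -Name $ShareName -AccountName $Identity -AccessRight Change -Force | Out-Null
    if (Get-SmbShareAccess -Name $ShareName | Where-Object AccountName -eq 'Everyone') {
        Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force | Out-Null
    }

    # 3. Show the resulting ACLs for review.
    Get-SmbShareAccess -Name $ShareName |
        Select-Object AccountName, AccessControlType, AccessRight
    (Get-Acl -Path $Folder).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}
```

The account has to log off and on again before the new group appears in its token. In a non-elevated session on the server, `whoami /groups` lists BUILTIN\Administrators as "Group used for deny only", which is why an Allow ACE for Administrators alone does not grant Explorer access.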