So, recently we had the need to add a member of staff as a domain/server administrator on our new Server 2016 domain*. After doing that, despite him being in the administrators group and that group having full control, when accessing the data drive he got Access Denied to data drive for an Administrator.
* I know, I know, “don’t give end users admin rights under any circumstances”. But it turns out as we’re only IT, that’s not our decision.
So, this makes very little sense, the new admin account is a copy of the default administrator account, therefore a member of all the same groups – but when trying to access our data drive “Access Denied”.
When viewing the security tab on this drive, we were given the following error:
However, clicking continue then shows the current security as administrators having full control and ownership. “Great”, we thought, that seems to have sorted it. No such luck – we still couldn’t access D:.
After some digging around, we found the following policy in GPEdit (local group policy editor on the server). “User Account Control: Run all administrators in Admin Approval Mode” (found in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options)
The fix is simple. Set this to disabled in GPEdit on your server, give it a restart when possible, and you’re fixed!
Please be aware – this policy is enabled as default for security purposes and should not be disabled without considering the possible consequences. We decided that in our circumstances the pros outweighed the possible cons and made everyone aware of the changes we’d made. My suggestion is to read up on this and other similar policies before making the change.