Your post does not show which application is attempting to modify the object. Under normal conditions, an application can ask for UAC permissions and may elevate itself to have elevated privileges. I will assume the application is running with Standard User Rights:
Standard User Rights - For example, when Explorer is opened the standard Windows user token (to simplify this topic, let's call the token 'token Standard') is invoked. Any application that runs and requires elevation via UAC may be unable to perform under Administrators permissions.
Administrator Rights (elevated) - If you were to select 'Run As Administrator' to open Explorer or the application involved accessing the object, then the user credentials run under the other token (let's call that 'token Admin'). In this case, any application that runs and requires elevation via UAC will be able to rely on the Administrators Permissions, which in your case are Allow=FULL.
I have discovered these 2 conditions when assigning network shares, or mapped drive letters, or using the SUBST command to substitute a drive letter for a network or local path. The program I open to do any of these assignments will create the assignment under either 'token Standard' or 'token Admin'. If under token Admin', then the Standard user may not see the mapped drive letters.