This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 33%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi all,
Used to log on to our DC as domain\administrator but with more than one IT person now, wanted each admin to use their own admin-level account.
When using new admin account this morning, noticed that I could not change a .ini file in a program folder. It said I did not have enough rights.
I checked that:
so the new account should get inherited permissions first from Domain Admins and then from the domain's Administrators group (nested) - but obviously it doesn't.
Is there something funky on a DC where the rights do not show up correctly via inheritance?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Could be a UAC thing, might also try to run as administrator
--please don't forget to upvote and Accept as answer if the reply is helpful--
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 97%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Didn't seem to help. It seems like a folders permission thing.
whoami /groups
may provide something useful.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--
Although the tools mentioned here help to show what groups the user is in, so far it does not answer my question.
Let me backup and say that this is on a domain controller - I wonder if it does something funky with how it expands groups etc. I know that DC's do not have local groups.
If I used the effective permissions tool from the folder properties dialog, it shows that my account, let's call it "MyAdmin", has rights to this folder.
But I cannot create a file in this folder or change an existing config.ini file
Here is what I see in AD UAC for this account:
so "MyAdmins" is not directly part of mydomain\Administrators but is indirectly a member via mydomain\Domain Admins
Two questions:
Thanks.
Another option is from this dialog select the user account and view the effective permissions
--please don't forget to upvote and Accept as answer if the reply is helpful--
A couple of additional things to try:
If any of these options work the issue is probably due to UAC, as you can't start explorer with run as administrator, and will always have the administrator rights removed.
You can review the settings with secpol.msc
Gary.
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--
Have a look at this tool which allows you see the permissions that have been assigned and then use the Trust Mode against the new admin account and the existing admin account to see if they have different permissions.
https://nettools.net/acl-viewer/
Gary.
Thanks. downloaded and it's a nice graphical layout. Could not figure out though if it gave the ability to see the effective permissions for an AD account. I thought maybe the "trustee" button might have done that. If it is supposed to do that, could you give me a brief step by step on how to use it to get effective permissions? thanks.