This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 79%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJE%3C/text%3E%3C/svg%3E)
Hi,
We have a server hosting an app, which runs as a domain account with run as service permissions.
The app relies on shares hosted on this same server, and dumps output of a task to those shares.
On the shares, we have a domain security group added with modify permissions, and domain admins with full control.
If I access the share from a remote machine using my domain admin account, I can access the share.
If I browse the folder the share points to, locally on that app server using my domain admin account, I can access the folder in its entirety.
However, if I try to browse the share locally on that app server, using my domain admin account, I am unable to load the share:
Can anyone think of any reason I would not be able to access the share from the server, and can only access it from a remote machine?
If I add EVERYONE with modify permissions to the share permissions, it works fine locally.
We don't really want to have EVERYONE on the share permissions, but without it, the app seems to be unable to dump files to the share locally, likely because it too is having issues accessing the share locally like I am.
Many thanks
James
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 79%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENJ%3C/text%3E%3C/svg%3E)
This is due to UAC. Even though your logged on as an admin, nearly everything you do is done with a standard user token.
Domain Admins is a special group.
You can probably resolve this by creating another security group and giving that group access to the share\folders, and then adding the accounts into the group (which I though was best practice for share\folder permissions).
You can also try running Explorer "as an admin" before trying to access the share.
I've done a test, and you seem to be right;
If I add myself to the other security group on the share, then log onto the server and access the share it works.
What confuses me, is if I log on as a domain admin, surely that security group membership is added to my security token at login?
If it is, does it not evaluate that particular group membership when browsing shares or folders like it does for other security groups?
The laptop I was testing from remotely doesn't have UAC enabled, so if it did, would I have expected the same behaviour when browsing remotely as well?
Cheers
James
Not 100% sure why myself. I've just seen it before and remembered it.
I think its related to the domain admins group. It's not a standard security group.
I suspect its a combination of the above. Running the task from the same server and using domain admins.
It must be something to do with accessing the shares locally from the server on which they are hosted, and how the security tokens/group memberships are evaluated, as testing from a remote machine with UAC enabled is fine.
The only instance it doesn't work is when accessing the shares locally.
Perhaps anyone else coming across this post may be able to clarify how the tokens/membership is evaluated in this scenario.
Many thanks
James
