Can't change files in sysvol folder when access through UNC from DC

Question

Can't change files in sysvol folder when access through UNC from DC

Arnold MIshaev 216

Hi,

we're facing with weird issue, we can't change\add\create files under SYSVOL folder when we access through UNC from DCs.
but if we access to the SYSVOL folder through UNC from other servers in domain there is no issue to change\add\create files.

we're using domain admin user.

all servers in the domain are Windows server 2019 and we have 2 DC. only one forest,domain and site

so i think it's a default security policy in DCs, but i can't find where it's configured and it's seems to me very strange policy cause i didn't understand why there is need for it.

Does anyone know where it's configured and why?

rr-4098 2,051 Reputation points

2022-05-21T08:43:59.517+00:00

What is the exact error message you are getting? Are you accessing the server via IP or DNS name when accessing it using UNC?

10 answers

Your answer

rr-4098 2,051 Reputation points

2022-05-21T08:43:59.517+00:00

What is the exact error message you are getting? Are you accessing the server via IP or DNS name when accessing it using UNC?

Answer 1

Hi @Arnold MIshaev

The usual reason why this happen is because UAC is enabled on the DC. The main issue with UAC is that Windows Explorer will start always started with reduced permissions and there is no way to start an new instance of Windows Explorer with Run As Administrator, as there can only be one instance running, so will always use the reduced permissions instance of Explorer. The easiest way to confirm this is to start an instance of NotePad with Ran As Administrator right and try and create a file in the sysvol share.

Gary.

Answer 2

Arnold MIshaev 216

Hi @Gary Reynolds

Thanks for your respond.

but i have disabled UAC via control panel then rebooted the server and it doesn't help.
i also run "windows explorer" as Administrator and it appear to be same issue

Gary Reynolds 9,621 Reputation points

2022-05-20T22:03:28.623+00:00

What result did get when you tried to create a file with notepad running as administrator?

Answer 3

Arnold MIshaev 216

Hi @Gary Reynolds @rr-4098

I'm accessing via UNC path
I've attached the screenshot of the "error" message

Gary Reynolds 9,621 Reputation points

2022-05-21T23:00:09.363+00:00

And if you use notepad with run as administrator?

Answer 4

Arnold MIshaev 216

@Gary Reynolds

it's works i'm managed to create files
but after that i can't delete them from DC

Gary Reynolds 9,621 Reputation points

2022-05-22T09:26:50.91+00:00

As I mentioned above it sounds like the issue is caused by UAC, the administrator privileges have been removed from the user's access token, and Windows Explorer can't be run with administrator privileges. So unless the sysvol directory structures has write permissions to a groups other than administrators, domain admins will not have rights to write to the directory. This is why notepad with run as as administrator has rights to create the file.

You can check if UAC is limiting you privileges by using the whoami /groups

As shown above the pink highlighted groups are not included in the user access token, if these groups are used to grant access, then you will not have these rights and the access will fail.

If you are access a resource on the same server, whether it's via UNC, or drive map, it will use the restricted access token. If the sysvol share is accessed from a different server then you are not using a restricted access token and you have the rights to create and delete files. I'm not aware of any method to use Windows Explorer to get a unrestricted access token.

Gary.

Answer 5

rr-4098 2,051

Can you create a test file in the sysvol folder on one of the DC's without using the UNC path i.e C:\windows\Sysvol?

Arnold MIshaev 216 Reputation points

2022-05-22T12:17:41.14+00:00

yes i can

Share via

Can't change files in sysvol folder when access through UNC from DC

10 answers

Your answer