Windows File Server – You don’t currently have permission to access this folder.

This in an issues that has been bothering me for quite some time and still exists in Windows Server 2012R2. With the introduction of Windows Vista came the first implementation of User Account Control (UAC) and with it, this Windows file server NTFS permission issue. For years I have just ignored it and carried on but during a recent File Server Migration I reviewed NTFS permission and noted that almost every Admin that had ever managed this File Server and been granted explicit access rights. Over the years this left quite a mess and some orphan entries in the ACL’s.

When accessing a folder on a Windows file server, it prompts saying “You don’t currently have permission to access this folder”.  We know this folder has the following permissions set on it:

  • Local Administrators – Full Control
  • Domain Administrators – Full Control
  • User Access Group – Full Control

permission_to_accessThe user account I use is a member of the Domain Admins as well as being nested in the local Administrator group on the File Server and hence I should have access to this folder. If I click continue to this prompt, UAC will automatically add my user name with full control permissions to the folder and all sub folders and files which I’m attempting to access.  With multiple administrators having done the same over the years this has resulted in unwanted user name ACL’s spread across folders and files throughout the file server making the permission structure a mess.

SOLUTION

There are three group policy settings are responsible for this behaviour which can be found under:

Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> Security Options

  • User Account Control: Admin Approval Mode for the Built-in Administrator account
  • User Account Control: Behaviour of the elevation prompt for administrators in Admin Approval Mode
  • User Account Control: Run all administrators in Admin Approval Mode

Set the policies settings as follows in the following order as per the screenshot below:

gpo_local_policiesI have used gpedit.msc to make the changes on the local File Server only. You can of course create a GPO and apply to all of your (File) Servers.

Now, when a administrators navigate the file server they are no longer prompted to add their account to NTFS permissions and in result making a mess of my NTFS permission structure.

Pages: 1 | 2 | Multi-Page

Leave a Reply

Your email address will not be published. Required fields are marked *