Deny access rights for members in group are not enforced

G Lukken 1 Reputation point
2020-08-24T11:25:27.83+00:00

Hello,

I'm using Windows 2016 standard server that is joined in a domain. The domain admins are placed in the local administrators group, but I don't want the domain admins to be able to write or change data on the D-drive of the server. I've set the following security access rights on the D-Drive:

User            Access          Access type   Scope
SYSTEM          Full Control    allow         This folder, subfolders and files
CREATOR OWNER   Full control    allow         Subfolders and files only
Users           Read & execute  allow         This folder, subfolders and files
Administrators  Full Control    allow         This folder, subfolders and files
Domain Admins   Special*        deny          This folder, subfolders and files

*: Create Files/write data; Create folders/append data; Write attributes; Write extended attributes; Delete subfolders and files; Delete; Change permissions; Take ownership

I would assume that due to the deny rights (overriding the allow rights), the Domain Admins should not be able to write/change anything on the D-Drive, but I can freely change anything on that drive when attaching the D drive from any computer in the network using a Domain Administrator account!

On the other hand, after explicitly denying the ('personal') DOMAIN\Administrator write access to the D-Drive (using the same special rights as for the Domain Admins group), the access rights are enforced correctly and the administrator cannot change anything on the drive.

Why are the Domain Admins group deny rights not enforced, while the 'personal' account is?

Regards,
Ge.


4 answers

  1. Vadims Podāns 9,116 Reputation points MVP
    2020-08-24T11:38:06.943+00:00

    What you are trying to do is not really doable. The Domain Admins group has the Take Ownership right on the AD domain level, and through local admin rights, thus they can easily take ownership of the object and modify permissions as they wish. Using Deny permissions is not a security control.

    If you don't trust your admins, fire and find another one. Or do not grant excessive permissions. Do not ever use Deny permissions. If you do -- you are doing something wrong.

    Why are the Domain Admins group deny rights not enforced, while the 'personal' account is?

    Because UAC does not include the Domain Admins group in the token of the Windows Explorer session. That is, Explorer doesn't recognize them as domain admins; as a result, Deny permissions are not enforced.

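    The answer above hinges on which group SIDs are actually present in the token that touches the drive. The following PowerShell script is an added diagnostic, not code from this thread: it lists every Deny ACE on a path (default `D:\`, from the question) and reports whether the denied SID is present in the current process token and with which attributes, so a Deny ACE that can never match is visible at a glance.

    ```powershell
    # Added diagnostic (not from the thread): compare the Deny ACEs on a path with the
    # groups actually present in the current process token, including their attributes.
    # Assumes it runs on the server itself; $Path defaults to the drive from the question.
    param([string]$Path = 'D:\')

    # whoami /groups reports every group SID in the token together with its attributes,
    # e.g. "Mandatory group, Enabled by default, Enabled group" or "Group used for deny only".
    $tokenGroups = whoami /groups /fo csv | ConvertFrom-Csv
    $byGroupSid = @{}
    foreach ($g in $tokenGroups) { $byGroupSid[$g.SID] = $g }

    # Collect only the Deny entries from the DACL on the target path.
    $denyAces = (Get-Acl -Path $Path).Access | Where-Object { $_.AccessControlType -eq 'Deny' }

    foreach ($ace in $denyAces) {
        # Translate the account name in the ACE to its SID so it can be matched against the token.
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # already a SID or unresolvable; match on the raw value
        }
        $inToken = $byGroupSid.ContainsKey($sid)
        [pscustomobject]@{
            DenyFor      = $ace.IdentityReference.Value
            Rights       = $ace.FileSystemRights
            Inheritance  = $ace.InheritanceFlags
            InToken      = $inToken
            # A Deny ACE can only take effect if the SID is in the token (enabled or deny-only).
            TokenAttribs = if ($inToken) { $byGroupSid[$sid].Attributes } else { '(SID absent from token)' }
        }
    }
    ```

    Run it from the same kind of session the access actually goes through: an SMB connection from another machine is served by a separate network-logon token on the server, so the interactive session's result can differ from what a remote client experiences.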

  2. Fan Fan 15,321 Reputation points Microsoft Vendor
    2020-08-25T01:48:02.817+00:00

    Hi,
    To know the issue more clearly, would you please tell me which permissions you set to deny for the domain admins?
    Actually, when I deny the write permission, domain admins weren't able to change anything under the folder.
    [Screenshot attachment: 19956-8252.png]


  3. G Lukken 1 Reputation point
    2020-08-26T14:31:25.347+00:00

    @Fan Fan :

    As mentioned in the question at the *, deny on the following special access rights:

    Create Files/write data
    Create folders/append data
    Write attributes
    Write extended attributes
    Delete subfolders and files
    Delete
    Change permissions
    Take ownership


  4. G Lukken 1 Reputation point
    2020-08-28T06:58:15.183+00:00

    I set it through the GUI. The effective access rights are full control on everything for any member of the domain admins group (!)