Forum Discussion

christianhussing
Copper Contributor
Nov 15, 2024

Right click - new folder only....

Hey, I am deploying Windows 11 and Server 2022 with MDT.
During the setup as administrator, I am able to do a right click in Windows Explorer and select - New - New Textfile.
At the end of the task sequence I disable the "Administrator" and create new users which are members of the local administrators group.

 

With the login of the newly created user, the user only has the option - New - New Folder.

NTFS permissions are showing <hostname\Administrators>, which the user belongs to.

Only owned folders, like Documents, Downloads, Desktop, show more options when right-clicking.


If I set EnableLUA (User Account Control) from 1 (default) to 0, all the options come back after a system restart.

 

On a Windows Server 2022 installed from an ISO I cannot observe this behaviour.

What could be causing this limited context menu?
If I manually assign the permissions for the new user to a folder, e.g. C:\Driver, then the user sees more than the one option.

I just created a new user (completely after the MDT setup) and added this user to the local administrators group. This user also does have all the options for New....

Any ideas ?

3 Replies

  • Hey, thanks so far for your detailed answer. Here is what I checked.

    User Account Control: Admin Approval Mode for the Built-in Administrator account – Is Enabled.
    User Account Control: Run all administrators in Admin Approval Mode – Is Enabled.

    EnableLUA = 1 -> Reboot -> User has limited Set of New
    EnableLUA = 0 -> Reboot -> User has full Set of New
    EnableLUA = 1 -> Reboot -> User has limited Set of New

    Cannot reproduce that a newly created local Administrator can see the full set of "New" options.

    EnableLUA = 1 -> Reboot -> User has limited Set of New
    EnableLUA = 0 -> Reboot -> User has full Set of New
    Created new Local Administrator
    EnableLUA = 1 -> Reboot -> Login with new User -> Limited Set of New

    Added Local Admin explicit on NTFS permission on C:\Driver --> Full Set of new at this directory

    Check permissions under HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers
    -> contains <host>\Administrators with Full Access
    But also an unknown account - might be from the previous capturing ? (MasterImage)

    In MDT I disabled the task for setting the security policies (C.I.S.).
    But even without these policies I see the same behaviour.


    What do you think is the fault? Is it more a Windows bug or a configuration mistake? But I do not know what would cause this behaviour. I cannot explain to myself why a user who is part of the local administrators group does not have write permissions on folders, when the security tab is showing those permissions.

    Do you think it is worth using icacls.exe to re-set the permissions on drive C: to the user group Administrators before finishing the installation?

    By the way, partition D:, which gets created during the setup, does have normal permissions and I see the full option set of New.

    Tried to add an extra MDT task to reset the NTFS permissions for the local administrators group, but with the same result. 😔

  • Mks_1973
    Iron Contributor

    try these:

    Run gpedit.msc and navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
    Check the following policies:
    User Account Control: Admin Approval Mode for the Built-in Administrator account – Should be Enabled.
    User Account Control: Run all administrators in Admin Approval Mode – Should be Enabled.
    If these policies are disabled, the context menu options may not work correctly under UAC.


    Ensure the new user has the necessary NTFS permissions for the directories where they need access. While the user is in the Administrators group, UAC could prevent full permissions.
    To test, try manually assigning Full Control permissions to the C:\Drivers or another directory, and check if the user sees the full set of "New" options.
    This step is crucial because UAC might restrict write permissions even for administrators unless explicitly granted.


    For directories where you want the user to see more "New" options, change the ownership to the new user.
    Right-click the folder > Properties > Security tab > Advanced > Change Owner to the new user.
    Confirm if this resolves the limited menu options.


    If your MDT task sequence has any customizations or scripts related to permissions or group memberships, double-check that there isn’t anything affecting the newly created user's rights.
    Also, ensure that the task sequence doesn’t have steps that modify UAC settings, as this could be causing the behavior differences between the Administrator and newly created users.

    Check permissions under HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers to make sure they include Administrators with proper access.

     

    ------------------------------------------------

     

    If none of the above troubleshooting steps resolve the issue and EnableLUA = 0 is the only fix, consider if UAC is necessary for your environment. Disabling UAC is generally not recommended, but if your security policy allows it and the context menu options are essential, setting EnableLUA to 0 may be a practical solution.

    Alternatively, if the limited "New" options are only problematic in certain folders, focus on adjusting NTFS permissions and folder ownership for those specific directories rather than globally modifying UAC settings.

     

    • Mks_1973
      Iron Contributor

      This is not a Windows bug but a misconfiguration caused by MDT task sequences altering NTFS permissions, UAC settings, or security baselines. Possible leftover configurations or permissions from the base (master) image.

      Yes, resetting NTFS permissions with icacls is a worthwhile step to address potential misconfigurations.
      Explicitly granting full permissions to the Administrators group on C: ensures consistent behavior:

      icacls C:\ /grant Administrators:(OI)(CI)F /T

      Follow this with: takeown /F C:\ /R /D Y (To ensure ownership of all files and folders is assigned to Administrators)


      See below in detail:
      ++++++++++++++++++++++++++++++++++++++
      compare the NTFS permissions on C: vs D: using the command:

      icacls C:\ /T > C_Permissions.txt
      icacls D:\ /T > D_Permissions.txt


      Manually Reset NTFS Permissions to default:
      icacls C:\ /reset /T /C /Q
      (After resetting, verify if the issue persists.)


      Review the specific MDT task sequences modifying permissions, applying security baselines, or affecting UAC settings.
      Temporarily disable any task applying custom security configurations, and test the deployment without them to isolate the root cause.


      Since you mentioned manually assigning NTFS permissions resolves the issue, automate this using icacls in MDT, e.g.
      icacls C:\ /grant Administrators:(OI)(CI)F /T
      (Add this command as a post-deployment task to ensure all administrators have full permissions.)


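      Identify the unknown SID using PowerShell:
      $key = "Registry::HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers"   # HKCR: is not a default PowerShell drive
      Get-Acl $key | Format-List

      Remove the orphaned entry:
      $acl = Get-Acl $key; $acl.PurgeAccessRules([System.Security.Principal.SecurityIdentifier]"<SID>")   # drops every ACE for that SID from the key's ACL
      Set-Acl -Path $key -AclObject $acl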

      Recreate a fresh MDT deployment without customization to isolate potential deployment-induced issues. Compare the results with your current deployment.


      Change the owner of the C: drive recursively to Administrators:
      takeown /F C:\ /R /D Y
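
A read-only check for the symptoms discussed in this thread, as an added example that is not part of any post: it lists the ACEs on the paths mentioned above, marks SIDs that do not resolve to an account, and shows which allow ACEs still grant file creation to the current user once BUILTIN\Administrators is left out, as it is in the non-elevated token under UAC. The column names and the use of `CreateFiles` as the right to test are assumptions of this example.

```powershell
# Added example: read-only ACL audit; it changes nothing on disk or in the registry.
# Run it as the affected user. The paths are the ones named in the thread.
$targets = 'C:\', 'D:\', 'C:\Driver',
    'Registry::HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers'

# Model the non-elevated (filtered) token Explorer runs with when EnableLUA = 1:
# BUILTIN\Administrators (S-1-5-32-544) is deny-only there, so allow ACEs for it do not count.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$usableSids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value }) |
    Where-Object { $_ -ne 'S-1-5-32-544' }

$createFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

$report = foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $acl  = Get-Acl -LiteralPath $path
    $isFs = $acl -is [System.Security.AccessControl.FileSystemSecurity]
    # Request raw SIDs so entries that no longer resolve to an account stand out.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value; $resolved = $true }
        catch { $name = $sid.Value; $resolved = $false }
        # An allow ACE that applies to this folder itself and includes "create files".
        $grantsNewFile = $isFs -and $ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band $createFiles) -eq $createFiles -and
            -not ($ace.PropagationFlags -band $inheritOnly)
        [pscustomobject]@{
            Path               = $path
            Identity           = $name
            Type               = $ace.AccessControlType
            Rights             = if ($isFs) { $ace.FileSystemRights } else { $ace.RegistryRights }
            Inherited          = $ace.IsInherited
            Unresolved         = -not $resolved
            NewFileNonElevated = $grantsNewFile -and ($usableSids -contains $sid.Value)
        }
    }
}
$report | Format-Table -AutoSize -Wrap
```

An unresolved SID can also be a domain or capability SID that the machine cannot look up, so treat that flag as a prompt to check the entry, not as proof that it is orphaned.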






