Forum Discussion
Right click - new folder only....
Try these:
Run gpedit.msc and navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
Check the following policies:
User Account Control: Admin Approval Mode for the Built-in Administrator account – Should be Enabled.
User Account Control: Run all administrators in Admin Approval Mode – Should be Enabled.
If these policies are disabled, the context menu options may not work correctly under UAC.
Ensure the new user has the necessary NTFS permissions for the directories where they need access. While the user is in the Administrators group, UAC could prevent full permissions.
To test, try manually assigning Full Control permissions to C:\Drivers or another directory, and check if the user sees the full set of "New" options.
This step is crucial because UAC might restrict write permissions even for administrators unless explicitly granted.
For directories where you want the user to see more "New" options, change the ownership to the new user.
Right-click the folder > Properties > Security tab > Advanced > Change Owner to the new user.
Confirm if this resolves the limited menu options.
If your MDT task sequence has any customizations or scripts related to permissions or group memberships, double-check that there isn’t anything affecting the newly created user's rights.
Also, ensure that the task sequence doesn’t have steps that modify UAC settings, as this could be causing the behavior differences between the Administrator and newly created users.
Check permissions under HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers to make sure they include Administrators with proper access.
------------------------------------------------
If none of the above troubleshooting steps resolve the issue and EnableLUA = 0 is the only fix, consider if UAC is necessary for your environment. Disabling UAC is generally not recommended, but if your security policy allows it and the context menu options are essential, setting EnableLUA to 0 may be a practical solution.
Alternatively, if the limited "New" options are only problematic in certain folders, focus on adjusting NTFS permissions and folder ownership for those specific directories rather than globally modifying UAC settings.
- Mks_1973, Nov 18, 2024, Iron Contributor
This is not a Windows bug but a misconfiguration caused by MDT task sequences altering NTFS permissions, UAC settings, or security baselines. Possible leftover configurations or permissions from the base (master) image.
Yes, resetting NTFS permissions with icacls is a worthwhile step to address potential misconfigurations.
Explicitly granting full permissions to the Administrators group on C: ensures consistent behavior:
icacls C:\ /grant Administrators:(OI)(CI)F /T
Follow this with: takeown /F C:\ /R /D Y (To ensure ownership of all files and folders is assigned to Administrators)
See below in detail:
++++++++++++++++++++++++++++++++++++++
Compare the NTFS permissions on C: vs D: using the commands:
icacls C:\ /T > C_Permissions.txt
icacls D:\ /T > D_Permissions.txt
Manually Reset NTFS Permissions to default:
icacls C:\ /reset /T /C /Q
(After resetting, verify if the issue persists.)
Review the specific MDT task sequences modifying permissions, applying security baselines, or affecting UAC settings.
Temporarily disable any task applying custom security configurations, and test the deployment without them to isolate the root cause.
Since you mentioned manually assigning NTFS permissions resolves the issue, automate this using icacls in MDT, e.g. icacls C:\ /grant Administrators:(OI)(CI)F /T (add this command as a post-deployment task to ensure all administrators have full permissions).
Identify the unknown SID using PowerShell:
Get-Acl -Path "Registry::HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers" | Format-List
Remove the orphaned entry:
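$key = "Registry::HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers"; $acl = Get-Acl -Path $key
$acl.PurgeAccessRules([System.Security.Principal.SecurityIdentifier]"<SID>"); Set-Acl -Path $key -AclObject $acl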
Recreate a fresh MDT deployment without customization to isolate potential deployment-induced issues. Compare the results with your current deployment.
Change the owner of the C: drive recursively to Administrators:
takeown /F C:\ /R /D Y
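The checks suggested in this thread (the two UAC Security Options and the ACL on the ContextMenuHandlers key) can be collected in one read-only pass before anything is changed; the script below is an added example, not part of the original posts. The function names are hypothetical, and it assumes the two policies are stored as the FilterAdministratorToken and EnableLUA values under the Policies\System key.

```powershell
# Added example: read-only audit, changes nothing. Run from an elevated prompt.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$menuKey   = 'Registry::HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers'

function Get-UacPolicyState {
    # Registry values behind the two Security Options named in the thread.
    $map = [ordered]@{
        FilterAdministratorToken = 'Admin Approval Mode for the Built-in Administrator account'
        EnableLUA                = 'Run all administrators in Admin Approval Mode'
    }
    $props = Get-ItemProperty -Path $policyKey
    foreach ($name in $map.Keys) {
        $prop = $props.PSObject.Properties[$name]
        [pscustomobject]@{
            Policy = $map[$name]
            Value  = $name
            State  = if ($null -eq $prop) { 'Not set' }
                     elseif ($prop.Value -eq 1) { 'Enabled' }
                     else { 'Disabled' }
        }
    }
}

function Get-KeyAclReport {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Ask for raw SIDs so entries that no longer map to an account stay visible.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        try   { $account = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $null }   # SID does not resolve to an account name
        [pscustomobject]@{
            Sid       = $rule.IdentityReference.Value
            Account   = if ($account) { $account } else { '<unresolved>' }
            Rights    = $rule.RegistryRights
            Type      = $rule.AccessControlType
            Inherited = $rule.IsInherited
        }
    }
}

Get-UacPolicyState | Format-Table -AutoSize
"Owner: $((Get-Acl -Path $menuKey).Owner)"
$report = Get-KeyAclReport -Path $menuKey
$report | Format-Table -AutoSize
# An unresolved SID is only a candidate; confirm what it belonged to before removing it.
$report | Where-Object Account -eq '<unresolved>' |
    ForEach-Object { "Unresolved SID, review before removing: $($_.Sid)" }
```

Running it on both a working machine and an affected one and comparing the two outputs shows which of the settings discussed here actually differs.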