NTFS Permissions - Access Denied even though Explicit Allow and no Deny

Posted by chris613 on Server Fault
Published on 2012-10-13T01:55:05Z Indexed on 2012/10/13 3:39 UTC

I'm hoping someone can help me with this NTFS permissions problem. The short version is that I can't write a new file in F:\SomeDir even though I seem to be granted full permissions via both the "Domain Admins" group and a second unprivileged group. The "Effective Permissions" tab in the explorer permissions UI shows that I have full control, and there are no "Deny"s anywhere in the ACL or anything else that looks unusual. I am logged into the machine over RDP and accessing the disk directly, not through a share.

F:\SomeDir>set U
USERDNSDOMAIN=THEOFFICE.LOCAL
USERDOMAIN=THEOFFICE
USERNAME=thisisme
USERPROFILE=C:\Users\thisisme

F:\SomeDir>icacls .
. BUILTIN\Administrators:(I)(F)
  CREATOR OWNER:(I)(OI)(CI)(IO)(F)
  THEOFFICE\Domain Admins:(I)(OI)(CI)(F)
  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
  BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
  BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files

F:\SomeDir>net group /domain "Domain Admins"
The request will be processed at a domain controller for domain THEOFFICE.local.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator        thatguy                  thisisme
The command completed successfully.

F:\SomeDir>echo "whyUNoCreateFile?" > whyUNoCreateFile.txt
Access is denied.

I searched for answers and came across similar problems that led to UAC (e.g. "Why does removing the EVERYONE group prevent domain admins from accessing a drive?"). I can't turn off UAC at the moment, so I tried a "regular" group that I'm also part of. This group has no special rights assignments and is not part of any administrative groups. Still no dice:

[***** This one command executed in an elevated shell *****]
F:\SomeDir>icacls . /grant THEOFFICE\iteveryone:(OI)(CI)F
processed file: .
Successfully processed 1 files; Failed processing 0 files


F:\SomeDir>net group /domain "iteveryone"
The request will be processed at a domain controller for domain THEOFFICE.local.

Group name     ITeveryone
Comment        

Members

-------------------------------------------------------------------------------
Administrator       thatguy                    thisisme
otherguy                someitguy
The command completed successfully.

F:\ScanningVMsForIBM>echo y > u
Access is denied.

As you can see, using a "regular" group didn't help. I have logged out and back in to the server to ensure my login token is up to date, and at any rate I belonged to these groups before the server was created.

If I grant explicit permission to myself, it does allow me to write files:

[***** This one command executed in an elevated shell *****]
F:\SomeDir>icacls . /grant THEOFFICE\thisisme:(OI)(CI)F
processed file: .
Successfully processed 1 files; Failed processing 0 files

F:\SomeDir>echo y > u

F:\SomeDir>type u
y

My requirement is for the "Domain Admins" group to have Full Control, or if that's not possible without disabling UAC, then a second group will do, but I can't get either to work.

I'm really stumped. Can someone please point out what I could be overlooking?

© Server Fault or respective owner
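An added example, not part of the original post: a small Python model for checking the UAC lead against the ACL shown above. It parses the first `icacls .` output from the post, skips inherit-only (IO) ACEs because they do not apply to the folder itself, and ignores allow ACEs for groups a token carries as deny-only (what `whoami /groups` reports as "Group used for deny only"). The two tokens are constructed assumptions, only allow ACEs with simple rights are modelled, and it does not account for the `iteveryone` result.

```python
import re

# icacls output copied from the post (ACL of the directory itself).
ICACLS = r"""
. BUILTIN\Administrators:(I)(F)
  CREATOR OWNER:(I)(OI)(CI)(IO)(F)
  THEOFFICE\Domain Admins:(I)(OI)(CI)(F)
  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
  BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
  BUILTIN\Users:(I)(OI)(CI)(RX)
"""

# Constructed tokens (assumption, not from the post): group -> True if the SID
# is enabled, False if it is present only as a deny-only SID (UAC filtered).
FILTERED = {
    r"BUILTIN\Administrators": False,
    r"THEOFFICE\Domain Admins": False,
    r"BUILTIN\Users": True,
}
ELEVATED = {g: True for g in FILTERED}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
WRITE_RIGHTS = {"F", "M", "W"}  # simple rights that include creating files

def parse_icacls(text):
    """Return [(trustee, flags, rights)] for each ACE line of icacls output."""
    aces = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith(". "):
            line = line[2:]  # the first ACE line is prefixed with the path
        trustee, _, perms = line.rpartition(":")
        parts = re.findall(r"\(([^)]+)\)", perms)
        flags = {p for p in parts if p in INHERIT_FLAGS}
        rights = {r for p in parts if p not in flags for r in p.split(",")}
        aces.append((trustee, flags, rights))
    return aces

def write_granting_aces(aces, token):
    """Trustees whose allow ACE lets this token create a file in the folder."""
    hits = []
    for trustee, flags, rights in aces:
        if "IO" in flags:  # inherit-only: applies to children, not this folder
            continue
        if not token.get(trustee, False):  # absent or deny-only: ACE ignored
            continue
        if rights & WRITE_RIGHTS:
            hits.append(trustee)
    return hits
```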
