Unjustified Access Denied
I am running Windows 2008 Server Standard RC1 and have a directory that has the local Administrators group with full control on it. The Domain Admins group is a member of the local Administrators group. When I am logged in as a Domain Admin, I can read files and folders under this directory, but I cannot write to files. Using SysInternals Process Monitor I get an Access Denied as the Domain Admin I am logged in as. If I assign this specific Domain Admin user full control on this directory, the problem goes away. Why can I read but not write as Domain Admin on this directory?
January 15th, 2008 11:17pm
It may be a shot in the dark, but I would check to make sure that replication is working properly.
It is a remote possibility that the user that you are logging in as may be in the domain admins group on several DCs, but not the one the server that is denying your request is checking for authentication because the addition to the group never made it through the whole domain.
January 23rd, 2008 7:10pm
Since you have Process Explorer loaded already, check your process token. If you are logged on as _a_ domain admin, not _the_ domain Administrator (capitals intended) you are subject to User Account Control (UAC). You will see this manifested in the fact that your token has the Administrators SID set to Deny only, which means it can only be used to deny access.
You need to either access the files from an elevated command prompt, or grant access to Domain Admins, not to the local Administrators group.
<shameless plug>
BTW, this is documented in the forthcoming Windows Server 2008 Security Resource Kit (http://www.amazon.com/dp/0735625042?tag=protectyourwi-20). That book also comes with a tool that lets you launch an elevated instance of Windows Explorer, which lets you leave the ACL the way it is and access the files from the elevated window instead.
</shameless plug>
January 24th, 2008 5:52am
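Added example, not part of the thread: a PowerShell check for the token state described in the last reply, where the Administrators SID is present in the token but usable only for deny. The function name `Get-AdminTokenState` is hypothetical; the script assumes PowerShell 2.0 or later and English `whoami` column headers.

```powershell
# Added example: report whether BUILTIN\Administrators is present in the
# current token and whether it is enabled or filtered by UAC (deny-only).
function Get-AdminTokenState {
    $adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

    # whoami /groups lists every group SID in the token with its attributes.
    # Assumption: English column headers ("SID", "Attributes").
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $entry  = $groups | Where-Object { $_.SID -eq $adminSid }

    # IsInRole is true only when the SID is enabled in the token;
    # a deny-only SID does not count as membership.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $enabled   = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    if (-not $entry) {
        $state = 'NotMember'   # Administrators SID is not in the token at all
    } elseif ($enabled) {
        $state = 'Elevated'    # full token: allow ACEs for Administrators apply
    } else {
        $state = 'DenyOnly'    # filtered token: SID matches deny ACEs only
    }

    New-Object PSObject -Property @{
        User       = $identity.Name
        State      = $state
        Attributes = if ($entry) { $entry.Attributes } else { $null }
    }
}

$result = Get-AdminTokenState
$result | Format-List User, State, Attributes

if ($result.State -eq 'DenyOnly') {
    'ACEs that grant access to the local Administrators group are ignored for this process.'
    'Run from an elevated prompt, or grant access to Domain Admins directly.'
}
```

Running it once from a normal prompt and once from an elevated prompt shows the same account moving from `DenyOnly` to `Elevated`.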


