Steps to reproduce:

Assume the computer is named FISHIE and it's on an AD domain called example.com:

# Example 1: a local folder

1. Create a folder
2. Set security on it as follows:
   - Remove all existing permissions and inheritance
   - Grant full control to FISHIE\Administrators
3. Add "Domain Users" to FISHIE\Administrators
4. Log in on FISHIE as a domain user, and attempt to enter the folder.

Expected behaviour: a user in the Domain Users group should be able to access the folder because Domain Users is in FISHIE\Administrators and the latter has full access to the folder.

Actual behaviour: access denied.

This appears to affect shares as well, sometimes?
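
The reproduction steps above as a PowerShell sketch, with a check of the logon token for step 4. This is an added example, not part of the original post; the path `C:\ReproFolder`, the NetBIOS domain name `EXAMPLE`, both function names and the English `whoami` column names are assumptions.

```powershell
# Added example: scripted version of the steps in the post plus a diagnostic.
# Assumed names (not from the post): C:\ReproFolder, NetBIOS domain EXAMPLE.
$AdminsSid = 'S-1-5-32-544'   # well-known SID of the local Administrators group

function New-ReproFolder {
    # Steps 1-3. Run from an elevated prompt on FISHIE.
    param(
        [string]$Path   = 'C:\ReproFolder',
        [string]$Member = 'EXAMPLE\Domain Users'
    )
    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    # Drop inheritance and the inherited ACEs, then grant Full control
    # (inherited by subfolders and files) to local Administrators only.
    icacls $Path /inheritance:r | Out-Null
    icacls $Path /grant:r "*$($AdminsSid):(OI)(CI)F" | Out-Null

    # Step 3: nest the domain group inside the local Administrators group.
    Add-LocalGroupMember -SID $AdminsSid -Member $Member

    icacls $Path    # print the resulting ACL for the record
}

function Test-ReproAccess {
    # Step 4. Run as the domain user after a fresh logon on FISHIE.
    param([string]$Path = 'C:\ReproFolder')

    # whoami /groups lists every group SID in the current token with its
    # attributes. An entry marked "Group used for deny only" is matched
    # against Deny ACEs only and cannot satisfy an Allow ACE.
    # Column names (SID, Attributes) assume an English-language system.
    $entry = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -eq $AdminsSid }

    # Try to enter the folder and record whether the listing succeeds.
    $canList = $true
    try   { Get-ChildItem -Path $Path -ErrorAction Stop | Out-Null }
    catch { $canList = $false }

    [pscustomobject]@{
        User                     = whoami
        AdministratorsInToken    = [bool]$entry
        AdministratorsAttributes = $entry.Attributes
        CanListFolder            = $canList
    }
}
```

Comparing the output of `Test-ReproAccess` from a normal prompt and from an elevated one shows whether the Administrators entry in the token differs between the two.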