Setup:
The machine has been joined to the domain and the Domain Admins group is part of the local administrators group.
I set it up so that the local Administrators group has full control, the domain\Domain Admins group has full control, and the built-in SYSTEM user has full control.
Problem:
When you work locally (NOT over RDP) on the server and have UAC activated, you lose permissions to the folder as a domain administrator user.
Why:
Starting with Windows Vista/Windows 2008, UAC was added to help increase the security level.
If UAC is enabled, all accounts that belong to the Administrators group (except the Administrator account) actually run as a standard user. They have permission to "run as administrator" when they need to access or modify system files and/or the registry.
Thus, if we only add Administrators to the NTFS permissions, only the Administrator account can access the file without "run as admin".
Solution:
The workaround is:
a) To disable UAC on the Domain Controller (not recommended)
b) Create a new group with all administrator accounts and add the group to the NTFS permissions as well.
The UAC filtering only happens when you are on the file server itself, so you can manage things over the network.
This means that when you work locally on the Domain Controller and NOT over RDP, you may see this behavior.
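Workaround (b) as an added PowerShell example, not part of the original note: it creates a dedicated domain group, adds the administrator accounts, and grants that group an inheritable Full Control entry on the folder. The folder path, group name and account names are hypothetical, and it assumes the ActiveDirectory module is installed and the session is elevated.

```powershell
#Requires -Modules ActiveDirectory
# Added example. All default values below are hypothetical placeholders.
param(
    [string]   $FolderPath = 'D:\Shares\Data',          # hypothetical folder
    [string]   $GroupName  = 'FileShare-Admins',        # hypothetical group name
    [string[]] $Members    = @('adm-alice', 'adm-bob')  # hypothetical admin accounts
)

# With UAC on, a non-elevated session holds the filtered token, so IsInRole
# returns False even for a member of the Administrators group.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Running elevated: $elevated"
if (-not $elevated) { throw 'Changing the ACL needs an elevated session.' }

# Create the group if it is missing, then add only the accounts not yet in it.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global `
                         -GroupCategory Security -PassThru
}
$existing = Get-ADGroupMember -Identity $group |
            Select-Object -ExpandProperty SamAccountName
$toAdd = $Members | Where-Object { $_ -notin $existing }
if ($toAdd) { Add-ADGroupMember -Identity $group -Members $toAdd }

# Grant the group Full Control, inherited by subfolders and files.
# FullControl mirrors the setup in the note; Modify is enough if members
# do not need to change permissions or ownership.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $group.SID,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -Path $FolderPath
$acl.AddAccessRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# Show the resulting entry for the new group.
(Get-Acl -Path $FolderPath).Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited
```

Accounts added to the group must log off and back on before the new membership appears in their access token.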
Links:
http://serverfault.com/questions/4696/administrator-file-modification-privilege