NTFS Security Group fails to provide correct access to folders


stu_derek

I have created a Global Windows security group that contains 10 users and
applied the group to a folder on a file server to give the users in this
group Read/Mod access to the data contained.

However, 8 out of the 10 users have NO access to the folder when I check the
'Effective permissions' (the other two are fine). If I add the users to the
folder explicitly then access is ok. It seems that Windows is not successfully
enumerating the group memberships and granting the required level of access
to all users. The users are added to a Global group and are not specifically
denied access to the folder elsewhere.

Has anyone else encountered a situation like this where group membership just
doesn't seem to be correctly enumerated? I have no error messages present in
the Event Viewer on the File server or the DC that the group belongs to...
 
A possibility that you may already have thought of: group membership is
cached locally on a computer at the time the user logs on (starts a Window
Session) on a computer. So, if you change group membership to adjust a
user's access to something, they won't get the change in group membership
and thus the change in permissions, until they log off and log on.

I've also found sometimes that the "Effective Permissions" tab doesn't
always give the right answer; I have not narrowed this down to any
particular scenario.

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
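
An added example, not part of the original thread: a PowerShell check, run inside the affected user's own logon session, of whether the group's SID is present in that session's access token and which ACEs the folder carries for the group. The folder path and group name are placeholders, not values from the thread.

```powershell
# Added example. $FolderPath and $GroupName are placeholders, not values from the thread.
param(
    [string]$FolderPath = '\\FILESERVER\Share\Folder',   # placeholder path
    [string]$GroupName  = 'EXAMPLE\FolderReaders'        # placeholder group
)

$sidType = [System.Security.Principal.SecurityIdentifier]

# Access checks compare SIDs, so resolve the group name to its SID first.
$groupSid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate($sidType).Value

# Group SIDs carried by this logon session's access token. The token is built
# at logon and is not updated when group membership changes afterwards.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.Groups | ForEach-Object { $_.Value })
$inToken   = $tokenSids -contains $groupSid

# ACEs on the folder that name the group: allow and deny, explicit and inherited.
# Reading the ACL can itself fail for a user who has no access to the folder.
$aces = $null
try {
    $acl  = Get-Acl -Path $FolderPath -ErrorAction Stop
    $aces = @($acl.Access | Where-Object {
        try   { $_.IdentityReference.Translate($sidType).Value -eq $groupSid }
        catch { $false }   # orphaned SID or unresolvable account
    })
} catch {
    Write-Warning "Could not read the ACL on ${FolderPath}: $($_.Exception.Message)"
}

[pscustomobject]@{
    User         = $identity.Name
    Group        = $GroupName
    GroupSid     = $groupSid
    GroupInToken = $inToken
    GroupAces    = if ($null -eq $aces) { 'ACL not readable' } else {
        $aces | ForEach-Object {
            '{0} {1} (inherited: {2})' -f $_.AccessControlType, $_.FileSystemRights, $_.IsInherited
        }
    }
}
```

A `GroupInToken` value of `False` for a user who is a member of the group means the session's token does not yet reflect that membership; `whoami /groups` shows the same token contents from a command prompt.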



 
Thanks Bruce,

I had considered this myself and had asked users to log-off and log back on,
but it still didn't work. I assumed that the 'Effective Permissions' function
would simply query the AD and not be dependent on cached permissions on
machines.

Interestingly, out of the 10 users who had no access to the folder
last night, 5 now do - perhaps they have logged off and logged back on this
morning...

I'll reserve judgement and see how things go, but any other advice would
still be welcome!

Thanks,

Stuart

 
Perhaps there are long delays in replication between domain controllers, if
there is more than one. On the domain controllers, look in the Event Logs
for the replication and AD services.

--
Bruce Sanderson MVP
http://members.shaw.ca/bsanders/
It's perfectly useless to know the right answer to the wrong question.


 