domain groups not allowing folder access for some users

mgaruccio
Recently we performed a permissions change on a server that was using local groups to provide permissions and created domain groups to provide access. After this change, several of the users that are in the new groups complain that they are unable to access files. Share permissions were set to read/change for users and have not been modified. Any test account is working correctly, and effective permissions show that the users have access to the files, but when they try to connect they get access denied. Adding them explicitly to the ACL allows folder access. I've checked just about everything I know to check when dealing with folder permissions, but they all look correct. Is there anything I could be missing?
    jennylembert

    Make sure you have all the correct permissions assigned as per this article:

    https://lbis.kenyon.edu/helpline/networksecurityandfilesharing/settingaccesspermissions

    Good luck.

    mgaruccio

    Permissions settings have been checked by 3 different admins and rechecked by creating a new user with identical groups. The test account can access the folder but not the user. Other users in the group can access it without a problem, and there are no denies set anywhere.

    CG IT

    Not enough information.

    You said you recently changed security from local machine to domain. What else did you change over from local machine to domain? Local machine and domain are two different security models. One, of course, is local to the machine and controlled by local machine policy. Domain is domain-wide and controlled by Active Directory.

    mgaruccio

    The server was originally configured with local groups that had access to files and had domain groups and users added to them. Each local group was replaced with a domain global group, which had all users and groups added to it and was given the same rights in the folders' ACLs. I don't feel that group membership should be an issue, as a test account created with the exact same group memberships as the problem users has no problems accessing the files. Only certain users get access denied even though effective permissions shows that they have access, but they are suddenly able to access the folder once they are added explicitly to the ACL.

    CG IT

    You still haven't provided enough information. Specifically, what users are being impacted: domain users or local machine users? Local groups implies local machine users. Domain groups implies domain users. When you change rights to access a shared folder, the changes impact users. By removing local security groups and users that are members of that group, you have effectively removed rights to access the shared folder for that group and the users that are members of that group. One way to grant rights to users of a security group that has been removed from shared folder rights is to add them in explicitly. That grants those users explicit rights to access the share.
    Remember that rights and permissions are combined together for users, with rights and permissions assigned individually to a user and to groups the user belongs to, with most restrictive rights applying, and with the Deny permission trumping everything.

    mgaruccio

    All users log in with domain accounts, and local accounts were never used on the server, only local groups. The server was originally configured with local groups that had domain users and domain groups as members. As I said in the original post, all the local groups were replaced with domain groups that were granted all the same file access as the old local groups and then had all the members of the old local groups added to them. Per normal best practices, denies are not set anywhere, and share permissions are set to allow everyone full control, with actual handling of permissions being done by NTFS. Running effective permissions against the user accounts that are getting access denied shows that they should have access.

    glen.harris

    May sound stupid, but have you tried getting one of the affected users to log onto a different workstation (one that you know people can connect to the folder from) to see if the result is the same?
