domain groups not allowing folder access for some users

By mgaruccio ·
recently we performed a permissions change on a server that was using local groups to provide permissions and created domain groups to provide access, after this change several of the users that are in the new groups complain that they are unable to access files, share permissions were set to read/change for users and have not been modified. Any test account is working correctly and effective permissions show that the users have access to the files but when they try to connect they get access denied. Adding them explicitly to the ACL allows folder access. I've checked just about everything I know to check when dealing with folder permissions but they all look correct, is there anything I could be missing?

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

Access Permissions for files and folders

by jennylembert In reply to domain groups not allowin ...

Make sure you have all the correct permissions assigned as per this article:

Good luck.

Collapse -

permissions checked.

by mgaruccio In reply to domain groups not allowin ...

Permissions settings have been checked by 3 different admins and rechecked by creating a new user with identical groups, the test account can access the folder but not the user, other users in the group can access without a problem and there are no denies set anywhere.

Collapse -

local machine security groups and users

by CG IT In reply to domain groups not allowin ...

not enough information.

you said you recently changed security from local machine to domain. What else did you change over from local machine to domain? local machine and domain are two different security models. one, of course, is local to the machine and controlled by local machine policy. Domain is domain wide and controlled by Active Directory

Collapse -


by mgaruccio In reply to domain groups not allowin ...

The server was originally configured with Local groups that had access to files and had domain groups and users added to them. each local group was replaced with a domain global group and had all users and groups added to it and was given the same rights in the folders ACL's. I don't feel that group membership should be an issue as a test account created with the exact same group memberships as the problem users has no problems accessing the files, only certain users get access denied even though effective permissions shows that they have access but they are suddenly able to access the folder once they are added explicitly to the ACL.

Collapse -

Reponse To Answer

by CG IT In reply to changes

you still haven't provided enough information. specifically what users are being impacted. Domain users or local machine users. Local groups implies local machine users. domain groups implies domain users. When you change rights to access a shared folder, the changes impact users. Removing local security groups and users that members of that group, you have effectively removed rights to access the shared folder for that group and the users that are members of that group. One way to grant rights to users of a security group that has been removed from shared folder rights is to add them in explicitly. That grants those users explicit rights to access the share.
Remember that rights and permissions are combined together for users with rights and permissions assigned individually to a user and to groups the user belongs to with most restrictive rights applying, with the Deny permission trumping everything.

Collapse -

all domain users

by mgaruccio In reply to domain groups not allowin ...

All users log in with domain accounts, and local accounts were never used on the server, only local groups. the server was originally configured with local groups that had domain users and domain groups as members, as I said in the original post all the local groups were replaced with domain groups that were granted all the same file access as the old local groups and then had all the members of the old local groups added to them. per normal best practices denies are not set anywhere and share permissions are set to allow everyone full control with actual handling of permissions being done by NTFS and running effective permissions against the user accounts that are getting access denied shows that they should have access.

Collapse -

Reponse To Answer

by glen.harris In reply to all domain users

May sound stupid, but have you tried getting one of the affected users to log onto a different workstation (one that you know people can connect to the folder from) to see if the result is the same?

Related Discussions

Related Forums