    I do security administration for a large multi domain network. We have a master domain and multiple subordinate domains.
    Recently we have been experiencing problems with users losing access to directories. Typically the users are members of global groups which are in local groups.
    The local groups have permission to access the directories but members of the global groups have suddenly lost access even though these global groups are members of the local groups.
    If I add the users individually they regain access and if I give direct access to the global group they regain access.
    The group structure I have inherited is a bit of a mess and to totally overhaul it would take more time than I have.
    Does anyone have any idea why this problem has suddenly started and why it is slowly spreading to other domains?

      Unfortunately I don’t have enough information to make an accurate assessment of the situation. Like whether you are adding the global groups across domains, or you are talking about local domain groups only. Also whether this is across a WAN.

      From the information provided it looks like your problem may be stemming from your trust relationships across domains failing. Perhaps an increase in network traffic is dropping authentication availability between domains. This all stems back to a poor name resolution and domain architecture design. The best way to ensure that this does not fail, is to look at rationalisation of your LAN and WAN traffic, domain structure and name resolution architecture.

      Also simple things like ensuring that each domain PDC has an entry for all other domain PDC’s pre-loaded through the LMHOSTS file or else domain entries in the WINS database. I prefer to use the LMHOSTS file as it does not rely on other software which may fail. The format should be as follows; AUSP

      I would think the most likely problem is that users are members of multiple groups, one group of which doesn’t have the permissions necessary. Otherwise the thing to look at is what share the users are entering the directory through and check those permissions, because NT applies a most restrictive access policy. If what works one day suddenly stops the next day it’s probably a failure to authenticate at either the file server or a domain controller. You might set up resource monitor counters for load measuring on the PDC and BDC’s to ensure that they aren’t dropping requests.
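
Added example, not part of any reply in this thread: a small Python check that reads LMHOSTS text and reports, for each domain you expect to trust, whether a pre-loaded PDC entry exists. It relies on the standard LMHOSTS keywords `#PRE` and `#DOM:<domain>`; the host names, domain names and addresses in the sample are constructed placeholders, and quoted names with special characters are not handled.

```python
# Constructed sample LMHOSTS content. Names and addresses are placeholders
# (192.0.2.0/24 is a documentation range), not values from the thread.
SAMPLE_LMHOSTS = """\
# PDC entries for trusted domains
192.0.2.10   MASTERPDC   #PRE #DOM:MASTER
192.0.2.20   SALESPDC    #PRE #DOM:SALES
192.0.2.30   ENGPDC      #DOM:ENG        # missing #PRE
192.0.2.40   FILESRV1    #PRE            # plain host, no domain tag
"""

def parse_lmhosts(text):
    """Return a list of (ip, name, preloaded, domain) for each mapping line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines and lines that are only a comment or directive.
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        ip, name = fields[0], fields[1].upper()
        preloaded, domain = False, None
        for tok in fields[2:]:
            upper = tok.upper()
            if upper == "#PRE":
                preloaded = True
            elif upper.startswith("#DOM:") and len(upper) > 5:
                domain = upper[5:]
            else:
                break  # first non-keyword token starts a trailing comment
        entries.append((ip, name, preloaded, domain))
    return entries

def audit_domains(text, expected_domains):
    """Map each expected domain to 'ok', 'not preloaded' or 'missing'."""
    status = {d.upper(): "missing" for d in expected_domains}
    for _ip, _name, preloaded, domain in parse_lmhosts(text):
        if domain in status and status[domain] != "ok":
            status[domain] = "ok" if preloaded else "not preloaded"
    return status

if __name__ == "__main__":
    report = audit_domains(SAMPLE_LMHOSTS, ["MASTER", "SALES", "ENG", "HR"])
    for dom, state in report.items():
        print(f"{dom:8} {state}")
```

Run it against a copy of the LMHOSTS file from each PDC, with the list of domains that PDC is expected to trust.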

