NTFS Security Group fails to provide correct access to folders

[Guest stu_derek]

I have created a Global Windows security group that contains 10 users and

applied the group to a folder on a file server to give the users in this

group Read/Mod access to the data contained.

 

However, 8 out of the 10 users have NO access to the folder when I check the

'Effective permissions' (the other two are fine). If I add the users to the

folder explicitly then access is ok. It seems that Windows is not succesfully

enumerating the group memberships and granting the required level of access

to all users. The users are added to a Global group and are not specifically

denied access to the folder elsewhere.

 

Has ayone else encountered a situation like this where group membership just

doesn't seem to be correctly enumerated? I have no error messages present int

he Event Viewer on the File server or the DC that the group belongs to...

[Guest Bruce Sanderson]

Re: NTFS Security Group fails to provide correct access to folders

 

A possibility that you may already have thought of: group membership is

cached locally on a computer at the time the user logs on (starts a Window

Session) on a computer. So, if you change group membership to adjust a

user's access to something, they won't get the change in group membership

and thus the change in permissions, until they logoff and logon.

 

I've also found sometimes that the "Effective Permissions" tab doesn't

allways give the right answer; I have not narrowed this down to any

particular scenario.

 

--

Bruce Sanderson MVP Printing

http://members.shaw.ca/bsanders

 

It is perfectly useless to know the right answer to the wrong question.

 

 

 

"stu_derek" <studerek@discussions.microsoft.com> wrote in message

news:E1788C3C-0B2E-4DC0-A680-A47A20144F71@microsoft.com...

>I have created a Global Windows security group that contains 10 users and

> applied the group to a folder on a file server to give the users in this

> group Read/Mod access to the data contained.

>

> However, 8 out of the 10 users have NO access to the folder when I check

> the

> 'Effective permissions' (the other two are fine). If I add the users to

> the

> folder explicitly then access is ok. It seems that Windows is not

> succesfully

> enumerating the group memberships and granting the required level of

> access

> to all users. The users are added to a Global group and are not

> specifically

> denied access to the folder elsewhere.

>

> Has ayone else encountered a situation like this where group membership

> just

> doesn't seem to be correctly enumerated? I have no error messages present

> int

> he Event Viewer on the File server or the DC that the group belongs to...

[Guest stu_derek]

Re: NTFS Security Group fails to provide correct access to folders

 

Thanks Bruce,

 

I had considered this myself and had asked users to log-off and log back on,

but it still didn't work. I assumed that the 'Effective Permissions' function

would simply query the AD and not be dependent on cached permissions on

machines.

 

Interestingly, out of the 10 users who had no access to the folder

lastnnight, 5 now do - perhaps they have logged off and logged back on this

morning...

 

I'll reserve judgement and see how things go, but any other advice would

still be welcome!

 

Thanks,

 

Stuart

 

"Bruce Sanderson" wrote:

> A possibility that you may already have thought of: group membership is

> cached locally on a computer at the time the user logs on (starts a Window

> Session) on a computer. So, if you change group membership to adjust a

> user's access to something, they won't get the change in group membership

> and thus the change in permissions, until they logoff and logon.

>

> I've also found sometimes that the "Effective Permissions" tab doesn't

> allways give the right answer; I have not narrowed this down to any

> particular scenario.

>

> --

> Bruce Sanderson MVP Printing

> http://members.shaw.ca/bsanders

>

> It is perfectly useless to know the right answer to the wrong question.

>

>

>

> "stu_derek" <studerek@discussions.microsoft.com> wrote in message

> news:E1788C3C-0B2E-4DC0-A680-A47A20144F71@microsoft.com...

> >I have created a Global Windows security group that contains 10 users and

> > applied the group to a folder on a file server to give the users in this

> > group Read/Mod access to the data contained.

> >

> > However, 8 out of the 10 users have NO access to the folder when I check

> > the

> > 'Effective permissions' (the other two are fine). If I add the users to

> > the

> > folder explicitly then access is ok. It seems that Windows is not

> > succesfully

> > enumerating the group memberships and granting the required level of

> > access

> > to all users. The users are added to a Global group and are not

> > specifically

> > denied access to the folder elsewhere.

> >

> > Has ayone else encountered a situation like this where group membership

> > just

> > doesn't seem to be correctly enumerated? I have no error messages present

> > int

> > he Event Viewer on the File server or the DC that the group belongs to...

>

[Guest Bruce Sanderson]

Re: NTFS Security Group fails to provide correct access to folders

 

Perhaps there are long delays in replication between domain controllers, if

there is more than one. On the domain controllers, look in the Event Logs

for the replication and AD services.

 

--

Bruce Sanderson MVP

http://members.shaw.ca/bsanders/

It's perfectly useless to know the right answer to the wrong question.

 

 

"stu_derek" <studerek@discussions.microsoft.com> wrote in message

news:5D6EA22F-0453-4BA0-AFF7-C30027373592@microsoft.com...

> Thanks Bruce,

>

> I had considered this myself and had asked users to log-off and log back

> on,

> but it still didn't work. I assumed that the 'Effective Permissions'

> function

> would simply query the AD and not be dependent on cached permissions on

> machines.

>

> Interestingly, out of the 10 users who had no access to the folder

> lastnnight, 5 now do - perhaps they have logged off and logged back on

> this

> morning...

>

> I'll reserve judgement and see how things go, but any other advice would

> still be welcome!

>

> Thanks,

>

> Stuart

>

> "Bruce Sanderson" wrote:

>

>> A possibility that you may already have thought of: group membership is

>> cached locally on a computer at the time the user logs on (starts a

>> Window

>> Session) on a computer. So, if you change group membership to adjust a

>> user's access to something, they won't get the change in group membership

>> and thus the change in permissions, until they logoff and logon.

>>

>> I've also found sometimes that the "Effective Permissions" tab doesn't

>> allways give the right answer; I have not narrowed this down to any

>> particular scenario.

>>

>> --

>> Bruce Sanderson MVP Printing

>> http://members.shaw.ca/bsanders

>>

>> It is perfectly useless to know the right answer to the wrong question.

>>

>>

>>

>> "stu_derek" <studerek@discussions.microsoft.com> wrote in message

>> news:E1788C3C-0B2E-4DC0-A680-A47A20144F71@microsoft.com...

>> >I have created a Global Windows security group that contains 10 users

>> >and

>> > applied the group to a folder on a file server to give the users in

>> > this

>> > group Read/Mod access to the data contained.

>> >

>> > However, 8 out of the 10 users have NO access to the folder when I

>> > check

>> > the

>> > 'Effective permissions' (the other two are fine). If I add the users to

>> > the

>> > folder explicitly then access is ok. It seems that Windows is not

>> > succesfully

>> > enumerating the group memberships and granting the required level of

>> > access

>> > to all users. The users are added to a Global group and are not

>> > specifically

>> > denied access to the folder elsewhere.

>> >

>> > Has ayone else encountered a situation like this where group membership

>> > just

>> > doesn't seem to be correctly enumerated? I have no error messages

>> > present

>> > int

>> > he Event Viewer on the File server or the DC that the group belongs

>> > to...

>>