Access Is Denied - HELP!

Guest Dave Durand
Posted

Scenario...

Two forests, one domain (parent only) in each forest. User accounts are in DOMAIN1 and I have some disk shares in DOMAIN2 that I'd like to grant access to.

First off there is a trust between both domains. The trust isn't transitive but I'm assuming that is because neither domain has any child domains....please correct if I'm wrong. Each side of the trust is configured with Domain-wide authentication.

To grant the permissions, I created a universal group on DOMAIN1 and put my users in the group. On DOMAIN2 I created a domain local group and put the universal group from DOMAIN1 into the previously created domain local group on DOMAIN2. I assigned read access at the share and file system levels for the domain local group in DOMAIN2.

When my DOMAIN1 user tries to map a drive to the share in DOMAIN2 they get an access is denied message. The mapping actually runs during a login script and DOMAIN2 shows positive security events showing the user authentication from DOMAIN1 is successful.

What did I do wrong?

MrDurand

Guest Ryan Hanisco
Posted

RE: Access Is Denied - HELP!

 

Hi Dave,

When not using the script, can you access the shares and files directly through browsing or UNC path? I would pull the script out of the equation to make sure that there wasn't something else causing the hassle.

I would also go through again to make sure you had access to both the file and share permissions. You did mention that you did that, but it is worth checking again. If all of that checks out, I would look at when the script is loading. If the script is hitting before the profile is fully logged in (running as a machine script or synchronously with the GINA) then it may not have the token generated yet when the script tries to map.

--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
http://www.techsterity.com
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need quickly.


Guest Dave Durand
Posted

RE: Access Is Denied - HELP!

 

Ryan,

Just an FYI...I double and triple checked the permissions and they don't get any cleaner being by the book. Here is some additional info...the access works fine with a Windows Vista client however the Access Is Denied is showing up on the Windows XP Pro SP2 workstations only.

I'm wondering if something is wrong with Kerberos or the authentication mechanism. Is there any way for me to make sure everything is NTLM? At least that has worked for years.

I'll see if the XP clients show anything in the log but the security logs on the DC in DOMAIN2 where the actual shares are located show successful authentication from the user in DOMAIN1 via the trust so I'm not sure what the problem is.

Dave


Guest Dave Durand
Posted

RE: Access Is Denied - HELP!

 

I'm thinking this is an issue with the secure channel between the workstation and domain somehow. Can anyone help me get pointed in the right direction to determine why this isn't working consistently? Now I just had a user who can't access on the Vista machine but can access on the XP machine. I can't find any consistency with this only applying to certain users or certain machines. What gives?

 

Dave
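
A client-side check for the symptoms described in this thread, added here as an example and not posted by any participant. The group name and UNC path are placeholders; it assumes PowerShell 2.0 or later and skips klist.exe and nltest.exe where those tools are not installed.

```powershell
# Added example: run on an affected workstation as the affected DOMAIN1 user.
# $UniversalGroup and $SharePath are placeholders, not names from the thread.
param(
    [string]$UniversalGroup = 'DOMAIN1\ShareReaders',
    [string]$SharePath      = '\\fileserver\data'
)

# 1. Is the DOMAIN1 universal group in this logon session's token?
#    Membership granted after logon only appears at the next logon.
#    The DOMAIN2 domain local group is not expected here; it is added on the
#    DOMAIN2 side when the file server's token for the user is built.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$account   = New-Object System.Security.Principal.NTAccount($UniversalGroup)
$groupSid  = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$tokenSids = $identity.Groups | ForEach-Object { $_.Value }
$inToken   = $tokenSids -contains $groupSid

# 2. Try the access itself, outside the logon script, and keep the exact error.
$accessError = $null
try   { Get-ChildItem -LiteralPath $SharePath -ErrorAction Stop | Out-Null }
catch { $accessError = $_.Exception.Message }

# 3. Did the attempt obtain a Kerberos service ticket for the file server?
#    klist.exe is not present on a default Windows XP install.
$server     = $SharePath.TrimStart('\').Split('\')[0]
$cifsTicket = 'klist.exe not available'
if (Get-Command klist.exe -ErrorAction SilentlyContinue) {
    $cifsTicket = [bool](klist.exe | Select-String -SimpleMatch "cifs/$server")
}

# 4. Workstation secure channel to its own domain (needs nltest.exe and
#    usually an elevated prompt).
$machineDomain = (Get-WmiObject Win32_ComputerSystem).Domain
$secureChannel = 'nltest.exe not available'
if (Get-Command nltest.exe -ErrorAction SilentlyContinue) {
    $secureChannel = (nltest.exe "/sc_verify:$machineDomain" | Out-String).Trim()
}

# One record per user/machine pair, so results can be compared side by side.
New-Object PSObject -Property @{
    User              = $identity.Name
    GroupInToken      = $inToken
    AccessError       = $accessError
    CifsTicketPresent = $cifsTicket
    SecureChannel     = $secureChannel
} | Format-List
```

If GroupInToken is False, the logon session predates the group membership (or the membership is missing), so log off and on again before testing further.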


