
Changes to folder permissions not taking effect on Server 2008



Guest schnell
Posted

We have a new 2008 Server setup to replace an Apple OSX server. Our first Windows file server in years so bear with me.

I have a share created and gave read access to the department using it. The Data folder below that gives the department R/W access to everything. There are only 2 special access folders, on which I turned off 'Include Inherited Permissions from this objects parent' and removed the department from the list. Then I added an Active Directory group and gave them R/W.

At this point my test account could browse the whole Data structure, but not see the special access folders. Good. Then I added my test account to that AD group to verify access. But it doesn't work - I couldn't get in. I needed to log off the client machine (disconnecting and reconnecting the share didn't help), and upon logging back in and reconnecting to the share I could see the secured folders. Removing the test user from the AD group had the same problem. I could access the folder for hours after, until I tried logging in and out to 'fix' the problem.

I tried gpupdate on client and server to no avail. And the Effective Permissions tab shows the expected rights, but the client doesn't seem to care. Seems weird to have to log off of the client for security on the server to take effect.

Server is 2008 SP1, client is XP Pro SP2.

What am I missing?

 

 

J

  • 3 weeks later...
Posted

I am also having the same kind of problem on a Win2003 server. I added 2 users to a group, applied permissions under the Share tab as full access, and under Security added the group with read and execute rights, but it doesn't apply unless I restart the client (XP SP2).

I don't know what the solution can be.

 

 

 


Guest Steve Riley [MSFT]
Posted

What you're seeing is the expected behavior.

When a user logs on, Windows creates a SID (security identifier) that contains a list of the security groups the user belongs to at that particular moment. Each time that user accesses a resource, the resource compares its own access list to the user's SID to check what permissions that user has. If you subsequently change that user's group membership, there's no way for an access control list to know this. The SID gets updated only when the user next logs on.

 

--

Steve Riley

steve.riley@microsoft.com

http://blogs.technet.com/steriley

Protect Your Windows Network: http://www.amazon.com/dp/0321336437
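
One way to check for the condition described in the reply above, as an added example that is not part of the original thread: the PowerShell below compares the group SIDs held by the current logon session with the group SIDs Active Directory computes for the same account now. It assumes a domain-joined client and a domain account, and as a simplification compares only groups from the account's own domain; the helper name `Resolve-SidName` is made up for this example.

```powershell
# Added example (not from the thread). Run as the affected domain user on a
# domain-joined client; requires PowerShell 3.0 or later.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Group SIDs captured when this logon session was created.
$sessionSids = @($identity.Groups | ForEach-Object { $_.Value })

# Find the same account in Active Directory by its SID.
$result = ([adsisearcher]"(objectSid=$($identity.User.Value))").FindOne()
if (-not $result) { throw "Account $($identity.Name) was not found in the directory." }

# tokenGroups is a constructed attribute: the domain controller computes the
# account's transitive security-group SIDs when asked, so it shows changes
# made after logon.
$entry = $result.GetDirectoryEntry()
$entry.psbase.RefreshCache([string[]]@('tokenGroups'))
$directorySids = @($entry.psbase.Properties['tokenGroups'] | ForEach-Object {
    (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value
})

# Simplification (assumption of this example): compare only SIDs issued by the
# account's own domain, ignoring local, well-known and other-domain groups.
$prefix      = $identity.User.AccountDomainSid.Value + '-'
$inSession   = @($sessionSids   | Where-Object { $_.StartsWith($prefix) })
$inDirectory = @($directorySids | Where-Object { $_.StartsWith($prefix) })

# Hypothetical helper: show a readable name, falling back to the raw SID.
function Resolve-SidName([string]$Sid) {
    try {
        $sidObject = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

# Groups added since logon: this session cannot use them yet.
$inDirectory | Where-Object { $inSession -notcontains $_ } | ForEach-Object {
    [pscustomobject]@{ Group = Resolve-SidName $_; State = 'In directory, not in this session' }
}

# Groups removed since logon: this session still carries them.
$inSession | Where-Object { $inDirectory -notcontains $_ } | ForEach-Object {
    [pscustomobject]@{ Group = Resolve-SidName $_; State = 'In this session, removed in directory' }
}
```

No output means the session and the directory agree for the groups compared; a "removed in directory" row is the case from the first post, where access continued after the user was taken out of the group.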

 

 

 

