GlenBoyer asked:
Refresh User/Group File Permissions without User re-logging in

Hi Guys, I know this is probably a very simple answer, but for the life of me I have forgotten how to refresh a Windows 2003 server so that, if I add or remove a user from a group or add a user to the file permissions of a directory, an automatic refresh is forced across the domain and the users do not have to log out and log back in for those permissions to take effect.

Currently looking at CACLS.

In NT, just select Server Manager and Re-Sync Domain, but in Windows 2003, I forgot.
sphbecker:

I am not 100% sure about this, but I think disconnecting the user from the file server (going into Computer Management --> Shared Folders --> Sessions) will do the trick.  This will not unmap any drives the user may have mapped, it will only disconnect files they may have opened.  The next time the user tries to use the file server they will be reauthenticated with their new group membership (assuming the DC used by the file server has been updated).

Use the gpupdate /force command for this purpose.
If you add a user to a new group then the user has to log out and back in before the system will acknowledge they are in this group. This is because group membership is evaluated at logon and at this time the SIDs of the groups the user is a member of are stored within their session. When access is requested to any resource these SIDs are compared against the ACLs of the resource being accessed.

If a user is granted access to a resource by adding the user, or a group the user is already a member of, to the ACLs of that resource then this takes effect immediately without the user having to log out and then log back in. The next time the user tries to access the resource it should re-compare the SIDs associated with the user with the ACLs of the resource. It is possible the end user will need to close down the folder in explorer and re-open the folder to ensure the new permissions are evaluated if the ACL list has been updated, but I find normally the end user gets access straight away.

Let me know if you need further clarification.
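The point above (group SIDs are captured in the access token at logon and compared against the ACL on every access) can be checked from the user's own session. The following PowerShell is an added example, not code from the thread; the group name `CONTOSO\Accounting` is a placeholder.

```powershell
# Added example (not from the original thread): list the group SIDs baked into
# the current logon token. Membership is captured here at logon; a group the
# user was added to afterwards does not appear until they log off and on again.
function Get-TokenGroups {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        $name = '(unresolved)'
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
        New-Object PSObject -Property @{ Sid = $sid.Value; Name = $name }
    }
}

# Returns $true when the token already carries the named group. Access checks
# compare exactly these SIDs against the folder's ACL, so an AD change that is
# not reflected here has no effect on this session.
function Test-TokenHasGroup([string]$GroupName) {
    $wanted = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        if ($sid.Equals($wanted)) { return $true }
    }
    return $false
}

Get-TokenGroups | Sort-Object Name | Format-Table Name, Sid -AutoSize
Test-TokenHasGroup 'CONTOSO\Accounting'   # placeholder group; run in the user's session
```

Running `Test-TokenHasGroup` right after adding the user to the group in Active Directory returns `$false` in the user's existing session, which is exactly why the ACL change via the group is not honoured until the next logon.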
GlenBoyer (asker):
Thanks guys, but not quite there yet.

Yes, I agree that the ACL is tested against the login and therefore issues an Access Token with the SIDs of the locations the user has access to.  And I do understand that I can make the user log out and log back in, but what I was hoping to find was a way to reset the permissions even while the user remains logged in.

- As stated above, if the user is ALREADY (keyword) part of a group, then adding that group to a resource should make it effective immediately.
The problem is, what if the group already has membership, but you then ADD a user to that group, and the user was previously logged in? Are we then forcing the user to log out and log back in... seems rude, and in NT it was not necessary with Sync Domain in Server Manager.

- As stated above, do a gpupdate /force. I have attempted that answer, but upon further research that is ONLY for Policies and not Permission settings, a technical difference, but unfortunately it doesn't work.

And yes, I appreciate the effort, but I am still not finding a good solution.  Take for example a User that is already logged in.. say to the Accounting Group, and the Boss calls up and says, I don't want this person to have access to this particular directory.  Well, even if I remove the user from that group, since the login has already approved this person as having access, and it's supposedly only tested once, the only way presently is to Force the User to log off.  I would hope there is a better way.

Does anyone know if CACLS will do the trick..  I know it's command line, but.. it might take effect immediately..
I think you are mistaken about the purpose of Sync Domain in Server Manager on Windows NT. All this did was trigger an immediate synchronisation between PDC and BDCs to ensure the account details were updated across all Domain Controllers immediately.

This did not update group membership information for users already logged on, it merely ensured that whichever domain controller they next logged into would have the up to date details of which groups that user belonged to.

I don't believe there is any way to immediately revoke membership of a user who is currently logged on without forcing/asking them to log off first. Generally you would expect a user to log off at the end of the day and log back on in the morning so changes to group membership should take place within a day.

If users are in the habit of leaving themselves logged in at the end of the day then I would suggest trying to break this habit as it has a number of issues:
1) they may have files open when the backup process is running.
2) If there is a power outage overnight then there is a greater chance of hard drive damage as the disk may be in use at the time of the power surge.
3) Windows PCs generally become less stable the longer they remain on and get more and more likely to crash or behave erratically (this does depend on the installed software though)
4) Computers are wasting a large amount of power overnight.

I appreciate this is off topic, but may be helpful in persuading a change in the login habits of your end users.

The only way to immediately effect a removal of access would be to add a Deny entry into the ACL for the individual user account temporarily until they next log on (Deny ACEs override any access granted via other types of ACE). I wouldn't like to leave such entries in place for long though, as they can overly complicate access control settings.

BTW: CACLS is simply a command line method of setting permissions, otherwise it will take effect in the same manner as permissions set using the GUI.

Sorry. Not the answer you want I'm afraid.
Thank you for your effort richencoo

I agree with everything you have said and at present (and past) have been attempting user education along those lines as well.

It might have been coincidental that Sync Mgr of NT forced the refresh of permissions, and not an expected process, however it has served well for the last 10 years for this purpose.  So.. with that being said... I would hope 2K3 also has some feature that would do the same.

Let me regress a bit and ask this:
set the share for everyone to do all 3
then set the NTFS per Group and potentially per user for personal folders.

Group already set for access (read/write..etc) on folder
Add User to Group
Ask User to Try open Folder (Directory), still comes up with error.

In reverse.. Separate issue.. User already in group, Group already has access to Folder, User already Logged in, User already has access to files.
Remove User from Group, Ask User to try to reopen.. User STILL has access..  that is unacceptable.. there must be a method, function, service that can be triggered to make these changes instantly effective across the domain.

I know we are talking of the same issue and this is a regression, but I wanted to make clear that these were 2 separate issues, but the same technique solves both.

There was mention that, to look into the shares/sessions for that user, and if any shares in the session are open for that user, to close them, which may or may not force re-authentication... however, IF (big word here), 2K3 issues an Access Token with the SID, the User already has the key to then re-enter those same locations.  Leaving me with the only alternative to FORCE the user to logoff.  However, the User may have many other documents still open that are just fine and dandy to have access to...  rather than finding a method to refresh and allow the user to continue about their day.

Any one ?
ASKER CERTIFIED SOLUTION
richencoo
I agree.  I was afraid of that.  I had found the things regarding the Access Token before and knew that if that was what was happening, then yes, the user would have to log out and re-login, and I was hoping to avoid that.

But, I also agree with your solution, which as of this writing I have discovered at about the same time, with your other options, which is to ADD the individual to a specific directory or deny that person from a directory, then YES, it would take immediate effect.

So the plan is 2-fold, a bit of monkey work for me, which is: ADD individual to GROUP, then ADD user to Folder (with group already).
The User would then have immediate access to files; then within a week's time, remove the individual user, since the group security would then be in effect on the user's next login.

Again, I know this sounds like extra work, but, as mentioned above, this is how the Access Token works, and therefore, if I need a User to have immediate access, this is the ONLY mechanism to solve that, at present.

Thanks
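Both workarounds discussed in the thread come down to the same ACL operation: richencoo's temporary Deny ACE for a user just removed from a group, and the asker's plan of an explicit Allow ACE for a user just added to one, with the entry removed after the user's next logon. The PowerShell below is an added example, not code from the thread or from CACLS; the folder paths and the account `CONTOSO\jdoe` are placeholders.

```powershell
# Added example (not from the original thread). Adds an explicit per-user ACE
# (Allow or Deny) to a folder so the change bites now, while the user's logon
# token still lacks (or still carries) the group SID. Paths and names are placeholders.
function Add-TemporaryUserAce {
    param(
        [string]$Path,                                   # folder whose NTFS ACL is edited
        [string]$Account,                                # 'DOMAIN\user' (placeholder)
        [ValidateSet('Allow', 'Deny')][string]$Type = 'Allow',
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )
    $acl = Get-Acl -Path $Path
    # Inherit to subfolders and files so the entry covers the whole tree.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]$Type)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Removes every explicit (non-inherited) ACE for the account once the group change has
# taken effect at the user's next logon, so stray Deny/Allow entries do not pile up.
function Remove-UserAces {
    param([string]$Path, [string]$Account)
    $acl = Get-Acl -Path $Path
    $explicit = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $Account })
    foreach ($ace in $explicit) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -Path $Path -AclObject $acl
}

# Lists the explicit ACEs so the change can be checked before telling the user to retry.
function Show-ExplicitAces([string]$Path) {
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize
}

# Case 1 (asker's plan): user just added to the Accounting group; grant them directly.
Add-TemporaryUserAce -Path 'D:\Shares\Accounting' -Account 'CONTOSO\jdoe' -Type Allow
# Case 2 (richencoo's suggestion): user just removed from a group; deny them explicitly.
Add-TemporaryUserAce -Path 'D:\Shares\Payroll' -Account 'CONTOSO\jdoe' -Type Deny -Rights FullControl
Show-ExplicitAces -Path 'D:\Shares\Accounting'
Show-ExplicitAces -Path 'D:\Shares\Payroll'
# After the user's next logon, clean up:
# Remove-UserAces -Path 'D:\Shares\Accounting' -Account 'CONTOSO\jdoe'
# Remove-UserAces -Path 'D:\Shares\Payroll'    -Account 'CONTOSO\jdoe'
```

One caveat worth keeping in mind: the ACL is evaluated when a file handle is opened, so a Deny ACE blocks new opens immediately but does not close files the user already has open; disconnecting the user's server session (as sphbecker suggested) is what forces those handles to be re-opened and re-checked.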