Why do rights come into effect after logging off & on?

Posted on 2005-03-17
Last Modified: 2013-12-04
Windows 2000 fileshare SP4
Client on XP and Win2K

I have a test file share on a Win2K server. Very standard: rights to this folder are governed by group membership, and the group is given rights to the folder.

Now, if I add my AD account to the group, nothing happens or at least doesn't happen for a very very long time.

The crux of the matter is that I've found that if I log off and back on, the effects of being a member of this group are immediate! Also, if I add my user account to the folder security rights, the effects are immediate. It's only when adding / removing the same account to the file security group that I have this lag.

Does anyone know why this is? Replication between DCs on the same site occurs every 20 mins. I've performed Secedit / GPupdates on all policies. I've forced replication to see if that is the issue. No replication issues.

This is driving me nuts hence the points.

Thanks

Question by: hotsox
6 Comments

Expert Comment by: Pete Long (ID: 13563096)
>>I've found that if I logoff and back on the effects on being a member of this group are immediate!

this is default behavior - you don't get access to a resource's ACL until your user object has rebooted or logged off and logged on :)
 
Accepted Solution by: Pete Long (ID: 13563112)
NTFS 5.0 in Windows 2000 stores an ACL with every file and folder on the NTFS partition or volume. The ACL includes all the users and groups that have access to the file or folder. In addition, it indicates what access, or specifically what permissions, each user or group is allowed to that file or folder. Then, whenever a user makes an attempt to access a file or folder on an NTFS partition or volume, the ACL is checked for an ACE (Access Control Entry) for that user account. The ACE will indicate what permissions are allowed for that user account. The user is granted access to that file or folder, provided that the access requested is defined within the ACE. In other words, when a user wants to read a file, the Access Control Entry is checked in that file's Access Control List. If the Access Control Entry for that user contains the Read permission, the user is granted access to read that file.
Consider the same user/helpdesk situation discussed earlier. When the support person makes the change to the permissions on the file the user needs access to, the change is immediately saved in that file's ACL. The user can then access the file without having to log out and back in.

This is only the case when assigning permissions to users for file or folder resources. When a user is added to a group to gain access to additional resources or otherwise, the user must log out and back in to access those resources. That is because NTFS permissions granted to groups are read in a different manner. For a more in-depth look at groups and group policies see Chapter 15, "Using Groups" and Chapter 16, "Understanding Group Policy."
http://www.windowsitlibrary.com/Content/592/1.html
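Why the two cases in the accepted solution behave differently, as an added note and example that is not part of the original thread: Windows collects the group SIDs of an account into its access token when that token is built at logon, and every NTFS access check compares the SIDs in the presented token against the ACEs in the object's ACL. A new ACE naming the user matches the token the user already holds, so it works at once; a new group membership only appears in a token built after the change, which is why a logoff and logon fixes it. The PowerShell below was written for this page (it is not code from the thread or from Windows), assumes a modern domain-joined client with PowerShell 5 or later and the RSAT ActiveDirectory module, and uses "\\fs01\finance" as a placeholder share. It lists the groups AD currently assigns to the account that the running token does not carry, and shows the one refresh path that does not need an interactive logoff: the file-server side of an SMB session.

```powershell
# Added example for this page, not code from the thread. Assumes PowerShell 5+,
# a domain-joined client and the RSAT ActiveDirectory module; "\\fs01\finance"
# is a placeholder share name.

function Get-TokenGroupNames {
    # Group SIDs carried by the CURRENT logon token, translated to DOMAIN\name.
    # These were fixed when the token was built at logon; a group the account
    # was added to afterwards is not in this list until a new token is built.
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        ForEach-Object {
            try { $_.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $_.Value }   # logon SIDs and some well-known SIDs do not translate
        }
}

function Get-StaleGroupMemberships {
    # Groups AD lists for the account right now that the running token lacks.
    $inToken = @(Get-TokenGroupNames)
    Get-ADPrincipalGroupMembership -Identity $env:USERNAME |
        ForEach-Object { "$env:USERDOMAIN\$($_.SamAccountName)" } |
        Where-Object { $inToken -notcontains $_ }
}

$stale = @(Get-StaleGroupMemberships)
if ($stale.Count -gt 0) {
    Write-Host 'In AD but not in this logon token (a new token is needed):'
    $stale | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host 'Logon token matches current AD group membership.'
}

# Network shares can be refreshed without logging off. The file server builds
# its own token for the SMB session from the Kerberos service ticket's group
# list (or from the DC for NTLM) at session setup. Discarding the cached
# Kerberos tickets and dropping the session makes it rebuild that token with
# the new membership. This does NOT refresh the interactive token on the
# workstation itself, so local NTFS access still needs a logoff/logon.
klist purge
net use \\fs01\finance /delete
net use \\fs01\finance
```

`whoami /groups` shows the same token group list without PowerShell, which is handy on the older clients the question is about.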

Author Comment by: hotsox (ID: 13563181)
Thanks for the excellent info. So if group membership NTFS permissions are read differently by the ACL, and, as you say, group membership rights only come into effect for the user after logging off and on, then I assume there's an inherent flaw in securing a file share: for example, if you wanted to remove a user quickly from having rights to a sensitive share, then unless the support staff run to the user's workstation and log them off and on, they'll potentially always have rights if they never log off and on?
 
Expert Comment by: Pete Long (ID: 13563220)
>> I assume there’s an inherent flaw in securing a file share, for example you wanted to remove a user quickly from having rights to a sensitive share then unless the support staff run to the user’s workstation and log them off and on then they’ll potentially always have rights if they never log off and on?


Well, sort of - BUT if you wanted to "remove a user quickly from having rights to a sensitive share" then you would DENY access for that user; then group membership doesn't matter :) DENY over-rides everything and user rights are applied instantly so they can get in (with or without a reboot :)

Pete
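The quick-revocation approach from the comment above, as an added example that is not part of the original thread, with two caveats a practitioner should know. First, "Deny overrides everything" holds within one inheritance level: NTFS reads an ACL in canonical order (explicit Deny, explicit Allow, then inherited Deny, inherited Allow), so an explicit Deny on the folder beats any Allow on it, but an explicit Allow on a child object beats a Deny inherited from the parent. Second, the access check runs when a handle is opened, so files the user already has open stay open until the handle or the SMB session is closed. The PowerShell below was written for this page (not code from the thread or from Windows); the folder, group and user names are placeholders.

```powershell
# Added example for this page, not code from the thread. Assumes a local test
# folder; "CONTOSO\FS-Finance-RW" and "CONTOSO\jdoe" are placeholder names.
$folder = 'D:\Shares\Finance'
$group  = 'CONTOSO\FS-Finance-RW'
$user   = 'CONTOSO\jdoe'

function New-FolderRule([string]$Identity, [string]$Rights, [string]$Type) {
    # Inheritable ACE for a folder: applies to the folder and everything under it.
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', $Type)
}

$acl = Get-Acl -Path $folder

# The normal model: Allow granted to the group. Whether jdoe benefits depends on
# whether the group SID is in the token presented at access time (see above).
$acl.AddAccessRule((New-FolderRule $group 'Modify' 'Allow'))

# The quick revocation: an explicit Deny naming the user. Explicit Deny ACEs are
# evaluated before explicit Allow ACEs, so this blocks jdoe on the next access
# check even though the token still carries the group SID. The check is done
# against the ACL on every open, not at logon, so no logoff is needed.
$acl.AddAccessRule((New-FolderRule $user 'FullControl' 'Deny'))

Set-Acl -Path $folder -AclObject $acl

# Check: explicit ACEs on the folder, in the order the access check reads them
# (Deny entries listed first).
(Get-Acl -Path $folder).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType, FileSystemRights |
    Format-Table -AutoSize

# Handles jdoe already holds are not re-checked. To force the re-check, close
# the user's SMB session on the file server, e.g. "net session \\<client> /delete"
# or Close-SmbSession (Windows Server 2012 and later); the client reconnects
# and the new Deny applies.
```

When the emergency is over, remove the Deny ACE rather than leaving it in place: a stale explicit Deny is easy to forget and will silently override any future group-based Allow for that user.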
 

Author Comment by: hotsox (ID: 13563365)
That's right. I forgot about that and now an implicit deny rules over all.

Thanks for the link. I needed a refresh on basic NTFS permissioning (as you can tell ;-) )

All’s well that ends well

h.
 
Expert Comment by: Pete Long (ID: 13563414)
No probs, glad I could help.

ThanQ