Solved

Why do rights come into effect after logging off & on?

Posted on 2005-03-17
Last Modified: 2013-12-04
Windows 2000 fileshare SP4
Client on XP and Win2K

I have a test file share on a Win2K server. Very standard, and rights to this folder are governed by a group membership and the group is given rights to the folder.

Now, if I add my AD account to the group, nothing happens or at least doesn't happen for a very very long time.

The crux of the matter is that I've found that if I log off and back on, the effects of being a member of this group are immediate! Also, if I add my user account to the folder security rights, the effects are immediate. It's only when adding / removing the same account to the file security group that I have this lag.

Does anyone know why this is? Replication between DCs on the same site occurs every 20 mins. I've performed Secedit / GPupdates on all policies. I've forced replication to see if that is the issue. No replication issues.

This is driving me nuts hence the points.

Thanks

Question by:hotsox
6 Comments
 
LVL 58

Expert Comment

by:Pete Long
ID: 13563096
>>I've found that if I logoff and back on the effects on being a member of this group are immediate!

This is default behavior - you don't get access to a resource's ACL until your user object has rebooted or logged off and logged on :)
0
 
LVL 58

Accepted Solution

by:
Pete Long earned 2000 total points
ID: 13563112
NTFS 5.0 in Windows 2000 stores an ACL with every file and folder on the NTFS partition or volume. The ACL includes all the users and groups that have access to the file or folder. In addition, it indicates what access or specifically what permissions each user or group is allowed to that file or folder. Then, whenever a user makes an attempt to access a file or folder on an NTFS partition or volume, the ACL checks for an ACE (Access Control Entry) for that user account. The ACE will indicate what permissions are allowed for that user account. The user is granted access to that file or folder, provided that the access requested is defined within the ACE. In other words, when a user wants to read a file, the Access Control Entry is checked in that file's Access Control List. If the Access Control Entry for that user contains the Read permission, the user is granted access to read that file.

Consider the same user/helpdesk situation discussed earlier. When the support person makes the change to the permissions on the file the user needs access to, the change is immediately saved in that file's ACL. The user can then access the file without having to log out and back in.

This is only the case when assigning permissions to users for file or folder resources. When a user is added to a group to gain access to additional resources or otherwise, the user must log out and back in to access those resources. That is because NTFS permissions granted to groups are read in a different manner. For a more in-depth look at groups and group policies see Chapter 15, "Using Groups" and Chapter 16, "Understanding Group Policy."
http://www.windowsitlibrary.com/Content/592/1.html
0
 

Author Comment

by:hotsox
ID: 13563181
Thanks for the excellent info. So if group membership NTFS permissions are read differently by the ACL, and, as you say, group membership rights only come into effect for the user after logging off and on, then I assume there’s an inherent flaw in securing a file share. For example, if you wanted to remove a user quickly from having rights to a sensitive share, then unless the support staff run to the user’s workstation and log them off and on, they’ll potentially always have rights if they never log off and on?
0
 
LVL 58

Expert Comment

by:Pete Long
ID: 13563220
>> I assume there’s an inherent flaw in securing a file share, for example you wanted to remove a user quickly from having rights to a sensitive share then unless the support staff run to the user’s workstation and log them off and on then they’ll potentially always have rights if they never log off and on?


Well, sort of - BUT if you wanted to "remove a user quickly from having rights to a sensitive share" then you would DENY access for that user, then group membership doesn't matter :) DENY overrides everything and user rights are applied instantly so they can get in (with or without a reboot) :)

Pete
0
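
Added example, not part of the original thread: a simplified Python model of the behaviour discussed above, covering both the accepted answer (user ACE versus group membership) and the DENY comment. It assumes the standard Windows design in which a logon session carries an access token listing the user's group SIDs as they were at logon; the names `alice`, `ShareUsers`, `logon`, `access_check` and `scenario` are constructed for illustration and are not Windows APIs.

```python
from dataclasses import dataclass

READ = 0x1  # constructed access-right bit for this model

@dataclass(frozen=True)
class Ace:
    kind: str  # "allow" or "deny"
    sid: str   # user or group name standing in for a SID
    mask: int

def logon(membership, user):
    """Build a token: the user plus the groups they belong to right now."""
    groups = {g for g, users in membership.items() if user in users}
    return frozenset({user} | groups)

def access_check(token, dacl, wanted):
    """Walk ACEs in order; deny ACEs are stored ahead of allow ACEs."""
    granted = 0
    for ace in dacl:
        if ace.sid not in token:
            continue  # ACE names a SID this token does not carry
        if ace.kind == "deny" and ace.mask & wanted:
            return False
        if ace.kind == "allow":
            granted |= ace.mask
        if granted & wanted == wanted:
            return True
    return False  # no matching allow ACE: access is not granted

def scenario():
    membership = {"ShareUsers": set()}          # constructed group
    dacl = [Ace("allow", "ShareUsers", READ)]   # folder ACL grants the group
    token = logon(membership, "alice")          # alice logs on, not yet a member
    out = {}
    membership["ShareUsers"].add("alice")       # admin adds her to the group
    out["added_old_token"] = access_check(token, dacl, READ)
    token = logon(membership, "alice")          # log off and back on
    out["added_new_token"] = access_check(token, dacl, READ)
    membership["ShareUsers"].discard("alice")   # admin removes her again
    out["removed_old_token"] = access_check(token, dacl, READ)
    dacl.insert(0, Ace("deny", "alice", READ))  # deny ACE on the user herself
    out["denied_old_token"] = access_check(token, dacl, READ)
    return out

if __name__ == "__main__":
    for step, allowed in scenario().items():
        print(f"{step}: {'access' if allowed else 'no access'}")
```

The ACL is read on every access, so an ACE naming the user applies at once, while the group list in the token is only rebuilt at the next logon.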
 

Author Comment

by:hotsox
ID: 13563365
That’s right. I forgot about that and know an implicit deny rules over all.

Thanks for the link. I needed a refresh on basic NTFS permissioning (as you can tell ;-) )

All’s well that ends well

h.
0
 
LVL 58

Expert Comment

by:Pete Long
ID: 13563414
no probs Glad I could Help

ThanQ
0


Question has a verified solution.
