Solved

Group permissions

Posted on 2006-04-14
Last Modified: 2010-04-19
I have a SBS2003 server.  I recently noticed that new security groups added to the server require a reboot of the server before their NTFS permissions work.   Example:

I create a share called "Share".  The share permissions are set for Everyone - full control.  I set the NTFS permissions to allow full control of the folder to the "Group" group.  I add members to the group and attempt to access the folder via an account that I added as a member.  I get access denied.   If I look at the effective permissions, it tells me that the user account has full access. A reboot of the server seems to fix the issue.

This seems oddly similar to a bug in SBS2003 where the RUS was not working and newly created mailboxes would not be available until a reboot.  SP1 fixed that issue if I recall...

Any thoughts?

0
Question by:hmmfe
9 Comments
 
LVL 7

Expert Comment

by:MessHallMan
ID: 16456743
Any time you add additional members to a group, the end user will need to log out and back in prior to the permissions working.  The end user has already picked up their security identifier when they signed into their workstation and authenticated and would not pick up the new group security info until the end user signs in again.
0
 

Author Comment

by:hmmfe
ID: 16456806
Right.  But the only thing that seems to help is a reboot of the server itself.  Reboots of the client do not seem to work.
0
 
LVL 4

Accepted Solution

by:
mattridings earned 225 total points
ID: 16457303
As MessHallMan stated group membership for a user is only evaluated at logon (whereas group membership of a computer is evaluated at startup).

It's possible that for some reason your clients are caching their credentials and not being re-evaluated at logon.

Check your server Event Viewer and see if you have any issues related to Userenv, etc.  Could be an issue with spotty or slow recognition of the domain controller at logon, in which case they are simply using their cached credentials.  A server reboot on the other hand is probably shocking the network such that they then recognize it due to all the 'Master Browser' requests getting flooded onto the net at that point.

Matt Ridings
MSR Consulting
0
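
An added example, not part of any poster's answer: a read-only PowerShell check of the point made in the accepted solution, listing domain groups that the directory reports for the current user but that are absent from the logon token. It assumes it is run in the affected user's session on a domain-joined machine.

```powershell
# Added example (not from the thread). Run in the affected user's session on a
# domain-joined machine. Read-only: it changes nothing.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Group SIDs baked into the access token when this logon session was created.
$tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

# Locate the same account in Active Directory by its SID.
$searcher = [adsisearcher]"(objectSid=$($identity.User.Value))"
$found = $searcher.FindOne()
if (-not $found) { throw "Account not found in the directory (local account?)." }
$entry = $found.GetDirectoryEntry()

# tokenGroups is a constructed attribute: the directory computes the transitive
# group SIDs on request, so it reflects membership as of now.
$entry.RefreshCache(@('tokenGroups'))
$directorySids = foreach ($bytes in $entry.Properties['tokenGroups']) {
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

# Compare domain SIDs only (S-1-5-21-...). Well-known and machine-local SIDs
# legitimately differ between the token and the directory.
$missing = @($directorySids | Where-Object {
    $_ -like 'S-1-5-21-*' -and $tokenSids -notcontains $_
})

if ($missing.Count -eq 0) {
    "Token already carries every domain group the directory reports."
} else {
    "Groups in the directory but absent from this logon token:"
    foreach ($sid in $missing) {
        $sidObject = New-Object System.Security.Principal.SecurityIdentifier($sid)
        try   { $name = $sidObject.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(name not resolved)' }
        "  {0}  {1}" -f $sid, $name
    }
}
```

Any group listed was added after the session's token was built and will not be used in access checks until the user logs on again.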
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16459618
What you are referring to regarding RUS was: http://support.microsoft.com/kb/837444 which was an issue with EXCHANGE not Server 2003 or SBS 2003.

I would wonder... you say you are adding the "GROUP" to NTFS permissions and then adding members to that group afterwards... what happens if you add members to a particular security group prior to giving that group full access permissions on your share?  Does that change the situation?  (Of course, a user would still have to log off and back on to get the proper permissions).

Jeff
TechSoEasy
0
 

Author Comment

by:hmmfe
ID: 16460929
Only reason I brought up the RUS issue was that this seems oddly similar... not really on point but strange nonetheless.  I had not encountered that issue with RUS and Exchange. It seemed to only affect my SBS customers.  Oh, well.

It really does not matter - my example above was meant to be a general description not necessarily the exact order of execution.  I've tried all combinations, however. The only thing that seems to "activate", so to speak, the addition of the group is to reboot the server.  Strange thing is that the effective permissions tool does show proper permissions for the group and members of the group.

Matt:  No unusual things in the event log.  I had thought about people rebooting and using cached credentials but that does not seem to be it.

I am about to just let this one go as this particular customer almost never adds security groups and I can just time additions with patching, etc.


0
 
LVL 4

Expert Comment

by:mattridings
ID: 16460952
The application of permissions is a pretty straightforward hierarchy in win 2003.  There's no question of how it works, just a question of why your clients aren't picking them up.

Just to satiate curiosity you might make the changes, not reboot the server, and see how long (if ever I guess) it takes for the clients to pick up the changes.  The resultant information might assist in narrowing down a trigger.  Not so important in this instance if your client rarely makes group permission changes but this situation might get more important because it's likely that it's also affecting broader sync issues like group policies, etc. that you might one day need to apply as expected.

Matt Ridings
MSR Consulting
0
 

Author Comment

by:hmmfe
ID: 16460972
Matt:  No doubt.  I am sure this issue will come back to bite me in the arse.   I am running just sort of a test over the weekend.  We'll see Monday AM whether permissions are working correctly then.

Thanks for all the suggestions and sanity check to make sure I was not just doing something stupid.

0
 
LVL 74

Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 150 total points
ID: 16462129
hmmfe...

A couple of questions that could help to straighten this out.

Are all of the users in the default OU?  MyBusiness > Users > SBSUsers?

Are all of the Security Groups that you are creating in the default OU?  MyBusiness > Security Groups ?
(If you use the add-security-group wizard from Server Management Console > Security Groups, they will be placed in the default OU automatically).

Jeff
TechSoEasy
0
 

Author Comment

by:hmmfe
ID: 16582603
Yeah, both the users and the groups are in the default OU.  I am done for now with this issue, but wanted to thank all for the responses.

0


Question has a verified solution.
