Group permissions

I have a SBS2003 server.  I recently noticed that new security groups added to the server require a reboot of the server before their NTFS permissions work.   Example:

I create a share called "Share".  The share permissions are set for Everyone - full control.  I set the NTFS permissions to allow full control of the folder to the "Group" group.  I add members to the group and attempt to access the folder via an account that I added as a member.  I get access denied.   If I look at the effective permissions, it tells me that the user account has full access. A reboot of the server seems to fix the issue.

This seems oddly similar to a bug in SBS2003 where the RUS was not working and newly created mailboxes would not be available until a reboot.  SP1 fixed that issue if I recall...

Any thoughts?

hmmfe Asked:

MessHallMan Commented:
Any time you add additional members to a group, the end user will need to log out and back in prior to the permissions working.  The end user has already picked up their security identifier when they signed into their workstation and authenticated and would not pick up the new group security info until the end user signs in again.
0
hmmfe (Author) Commented:
Right.  But the only thing that seems to help is a reboot of the server itself.  Reboots of the client do not seem to work.
0
mattridings Commented:
As MessHallMan stated, group membership for a user is only evaluated at logon (whereas group membership of a computer is evaluated at startup).

It's possible that for some reason your clients are caching their credentials and not being re-evaluated at logon.

Check your server Event Viewer and see if you have any issues related to Userenv, etc.  Could be an issue with spotty or slow recognition of the domain controller at logon, in which case they are simply using their cached credentials.  A server reboot, on the other hand, is probably shocking the network such that they then recognize it due to all the 'Master Browser' requests getting flooded onto the net at that point.

Matt Ridings
MSR Consulting
0
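
Added example, not part of any post in this thread: a PowerShell check, run as the affected user, that compares the groups in the current logon token with the user's direct group memberships in the directory, which is the mismatch the comments above describe. It assumes a domain-joined client with PowerShell 2.0 or later; `Group` is the placeholder group name from the question.

```powershell
# Added example, not from the thread. Run as the affected user on a
# domain-joined client; assumes PowerShell 2.0 or later.
param(
    [string]$GroupName = 'Group'   # placeholder: the group named in the question
)

# 1. Groups in the current logon token. This is a snapshot taken at logon
#    and does not change while the session stays open.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenGroups = @(foreach ($sid in $identity.Groups) {
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }           # SID that does not resolve to a name
})
# Compare on the name after DOMAIN\ so the domain prefix does not matter.
$inToken = @($tokenGroups | Where-Object { ($_ -split '\\')[-1] -eq $GroupName }).Count -gt 0

# 2. Direct memberships recorded in the directory right now. memberOf lists
#    direct groups only (no nesting, no primary group), and this assumes the
#    group's CN matches its logon name.
$searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
$user = $searcher.FindOne()
if (-not $user) { throw "User '$env:USERNAME' not found in the directory." }
$dirGroups = @($user.Properties['memberof'] | ForEach-Object {
    if ($_ -match '^CN=([^,]+),') { $Matches[1] }
})
$inDirectory = $dirGroups -contains $GroupName

# 3. Interpret the combination.
if ($inDirectory -and -not $inToken) {
    "STALE TOKEN: '$GroupName' is in the directory but not in this logon token. Log off and on again."
} elseif ($inDirectory -and $inToken) {
    "OK: '$GroupName' is in both the directory and the token. Look at the ACL or the server session instead."
} elseif ($inToken) {
    "REMOVED: '$GroupName' is still in the token but no longer a direct membership in the directory."
} else {
    "NOT A MEMBER: '$GroupName' is in neither place (check nested groups)."
}
```

The Effective Permissions tab is calculated from directory group membership rather than from the user's live token, so it can report access that an already-open session does not yet have.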

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
What you are referring to regarding RUS was: http://support.microsoft.com/kb/837444 which was an issue with EXCHANGE not Server 2003 or SBS 2003.

I would wonder... you say you are adding the "GROUP" to NTFS permissions and then adding members to that group afterwards... what happens if you add members to a particular security group prior to giving that group full access permissions on your share?  Does that change the situation?  (Of course, a user would still have to log off and back on to get the proper permissions).

Jeff
TechSoEasy
0
hmmfe (Author) Commented:
Only reason I brought up the RUS issue was that this seems oddly similar... not really on point but strange nonetheless.  I had not encountered that issue with RUS and Exchange. It seemed to only affect my SBS customers.  Oh, well.

It really does not matter - my example above was meant to be a general description, not necessarily the exact order of execution.  I've tried all combinations, however. The only thing that seems to "activate", so to speak, the addition of the group is to reboot the server.  Strange thing is that the effective permissions tool does show proper permissions for the group and members of the group.

Matt:  No unusual things in the event log.  I had thought about people rebooting and using cached credentials but that does not seem to be it.

I am about to just let this one go as this particular customer almost never adds security groups and I can just time additions with patching, etc.


0
mattridings Commented:
The application of permissions is a pretty straightforward hierarchy in win 2003.  There's no question of how it works, just a question of why your clients aren't picking them up.

Just to satiate curiosity you might make the changes, not reboot the server, and see how long (if ever, I guess) it takes for the clients to pick up the changes.  The resultant information might assist in narrowing down a trigger.  Not so important in this instance if your client rarely makes group permission changes, but this situation might get more important because it's likely that it's also affecting broader sync issues like group policies, etc. that you might one day need to apply as expected.

Matt Ridings
MSR Consulting
0
hmmfe (Author) Commented:
Matt:  No doubt.  I am sure this issue will come back to bite me in the arse.   I am running just sort of a test over the weekend.  We'll see Monday AM whether permissions are working correctly then.

Thanks for all the suggestions and sanity check to make sure I was not just doing something stupid.

0
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
hmmfe...

A couple of questions that could help to straighten this out.

Are all of the users in the default OU?  MyBusiness > Users > SBSUsers?

Are all of the Security Groups that you are creating in the default OU?  MyBusiness > Security Groups ?
(If you use the add-security-group wizard from Server Management Console > Security Groups, they will be placed in the default OU automatically).

Jeff
TechSoEasy
0
hmmfe (Author) Commented:
Yeah, both the users and the groups are in the default OU.  I am done for now with this issue, but wanted to thank all for the responses.

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.