Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1703
  • Last Modified:

XP aware of NTFS permission change without logging off

I have a standard W2K3 domain set up with shared folders.

Users are running XP Pro, and often have a shared folder mapped to a network drive.

If a user doesn't have access to a particular folder and requires it, i'll add them to the group with relevant permissions on that folder.

After adding user to the new group, users can't access the shared folder until..
a) they log off and back on again
b) wait a little while... (not sure exactly,..  15 mins maybe?)

Is there anything i can do on either the client or the server to force the XP machine to be aware that the user/group permission has changed?  Preferable one which doesn't involve (a) or (b)

0
Sc0tte
Asked:
Sc0tte
1 Solution
 
dhoffman_98Commented:
I'm not sure that B is really going to make a difference unless you have some GPO that is making changes... but in general making a change to group membership means that the user's Kerberos token will change. This token contains the user's security information, including group membership information. The security token is called each time you attempt to access a privileged resource and if the token has the appropriate information your access will be granted or denied.

The trick is this... the Kerberos token is generated at login time... thus the need for a user to log out and log in again.
0
 
SagiEDocCommented:
dhoffman_98 is spot on, however the reason option B also works is because of replication, a call is made to AD on a deny to verify Group membership (in case changes have been made) it will work at this point because AD is fully replicated and able to confirm membership. To answer your question there is no other way to get this process over with out using option A or B. What you could do is force a replication, but to do this after each group membership update will be frustrating, rather just wait out the 15 minutes or reboot.
0
 
http:// thevpn.guruCommented:
try
gpupdate /force
0
 
dhoffman_98Commented:
The original question said nothing about GPOs. So what is gpupdate going to do? It does nothing for refreshing the token or NTFS permissions.
0
 
Computer101Commented:
Forced accept.

Computer101
EE Admin
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now