  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 557

users in Domain Local group get "access denied" on shared folders

I have a major problem. For some reason, I discovered that users in our Domain Local groups in a single domain got "access denied" when they tried to access folders on a member server that they should have full access to.


The sharing permission is set as: Everyone, Full Control.
The file/folder permission for this Domain Local group is set as: Modify.

This member server used to be a DC, but has recently been demoted to member server.
Asked by: PaperTiger
1 Solution
 
Henrik Johansson, Systems engineer, commented:
Are the users members of any group with an explicit Deny permission? If so, that permission overrides the Allow permission.

Check with the setspn command that the server has the correct SPNs set.
They should include HOST/<computername> and HOST/<computername>.<dns-suffix>.
 
PaperTiger (Author) commented:
No, there's no deny permission. If I add the users instead of the domain local group, everything works fine.
 
PaperTiger (Author) commented:
Anybody?
 
Henrik Johansson, Systems engineer, commented:
Did you check the ServicePrincipalName with setspn?
setspn -l servername
 
PaperTiger (Author) commented:
What does setspn do?
 
Henrik Johansson, Systems engineer, commented:
The command lists/modifies ServicePrincipalNames for users/computers.
http://technet.microsoft.com/en-us/library/cc773257.aspx

A possible reason for your problem is that the HOST/CIFS SPN doesn't match.
 
PaperTiger (Author) commented:
Is it true that the "domain local" type of security group can only be used on a domain controller?
 
Henrik Johansson, Systems engineer, commented:
No, you can use DL groups on any machine in the local domain.

Did you check the SPNs for the server?
 
PaperTiger (Author) commented:
Here's what I got:

C:\Program Files\Resource Kit>setspn -L MyDomainController
Registered ServicePrincipalNames for CN=MyDomainController,OU=Domain Controllers,DC=mycompany,DC=com:
    GC/MyDomainController.mycompany.com/mycompany.com
    LDAP/0a137aac-daec-48d3-8579-da4fb177000e._msdcs.mycompany.com
    LDAP/MyDomainController.mycompany.com/OldNTServer
    LDAP/MyDomainController
    LDAP/MyDomainController.mycompany.com
    LDAP/MyDomainController.mycompany.com/mycompany.com
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/0a137aac-daec-48d3-8579-da4fb177000e/mycompany.com
    SMTPSVC/MyDomainController
    SMTPSVC/MyDomainController.mycompany.com
    HOST/MyDomainController.mycompany.com/WED01
    HOST/MyDomainController.mycompany.com/mycompany.com
    DNS/MyDomainController.mycompany.com
    NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/MyDomainController.mycompany.com

    HOST/MyDomainController
    HOST/MyDomainController.mycompany.com

C:\Program Files\Resource Kit>
 
Henrik Johansson, Systems engineer, commented:
As you stated that the server has been demoted and isn't a DC anymore, remove all unnecessary SPNs with GC and LDAP:
setspn -D LDAP/<servername>.mycompany.com
Reset host-SPN: setspn -R <servername>
 
PaperTiger (Author) commented:
Sorry, the above was run on my DC. Here's the result from the member server which was demoted from a DC:

C:\Program Files\Resource Kit>setspn -L MyMemberServer
Registered ServicePrincipalNames for CN=MyMemberServer,CN=Computers,DC=mycompany,DC=com:
    SMTPSVC/MyMemberServer
    SMTPSVC/MyMemberServer.mycompany.com
    HOST/MyMemberServer.mycompany.com
    HOST/MyMemberServer
    HOST/MyMemberServer.mycompany.com
    HOST/MyMemberServer.mycompany.com/mycompany.com
    NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/MyMemberServer.mycompany.com
    DNS/MyMemberServer.mycompany.com

C:\Program Files\Resource Kit>
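The SPN checks Henrik describes above (the HOST/<name> pair, and removing DC-only SPNs after a demotion), as an added example that is not from this thread: a small Python audit that parses setspn -L output, here the member-server listing quoted above embedded as constructed input, flags duplicates and leftover DC-only service classes (GC, LDAP, the DRS replication GUID class, NtFrs), and prints the corresponding setspn cleanup commands. The host name and DNS suffix are parameters you supply.

```python
import re

# Constructed sample input: the setspn -L listing for the demoted server quoted in the thread.
DEMOTED_SERVER_LISTING = """\
Registered ServicePrincipalNames for CN=MyMemberServer,CN=Computers,DC=mycompany,DC=com:
    SMTPSVC/MyMemberServer
    SMTPSVC/MyMemberServer.mycompany.com
    HOST/MyMemberServer.mycompany.com
    HOST/MyMemberServer
    HOST/MyMemberServer.mycompany.com
    HOST/MyMemberServer.mycompany.com/mycompany.com
    NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/MyMemberServer.mycompany.com
    DNS/MyMemberServer.mycompany.com
"""

# Service classes that only a domain controller registers: global catalog, LDAP,
# the DRS replication GUID class, and FRS (SYSVOL) replication. SPNs compare case-insensitively.
DC_ONLY_CLASS = re.compile(r"^(GC|LDAP|E3514235-4B06-11D1-AB04-00C04FC2DCD2|NtFrs-[0-9a-f-]+)/", re.I)


def parse_spns(listing):
    """Return the SPNs from setspn -L output: the indented lines after the header line."""
    return [ln.strip() for ln in listing.splitlines() if ln.startswith(" ") and ln.strip()]


def audit_spns(spns, hostname, dns_suffix, is_dc):
    """Check the HOST pair, find duplicate SPNs, and flag DC-only SPNs on a non-DC."""
    lower = [s.lower() for s in spns]
    wanted = [f"HOST/{hostname}", f"HOST/{hostname}.{dns_suffix}"]
    missing = [w for w in wanted if w.lower() not in lower]
    dupes = sorted({s for s in spns if lower.count(s.lower()) > 1})
    stale = [] if is_dc else [s for s in spns if DC_ONLY_CLASS.match(s)]
    # setspn -D <SPN> <computer> removes one SPN; setspn -R <computer> re-registers the HOST pair.
    cleanup = [f"setspn -D {s} {hostname}" for s in stale]
    if missing or dupes:
        cleanup.append(f"setspn -R {hostname}")
    return {"missing_host": missing, "duplicates": dupes, "stale": stale, "cleanup": cleanup}


if __name__ == "__main__":
    report = audit_spns(parse_spns(DEMOTED_SERVER_LISTING), "MyMemberServer", "mycompany.com", is_dc=False)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against `setspn -L <server>` output saved to a file to get the cleanup commands for review before executing any of them.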
 
oBdA commented:
Domain local groups can *only* be used on member servers if the domain functional level is at least Windows 2000 native; they can NOT be used in mixed mode or Server 2003 interim.
If this worked while the machine was still a DC, then I suspect that your domain is still running in mixed or interim mode.
If you don't have NT4 *DCs* anymore, you can safely upgrade to native.
If you don't have W2k *DCs* anymore, and don't plan to ever introduce any, you can upgrade to full W2k3 functional level.
Member servers are NOT affected by a change in the functional level.
Check here for details:
How to raise domain and forest functional levels in Windows Server 2003
http://support.microsoft.com/kb/322692
 
PaperTiger (Author) commented:
Thank you. I think this is probably why. I am going to try once I upgrade to Win 2000 native mode.