Solved

users in Domain Local group get "access denied" on shared folders

Posted on 2008-10-01
Last Modified: 2013-12-05
I have a major problem. For some reason, I discovered that users in our Domain Local groups in a single domain got "access denied" when they tried to access folders on a member server that they should have full access to.


The sharing permission is set as: everyone, full control
the file/folder permission for this Domain Local group is set as: Modify

This member server used to be a DC, but has recently been demoted to member server.
Question by:PaperTiger

15 Comments
 
Expert Comment by: Henrik Johansson (LVL 31), ID: 22619744
Are the users members of any group with an explicit Deny permission? If so, that permission overrides the Allow permission.

Check with the setspn command that the server has the correct SPNs set.
They should include HOST/<computername> and HOST/<computername>.<dns-suffix>
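One way to work through the Deny check above on the member server itself, as an added example that is not code from this thread: the script lists every ACE on the folder, marks Deny entries (which win over any Allow), and says whether each ACE's principal SID is actually present in the affected user's logon token. The share and folder paths, file name and SIDs are placeholders; the token SIDs come from "whoami /groups /fo csv" run as that user on that server.

```powershell
# Added example; not code from the original thread. Triage a folder's NTFS ACL
# against the SIDs in the affected user's logon token.
# Assumptions: run step 2 as an administrator on the member server; the SID list
# in step 1 was captured as the affected user on the same server. 'D:\Shares\Finance'
# and 'token-sids.txt' are placeholders.

function Get-AceTriage {
    param(
        [Parameter(Mandatory=$true)] [string]   $Path,
        [Parameter(Mandatory=$true)] [string[]] $TokenSids   # SIDs from the user's logon token
    )
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {              # Access includes inherited entries
        try {
            # Resolve the ACE principal to its SID so it can be compared with the token
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value  # orphaned SID that no longer resolves to a name
        }
        New-Object PSObject -Property @{
            Type      = $ace.AccessControlType    # a Deny overrides any Allow
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited          # a Deny inherited from a parent is easy to miss
            InToken   = ($TokenSids -contains $sid)
        }
    }
}

# Step 1, as the affected user on the member server: capture the token SIDs.
# "whoami /groups /fo csv" has a "SID" column; save the list for step 2.
#   (whoami /groups /fo csv | ConvertFrom-Csv).SID | Set-Content token-sids.txt
#
# Step 2, as an administrator on the same server:
#   $sids = Get-Content token-sids.txt
#   Get-AceTriage -Path 'D:\Shares\Finance' -TokenSids $sids |
#       Select-Object Type, Principal, Rights, Inherited, InToken |
#       Sort-Object Type -Descending | Format-Table -AutoSize
```

Read the result like this: a Deny row with InToken = True explains an "access denied" outright. An Allow row for the Domain Local group with Modify rights but InToken = False means the user never received that group's SID at logon on this server, so the ACE never applies to them even though it looks correct in the folder properties; that is why adding the users individually works while the group does not.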
 
Author Comment by: PaperTiger (LVL 8), ID: 22620085
No, there's no deny permission. If I add the users instead of the domain local group, everything works fine.

Author Comment by: PaperTiger (LVL 8), ID: 22722122
anybody?
Expert Comment by: Henrik Johansson (LVL 31), ID: 22722171
Did you check the ServicePrincipalName with setspn?
setspn -l servername

Author Comment by: PaperTiger (LVL 8), ID: 22724931
what does the setspn do?

Expert Comment by: Henrik Johansson (LVL 31), ID: 22725077
The command lists/modifies ServicePrincipalNames for users/computers
http://technet.microsoft.com/en-us/library/cc773257.aspx

A possible reason for your problem is that the HOST/CIFS SPN doesn't match.

Author Comment by: PaperTiger (LVL 8), ID: 22781035
Is it true that the "domain local" type of security group can only be used on a domain controller?

Expert Comment by: Henrik Johansson (LVL 31), ID: 22804799
No, you can use DL groups on any machine in the local domain.

Did you check the SPNs for the server?

Author Comment by: PaperTiger (LVL 8), ID: 22812795
Here's what I got:

C:\Program Files\Resource Kit>setspn -L MyDomainController
Registered ServicePrincipalNames for CN=MyDomainController,OU=Domain Controllers,DC=mycompany,DC=com:
    GC/MyDomainController.mycompany.com/mycompany.com
    LDAP/0a137aac-daec-48d3-8579-da4fb177000e._msdcs.mycompany.com
    LDAP/MyDomainController.mycompany.com/OldNTServer
    LDAP/MyDomainController
    LDAP/MyDomainController.mycompany.com
    LDAP/MyDomainController.mycompany.com/mycompany.com
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/0a137aac-daec-48d3-8579-da4fb177000e/mycompany.com
    SMTPSVC/MyDomainController
    SMTPSVC/MyDomainController.mycompany.com
    HOST/MyDomainController.mycompany.com/WED01
    HOST/MyDomainController.mycompany.com/mycompany.com
    DNS/MyDomainController.mycompany.com
    NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/MyDomainController.mycompany.com

    HOST/MyDomainController
    HOST/MyDomainController.mycompany.com

C:\Program Files\Resource Kit>

Expert Comment by: Henrik Johansson (LVL 31), ID: 22815282
As you stated that the server has been demoted and isn't a DC anymore, remove all unnecessary SPNs with GC and LDAP:
setspn -D LDAP/<servername>.mycompany.com <servername>
Reset the host SPNs: setspn -R <servername>

Author Comment by: PaperTiger (LVL 8), ID: 22815504
Sorry, the above was run on my DC. Here's the result from the member server which was demoted from a DC:

C:\Program Files\Resource Kit>setspn -L MyMemberServer
Registered ServicePrincipalNames for CN=MyMemberServer,CN=Computers,DC=mycompany
,DC=com:
    SMTPSVC/MyMemberServer
    SMTPSVC/MyMemberServer.mycompany.com
    HOST/MyMemberServer.mycompany.com
    HOST/MyMemberServer
    HOST/MyMemberServer.mycompany.com
    HOST/MyMemberServer.mycompany.com/mycompany.com
    NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/MyMemberServer.mycompany.com
    DNS/MyMemberServer.mycompany.com

C:\Program Files\Resource Kit>
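Henrik's cleanup advice, applied to the SPN list PaperTiger posted for the demoted server, as an added example that is not part of the original thread. The script parses "setspn -L" output, flags the service classes that only exist because the box used to be a domain controller, and prints the setspn -D command for each; it executes nothing. The list below is PaperTiger's posted output embedded as constructed input so the script runs offline; the classification rules are this example's own, not from the thread.

```powershell
# Added example; not code from the original thread. Classify the SPNs left on a
# demoted DC and print the setspn commands that would clean them up.
# Assumptions: setspn.exe is on the path for the live run; the sample below is the
# output posted in the thread for the demoted member server, embedded as input.

$sample = @'
Registered ServicePrincipalNames for CN=MyMemberServer,CN=Computers,DC=mycompany,DC=com:
    SMTPSVC/MyMemberServer
    SMTPSVC/MyMemberServer.mycompany.com
    HOST/MyMemberServer.mycompany.com
    HOST/MyMemberServer
    HOST/MyMemberServer.mycompany.com
    HOST/MyMemberServer.mycompany.com/mycompany.com
    NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/MyMemberServer.mycompany.com
    DNS/MyMemberServer.mycompany.com
'@ -split "`r?`n"

# Service classes that only a domain controller serves. DNS is deliberately not
# listed: a member server can legitimately keep running the DNS role.
$dcOnly = @{
    'GC'   = 'global catalog endpoint; only a DC serves this'
    'LDAP' = 'directory service endpoint; only a DC serves this'
    'E3514235-4B06-11D1-AB04-00C04FC2DCD2' = 'DRS replication endpoint; only a DC has this'
}
# Classes to look at by hand before deleting.
$review = @{
    'NtFrs-' = 'FRS replication: SYSVOL on a DC, but also FRS-based DFS replicas, so confirm first'
}

function Get-SpnReport {
    param([string[]] $SetspnOutput, [string] $ComputerName)
    $seen = @{}
    foreach ($line in $SetspnOutput) {
        # SPN lines are indented "class/instance..."; the header line is not indented
        if ($line -match '^\s+([^/\s]+)/') {
            $spn   = $line.Trim()
            $class = $matches[1]
            $verdict = 'keep'; $reason = ''; $fix = ''
            if ($dcOnly.ContainsKey($class)) {
                $verdict = 'remove'; $reason = $dcOnly[$class]
                $fix = "setspn -D $spn $ComputerName"
            } else {
                foreach ($prefix in $review.Keys) {
                    if ($class.StartsWith($prefix)) { $verdict = 'review'; $reason = $review[$prefix] }
                }
            }
            if ($seen.ContainsKey($spn)) {
                # The posted list shows HOST/<fqdn> twice. Rebuild the HOST entries with
                # setspn -R rather than deleting, which would drop the only copy.
                $verdict = 'reset'; $reason = 'listed twice'; $fix = "setspn -R $ComputerName"
            }
            $seen[$spn] = $true
            New-Object PSObject -Property @{ Spn = $spn; Verdict = $verdict; Reason = $reason; Fix = $fix }
        }
    }
}

Get-SpnReport -SetspnOutput $sample -ComputerName 'MyMemberServer' |
    Select-Object Spn, Verdict, Fix, Reason | Format-Table -AutoSize -Wrap

# Against the live computer object instead of the sample:
#   Get-SpnReport -SetspnOutput (setspn -L MyMemberServer) -ComputerName MyMemberServer
```

For the list in the thread this prints no "remove" rows (the GC and LDAP entries were on the real DC, not here), one "review" row for the NtFrs SPN, and a "reset" row for the duplicated HOST/MyMemberServer.mycompany.com entry. Run the printed commands only after checking them; a wrong -D deletes the SPN that Kerberos clients need to reach the file share.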
 
Accepted Solution by: oBdA (LVL 84), earned 500 total points, ID: 24166471
Domain local groups can *only* be used on member servers if the domain functional level is at least Windows 2000 native; they can NOT be used in mixed mode or Server 2003 interim.
If this worked while the machine was still a DC, then I suspect that your domain is still running in mixed or interim mode.
If you don't have NT4 *DCs* anymore, you can safely upgrade to native.
If you don't have W2k *DCs* anymore, and don't plan to ever introduce any, you can upgrade to full W2k3 functional level.
Member servers are NOT affected by a change in the functional level.
Check here for details:
How to raise domain and forest functional levels in Windows Server 2003
http://support.microsoft.com/kb/322692
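A way to confirm the diagnosis in the accepted answer before touching the functional level, as an added example that is not code from this thread. The script reads the domain functional level and the ntMixedDomain flag through ADSI, works out whether domain local groups reach member servers at that level, and reports a group's scope from its groupType bits. It only reads; raising the level is done as the linked KB article describes. 'FinanceUsers' is a placeholder group name, and the mode-to-usability mapping encodes the rule stated in the answer.

```powershell
# Added example; not code from the original thread. Read the domain mode and a
# group's scope via ADSI (no RSAT module needed) on any domain-joined machine.
# 'FinanceUsers' is a placeholder group name.

function Get-DomainMode {
    $rootDse = [ADSI]'LDAP://RootDSE'
    $domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    # domainFunctionality: 0 = Windows 2000, 1 = Server 2003 interim, 2 = Server 2003,
    # 3 and up = Server 2008 and later. A Windows 2000 DC does not expose the attribute
    # at all, which also means level 0.
    $raw   = "$($rootDse.domainFunctionality)"
    $level = 0
    if ($raw) { $level = [int]$raw }
    # Level 0 covers both 2000 mixed and 2000 native; ntMixedDomain on the domain
    # object tells them apart (1 = mixed, 0 = native).
    $mixed = ("$($domain.ntMixedDomain)" -eq '1')
    $mode = switch ($level) {
        0       { if ($mixed) { 'Windows 2000 mixed' } else { 'Windows 2000 native' } }
        1       { 'Windows Server 2003 interim' }
        2       { 'Windows Server 2003' }
        default { "level $level (Windows Server 2008 or later)" }
    }
    New-Object PSObject -Property @{
        Mode = $mode
        # Domain local groups reach member servers in 2000 native and 2003 or later,
        # not in 2000 mixed and not in 2003 interim.
        DomainLocalUsableOnMembers = (($level -ge 2) -or ($level -eq 0 -and -not $mixed))
    }
}

function Get-GroupScope {
    param([Parameter(Mandatory=$true)] [string] $SamAccountName)
    $result = ([ADSISearcher]"(&(objectCategory=group)(sAMAccountName=$SamAccountName))").FindOne()
    if (-not $result) { throw "group '$SamAccountName' not found" }
    $type = [int]$result.Properties['grouptype'][0]
    $sid  = New-Object System.Security.Principal.SecurityIdentifier($result.Properties['objectsid'][0], 0)
    # groupType bits: 0x2 global, 0x4 domain local, 0x8 universal; bit 31 set = security-enabled
    $scope = 'Unknown'
    if ($type -band 0x2) { $scope = 'Global' }
    if ($type -band 0x4) { $scope = 'DomainLocal' }
    if ($type -band 0x8) { $scope = 'Universal' }
    New-Object PSObject -Property @{
        Group = $SamAccountName; Scope = $scope; SecurityEnabled = ($type -lt 0); Sid = $sid.Value
    }
}

Get-DomainMode | Format-List
Get-GroupScope -SamAccountName 'FinanceUsers' | Format-List
```

If Mode comes back as "Windows 2000 mixed" or "Windows Server 2003 interim" while the group shows Scope = DomainLocal, the behaviour in the question is expected: the group works in ACLs on the DC but its SID is not issued to logons on member servers. Confirm no NT4 (or, for the 2003 level, Windows 2000) domain controllers remain before raising the level, because the change is one-way.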
 
Author Closing Comment by: PaperTiger (LVL 8), ID: 31502184
Thank you. I think this is probably why. I am going to try once I upgrade to Win 2000 native mode.