Solved

users in Domain Local group get "access denied" on shared folders

Posted on 2008-10-01
15
518 Views
Last Modified: 2013-12-05
I have a major problem. For some reason, I discovered that users in our Domain Local groups in a single domain got "access denied" when they tried to access folders on a member server that they should have full access to.


The sharing permission is set as: Everyone, Full Control
The file/folder permission for this Domain Local group is set as: Modify

This member server used to be a DC, but has recently been demoted to member server.
0
Question by:PaperTiger
15 Comments
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22619744
Are the users members of any group with an explicit Deny permission? If so, that permission overrides the Allow permission.

Check with the setspn command that the server has the correct SPNs set.
They should include HOST/<computername> and HOST/<computername>.<dns-suffix>
0
 
LVL 8

Author Comment

by:PaperTiger
ID: 22620085
No, there's no deny permission. If I add the users instead of the domain local group, everything works fine.
0
 
LVL 8

Author Comment

by:PaperTiger
ID: 22722122
Anybody?
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22722171
Did you check the ServicePrincipalName with setspn?
setspn -l servername
0
 
LVL 8

Author Comment

by:PaperTiger
ID: 22724931
What does setspn do?
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22725077
The command lists/modifies ServicePrincipalNames for users/computers.
http://technet.microsoft.com/en-us/library/cc773257.aspx

A possible reason for your problem is that the HOST/CIFS SPN doesn't match.
0
 
LVL 8

Author Comment

by:PaperTiger
ID: 22781035
Is it true that the "domain local" type of security group can only be used on a domain controller?
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22804799
No, you can use DL groups on any machine in the local domain.

Did you check the SPNs for the server?
0
 
LVL 8

Author Comment

by:PaperTiger
ID: 22812795
Here's what I got:

C:\Program Files\Resource Kit>setspn -L MyDomainController
Registered ServicePrincipalNames for CN=MyDomainController,OU=Domain Controllers,DC=mycompany,DC=com:
    GC/MyDomainController.mycompany.com/mycompany.com
    LDAP/0a137aac-daec-48d3-8579-da4fb177000e._msdcs.mycompany.com
    LDAP/MyDomainController.mycompany.com/OldNTServer
    LDAP/MyDomainController
    LDAP/MyDomainController.mycompany.com
    LDAP/MyDomainController.mycompany.com/mycompany.com
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/0a137aac-daec-48d3-8579-da4fb177000e/mycompany.com
    SMTPSVC/MyDomainController
    SMTPSVC/MyDomainController.mycompany.com
    HOST/MyDomainController.mycompany.com/WED01
    HOST/MyDomainController.mycompany.com/mycompany.com
    DNS/MyDomainController.mycompany.com
    NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/MyDomainController.mycompany.com

    HOST/MyDomainController
    HOST/MyDomainController.mycompany.com

C:\Program Files\Resource Kit>
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22815282
As you stated that the server has been demoted and isn't a DC anymore, remove all unnecessary SPNs with GC and LDAP:
setspn -D LDAP/<servername>.mycompany.com
Reset the host SPN: setspn -R <servername>
0
 
LVL 8

Author Comment

by:PaperTiger
ID: 22815504
Sorry, the above was run on my DC. Here's the result from the member server that was demoted from a DC:

C:\Program Files\Resource Kit>setspn -L MyMemberServer
Registered ServicePrincipalNames for CN=MyMemberServer,CN=Computers,DC=mycompany
,DC=com:
    SMTPSVC/MyMemberServer
    SMTPSVC/MyMemberServer.mycompany.com
    HOST/MyMemberServer.mycompany.com
    HOST/MyMemberServer
    HOST/MyMemberServer.mycompany.com
    HOST/MyMemberServer.mycompany.com/mycompany.com
    NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/MyMemberServer.mycompany.com
    DNS/MyMemberServer.mycompany.com

C:\Program Files\Resource Kit>
0
 
LVL 83

Accepted Solution

by:
oBdA earned 500 total points
ID: 24166471
Domain local groups can *only* be used on member servers if the domain functional level is at least Windows 2000 native; they can NOT be used in mixed mode or Server 2003 interim.
If this worked while the machine was still a DC, then I suspect that your domain is still running in mixed or interim mode.
If you don't have NT4 *DCs* anymore, you can safely upgrade to native.
If you don't have W2k *DCs* anymore, and don't plan to ever introduce any, you can upgrade to full W2k3 functional level.
Member servers are NOT affected by a change in the functional level.
Check here for details:
How to raise domain and forest functional levels in Windows Server 2003
http://support.microsoft.com/kb/322692
0
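A read-only PowerShell check for the two causes raised in this thread, the domain still being in mixed/interim mode (the accepted answer) and DC-only SPNs left on a demoted member server (Henrik's setspn advice). This is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module, and the server and group names are placeholders.

```powershell
# Added example, not from the thread. Reports only; it never changes AD.
# Assumes the RSAT ActiveDirectory module is installed on the admin workstation.
Import-Module ActiveDirectory

$server = 'MyMemberServer'   # placeholder: the demoted DC from the thread
$group  = 'FileShareUsers'   # placeholder: the domain local group on the ACL

# 1. Functional level. msDS-Behavior-Version 0 = Windows 2000, 1 = 2003 interim.
#    At level 0 the ntMixedDomain attribute (1 = mixed, 0 = native) decides
#    whether domain local groups are honoured on member servers at all.
$domain = Get-ADDomain
$head   = Get-ADObject -Identity $domain.DistinguishedName -Properties ntMixedDomain, 'msDS-Behavior-Version'
$level  = [int]$head.'msDS-Behavior-Version'
$mixedOrInterim = ($level -eq 0 -and [int]$head.ntMixedDomain -eq 1) -or $level -eq 1
"Domain mode: $($domain.DomainMode); mixed/interim: $mixedOrInterim"
if ($mixedOrInterim) {
    "Domain local groups are not usable on member servers until the level is raised to Windows 2000 native or higher."
}

# 2. Group scope, since only DomainLocal groups are affected by the mode above.
$g = Get-ADGroup -Identity $group -Properties GroupScope
"Group $group scope: $($g.GroupScope)"

# 3. SPNs on the demoted server. These service classes appeared only in the DC's
#    setspn -L output above; a member server should not carry them. DNS/ is a
#    warning only, because a member server may legitimately still run DNS.
$dcOnly = @('GC/', 'LDAP/', 'E3514235-4B06-11D1-AB04-00C04FC2DCD2/', 'NtFrs-')
$c = Get-ADComputer -Identity $server -Properties servicePrincipalName, primaryGroupID
$isDc = @(516, 521) -contains [int]$c.primaryGroupID   # 516 = Domain Controllers, 521 = RODCs
foreach ($spn in $c.servicePrincipalName) {
    if ($isDc) { continue }
    if ($dcOnly | Where-Object { $spn -like ($_ + '*') }) {
        "Stale DC SPN on member server: $spn  -> setspn -D $spn $server"
    } elseif ($spn -like 'DNS/*') {
        "Check: $spn is only valid if $server still runs the DNS service"
    }
}

# 4. Kerberos to the share needs both HOST/<name> and HOST/<fqdn>.
$fqdn = "$server.$($domain.DNSRoot)"
foreach ($h in @("HOST/$server", "HOST/$fqdn")) {
    if ($c.servicePrincipalName -notcontains $h) { "Missing $h  -> setspn -R $server" }
}
```

The script prints the matching setspn command for each finding instead of running it, so the output can be reviewed before any SPN is removed or reset.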
 
LVL 8

Author Closing Comment

by:PaperTiger
ID: 31502184
Thank you. I think this is probably why. I am going to try once I upgrade to Win 2000 native mode.
0
