Solved

users in Domain Local group get "access denied" on shared folders

Posted on 2008-10-01
15
546 Views
Last Modified: 2013-12-05
I have a major problem. For some reason, I discovered users in our Domain Local groups in a single domain got "access denied" when they tried to access folders on a member server that they should have full access to.


The sharing permission is set as: everyone, full control
the file/folder permission for this Domain Local group is set as: Modify

This member server used to be a DC, but has recently been demoted to member server.
0
15 Comments
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22619744
Are the users members of any group with an explicit Deny permission? If so, that permission overrides the allow permission.

Check with setspn command that the server has the correct SPNs set.
Should include HOST/<computername> and HOST/<computername>.<dns-suffix>
0
 
LVL 8

Author Comment

by:PaperTiger
ID: 22620085
No, there's no deny permission. If I add the users instead of the domain local group, everything works fine.
0
 
LVL 8

Author Comment

by:PaperTiger
ID: 22722122
anybody?
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22722171
Did you check the ServicePrincipalName with setspn?
setspn -l servername
0
 
LVL 8

Author Comment

by:PaperTiger
ID: 22724931
what does the setspn do?
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22725077
The command lists/modifies ServicePrincipalNames for users/computers
http://technet.microsoft.com/en-us/library/cc773257.aspx

A possible reason for your problem is that the HOST/CIFS SPN doesn't match.
0
 
LVL 8

Author Comment

by:PaperTiger
ID: 22781035
Is it true that the "domain local" type of security group can only be used on a domain controller?
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22804799
No, you can use DL groups on any machine in the local domain.

Did you check the SPNs for the server?
0
 
LVL 8

Author Comment

by:PaperTiger
ID: 22812795
Here's what I got:

C:\Program Files\Resource Kit>setspn -L MyDomainController
Registered ServicePrincipalNames for CN=MyDomainController,OU=Domain Controllers,DC=mycompany,DC=com:
    GC/MyDomainController.mycompany.com/mycompany.com
    LDAP/0a137aac-daec-48d3-8579-da4fb177000e._msdcs.mycompany.com
    LDAP/MyDomainController.mycompany.com/OldNTServer
    LDAP/MyDomainController
    LDAP/MyDomainController.mycompany.com
    LDAP/MyDomainController.mycompany.com/mycompany.com
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/0a137aac-daec-48d3-8579-da4fb177000e/mycompany.com
    SMTPSVC/MyDomainController
    SMTPSVC/MyDomainController.mycompany.com
    HOST/MyDomainController.mycompany.com/WED01
    HOST/MyDomainController.mycompany.com/mycompany.com
    DNS/MyDomainController.mycompany.com
    NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/MyDomainController.mycompany.com

    HOST/MyDomainController
    HOST/MyDomainController.mycompany.com

C:\Program Files\Resource Kit>
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22815282
As you stated that the server has been demoted and isn't a DC anymore, remove all unnecessary SPNs with GC and LDAP:
setspn -D LDAP/<servername>.mycompany.com
Reset host-SPN: setspn -R <servername>
0
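The SPN review Henrik describes, written out as a script. This is an added example, not code from the thread: it assumes the RSAT ActiveDirectory PowerShell module is available and that the account running it can read computer objects in the domain. $ComputerName reuses the thread's placeholder name; substitute your own. It lists the computer account's SPNs, checks that the two HOST SPNs are present, flags SPNs that belong only to domain controllers (GC, LDAP, the E3514235... replication GUID and NtFrs) when the account is not in the Domain Controllers OU, and reports any SPN that is registered on more than one account, since a duplicate SPN breaks Kerberos for every account holding it.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$ComputerName = 'MyMemberServer'   # placeholder from the thread; substitute your server

# SPN prefixes that only a domain controller should carry. A demoted server that
# still has them advertises services it no longer runs.
$DcOnlyPrefixes = @('GC/', 'LDAP/', 'E3514235-4B06-11D1-AB04-00C04FC2DCD2/', 'NtFrs-')

$computer = Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName, DistinguishedName
$isDc     = $computer.DistinguishedName -like '*OU=Domain Controllers,*'
$spns     = @($computer.servicePrincipalName)

Write-Host "Account: $($computer.DistinguishedName) (in Domain Controllers OU: $isDc)"
Write-Host "Registered SPNs:"
$spns | ForEach-Object { Write-Host "    $_" }

# Both HOST SPNs must exist for Kerberos authentication to the server to work.
$dnsRoot  = (Get-ADDomain).DNSRoot
$required = @("HOST/$ComputerName", "HOST/$ComputerName.$dnsRoot")
foreach ($r in $required) {
    if ($spns -notcontains $r) { Write-Warning "Missing required SPN: $r" }
}

# Stale DC-only SPNs on a server that is no longer a DC.
if (-not $isDc) {
    foreach ($s in $spns) {
        foreach ($p in $DcOnlyPrefixes) {
            if ($s.StartsWith($p, 'OrdinalIgnoreCase')) {
                Write-Warning "DC-only SPN on a non-DC account: $s"
            }
        }
    }
}

# Duplicate SPNs: the same SPN registered on another account.
# (SPN values normally contain no LDAP filter metacharacters, so no escaping is done here.)
foreach ($s in $spns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$s)" -Properties servicePrincipalName)
    if ($owners.Count -gt 1) {
        Write-Warning ("SPN {0} is registered on {1} accounts: {2}" -f $s, $owners.Count, ($owners.DistinguishedName -join '; '))
    }
}
```

The script only reports; removing a stale SPN is still the setspn -D call from Henrik's comment, and resetting the HOST SPNs is setspn -R, both run deliberately after reading the warnings rather than from a script.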
 
LVL 8

Author Comment

by:PaperTiger
ID: 22815504
Sorry, the above was run on my DC. Here's the result from the member server which was demoted from a DC:

C:\Program Files\Resource Kit>setspn -L MyMemberServer
Registered ServicePrincipalNames for CN=MyMemberServer,CN=Computers,DC=mycompany
,DC=com:
    SMTPSVC/MyMemberServer
    SMTPSVC/MyMemberServer.mycompany.com
    HOST/MyMemberServer.mycompany.com
    HOST/MyMemberServer
    HOST/MyMemberServer.mycompany.com
    HOST/MyMemberServer.mycompany.com/mycompany.com
    NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/MyMemberServer.mycompany.com
    DNS/MyMemberServer.mycompany.com

C:\Program Files\Resource Kit>
0
 
LVL 85

Accepted Solution

by:
oBdA earned 500 total points
ID: 24166471
Domain local groups can *only* be used on member servers if the domain functional level is at least Windows 2000 native; they can NOT be used in mixed mode or Server 2003 interim.
If this worked while the machine was still a DC, then I suspect that your domain is still running in mixed or interim mode.
If you don't have NT4 *DCs* anymore, you can safely upgrade to native.
If you don't have W2k *DCs* anymore, and don't plan to ever introduce any, you can upgrade to full W2k3 functional level.
Member servers are NOT affected by a change in the functional level.
Check here for details:
How to raise domain and forest functional levels in Windows Server 2003
http://support.microsoft.com/kb/322692
0
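A way to confirm the conditions in the accepted answer before raising the functional level. This is an added example, not code from the thread: it assumes the RSAT ActiveDirectory module, and $GroupName and $SharePath are hypothetical placeholders for the domain local group and the folder on the member server. Because the ADDomainMode value reported by Get-ADDomain does not distinguish Windows 2000 mixed from Windows 2000 native (both have msDS-Behavior-Version 0), the script reads the ntMixedDomain attribute on the domain object (1 = mixed or interim, 0 = native or higher). It then reports the group's scope and walks the folder's ACL, listing any Deny entry (Henrik's first question) and the entry granted to the group.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$GroupName = 'FileShareUsers'        # hypothetical domain local group
$SharePath = 'D:\Shares\Projects'    # hypothetical folder on the member server

# 1. Functional level. ntMixedDomain on the domain head separates 2000 mixed/2003 interim (1)
#    from 2000 native and later (0); msDS-Behavior-Version is the level itself (0 = 2000,
#    1 = 2003 interim, 2 = 2003, 3 = 2008, ...).
$domain   = Get-ADDomain
$head     = Get-ADObject -Identity $domain.DistinguishedName -Properties ntMixedDomain, 'msDS-Behavior-Version'
$behavior = [int]$head.'msDS-Behavior-Version'
$ntMixed  = [int]$head.ntMixedDomain

Write-Host ("Domain {0}: DomainMode={1}, msDS-Behavior-Version={2}, ntMixedDomain={3}" -f `
    $domain.DNSRoot, $domain.DomainMode, $behavior, $ntMixed)
if ($ntMixed -eq 1) {
    Write-Warning "Domain is in mixed or interim mode: domain local groups are not usable in ACLs on member servers."
} else {
    Write-Host "Domain is at Windows 2000 native or higher; domain local groups are usable on member servers."
}

# 2. Group scope: the problem in the thread only applies to DomainLocal groups.
$group = Get-ADGroup -Identity $GroupName -Properties GroupScope
Write-Host "Group $($group.Name) scope: $($group.GroupScope)"

# 3. Folder ACL: a Deny ACE anywhere in the list overrides an Allow for the group.
$acl          = Get-Acl -Path $SharePath
$groupAccount = "$($domain.NetBIOSName)\$($group.SamAccountName)"
$groupSeen    = $false
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Deny') {
        Write-Warning ("Deny ACE for {0}: {1}" -f $ace.IdentityReference, $ace.FileSystemRights)
    }
    if ($ace.IdentityReference.Value -eq $groupAccount) {
        $groupSeen = $true
        Write-Host ("{0} ACE for {1}: {2} (inherited: {3})" -f `
            $ace.AccessControlType, $groupAccount, $ace.FileSystemRights, $ace.IsInherited)
    }
}
if (-not $groupSeen) { Write-Warning "No ACE for $groupAccount on $SharePath" }
```

To see the effect from the server side, have an affected user log on to the member server and run whoami /groups: if the domain local group's SID is absent from the token while the ACL grants it Modify, the group is not being evaluated on that server, which is the symptom the accepted answer attributes to mixed or interim mode.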
 
LVL 8

Author Closing Comment

by:PaperTiger
ID: 31502184
Thank you. I think this is probably why. I am going to try once I upgrade to Win 2000 native mode.
0