Solved

Permissions have been granted to folder, but user gets deny message

Posted on 2008-10-07
11
293 Views
Last Modified: 2012-05-05
I have a user who was added to a global group, which is a member of a universal group which is in a DL group which is granted RW permissions to a folder. Only AD is involved so there is no conflict from NTFS or other system. When the user tries to save a file, he is denied. However, when I tested the user on another machine, it worked like it should. Any ideas of why permissions are not working right? user has rebooted after being added to AD group.
0
Comment
Question by:geriatricgeek
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 3
11 Comments
 
LVL 32

Expert Comment

by:Daniel Wilson
ID: 22662579
>>Only AD is involved so there is no conflict from NTFS or other system

NTFS would also use the AD group structure for its permissions.  You need to verify both the share-level and the file level permissions..
0
 
LVL 1

Author Comment

by:geriatricgeek
ID: 22662606
There is no NTFS involved. There are other folders on the same level and the user can get into those as permissions permit. The permissions are not inherited.
0
 
LVL 16

Expert Comment

by:robrandon
ID: 22662618
Perhaps after the reboot, when the user logged on, the computer logged in with cached credentials because it didn't finish booting.

Have the user log out of the first computer (not reboot, just log out), and then logon again and test.

0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 32

Expert Comment

by:Daniel Wilson
ID: 22662686
>>There is no NTFS involved.

So what file system are you using?  Fat32?
0
 
LVL 1

Author Comment

by:geriatricgeek
ID: 22662716
NTFS. i guess what i'm trying to say is that only AD is involved in the permission structure. There would not be permissions or rights from novell or anything like that. I guess i made it more confusing adding that.
0
 
LVL 32

Accepted Solution

by:
Daniel Wilson earned 500 total points
ID: 22662829
OK, sorry I misunderstood.  I thought by NTFS you meant NT File System.  I never got into Novell enough to know there acronyms.

Both share permissions and file system permissions are important, however.

Have you checked both?



permissions.GIF
0
 
LVL 1

Author Comment

by:geriatricgeek
ID: 22662954
The share is one level up. I have spent hours on the security tab with the permissions. I have gone through group structure until I got blue in the face. I just tried another user to see if he could get into the folder to create a new folder and he could. the first user tried the same thing, and got permission denied. They are users who are members of the same global group, and then the universal groups and domain local goups would be the same via membership in the global group. what I can't figure out is why it will work for one and not the other. I have been beating at the same folder permissions for hours. and like I said, it is through the same groups. I'm frustrated with it because the only variable that should have happened is adding the user to the global group that other users have been fine with getting into.
0
 
LVL 16

Expert Comment

by:robrandon
ID: 22663020
Make sure the user with the problem isn't in a group or  that has the DENY permission set as that will take precedence.  Also make sure that user is explicitly defined with DENY.

Didn't you earlier say it was working for that user from a different computer?

If that is the case, it isn't the permissions on the server.  It has to do with the credentials passed to the user.  Did you try having them log off and back on again, without rebooting?
0
 
LVL 16

Expert Comment

by:robrandon
ID: 22663026
"Also make sure that user is explicitly defined with DENY"

should read:

"Also make sure that user is NOT explicitly defined with DENY"
0
 
LVL 1

Author Comment

by:geriatricgeek
ID: 22663324
I checked for deny permissions. there weren't any. they aren't used here, but I did make sure. I tested the user on 2 different pc's. one worked and 2 did not. same network segment, same domain, same location, et al. I did get the idea of looking at the profile. of course the computer that the permissions did work on does not have the power of the software to swap.
0
 
LVL 1

Author Closing Comment

by:geriatricgeek
ID: 31503962
got er working.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

632 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question