Windows 2003 File Share Issue

Posted on 2010-01-13
Medium Priority
Last Modified: 2012-05-08

I have an issue with a domain controller and a file share.

Currently the setup is as follows.

D:\Shares\Test Share

Is shared and has Everyone set to Full Access

This can be accessed and works fine when a user is added to the file permissions for read / write etc.

However when doing the following access is denied.

Remove UserA from the file permissions
Create a Group.
Add UserA to the group.
Add The Group for full access to the file permissions on the shared folder.

The user cannot access the file share.

However, when I do the exact same actions on the 2nd domain controller on the domain it works perfectly fine.
This will of course happen for all users / machines on the network for all file shares on the first server and not for any on the 2nd server.
I have compared the directories above the file share, and between the 2 computers I am not able to spot any difference in any permissions.
I have also compared the group policy settings between the 2 domain controllers and all appear to be exactly the same. They also exist in the same OU.

Can anyone shed some light on why the file share can be accessed when they are added to the folder permissions, but cannot when they are a member of a group which is added to the file permissions in exactly the same way?

PS. This is a hard one. It's had me stumped for months.

Question by:Mistralol

Expert Comment

ID: 26304092
Is the group you made through Active Directory?


Author Comment

ID: 26304114

Of course. It fails with both Universal and Global groups.


Accepted Solution

Red-King earned 2000 total points
ID: 26304687
Hi Mistralol,

Just to be sure we're on the same page, there are 2 sets of permissions.
The first is the Share permissions. Share permissions are only broken down into Full Access, Read and Write.
The second is the NTFS permissions. NTFS permissions are broken down into many more categories e.g. Full Access, Modify, Read & Execute, List Folder Contents etc.

From what I've understood, you have a file share with Share permissions of Full Access for the Everyone group (which is the standard thing to do). You've then edited the NTFS permissions to give UserA read/write permissions. This works.

You then remove UserA from the NTFS permissions and add them to GroupA. When you give GroupA the same read/write NTFS permissions as you had given UserA, UserA cannot access the file share.

What is the error message that Windows pops up? Is it a permission denied error?

First thing to try is to add UserA to the NTFS permissions with read/write access. This should work.
Now open the folder properties and click the security tab for the NTFS permissions. Once on this page click the Advanced button down the bottom which will bring up a new dialog box. Click the rightmost tab, "Effective Permissions". Click the Select button and locate UserA, hit OK. Take a note, or screen shot of the listed permissions.

Secondly, Remove UserA from the NTFS permissions. Add the user to GroupA and add GroupA to the NTFS permissions as you would normally.
Again go to the advanced page and the Effective Permissions tab. Locate UserA and take a note or screenshot of the permissions. Also locate GroupA and note/screenshot the permissions.

You should now have three lists of permissions:
UserA added directly
UserA added through GroupA
GroupA added directly

Compare them for differences to see where the difference in permissions is being applied.

The next step is to check what group policies are being applied. You'll do this when the user is added to the group and when they are not in the group.

At the AD Users and Computers snap-in remove UserA from GroupA
Log on to a computer using UserA's credentials.
Open a command prompt and type in the command gpresult
Take a copy of the output.
Shut down the PC

Add UserA to GroupA
Log on to the same computer using UserA's credentials
Open a command prompt and type in the command gpresult
Take a copy of the output.

You should now have two outputs from the gpresult command (gpresult needs some switches after the command in versions of Windows after XP).
Compare the 2 and see if there are any different group policies applied on the 2 occasions.
If there are extra policies applied on the second gpresult output then examine these extra policies for settings that might be affecting the group permissions.

Another avenue of investigation is to log into both file servers and run a gpresult on both of them to see if there are different computer policies being applied to the servers.

Let us know how you get on with that.
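
The gpresult comparison described in this answer can be done mechanically. The following is an added example, not part of the original answer: it diffs the applied GPOs and the security-group list from two saved gpresult outputs. The sample text is constructed, the heading/dashed-rule layout is assumed to match what gpresult prints, and the GPO name "GroupA Lockdown" is made up.

```python
import re

# Sections worth diffing; headings assumed to match gpresult's wording.
WANTED = ("Applied Group Policy Objects",
          "The user is a part of the following security groups")

# Constructed sample: UserA before being added to GroupA.
BEFORE = """\
USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        Authenticated Users
"""
# Constructed sample: same user after being added to GroupA and logging on again.
AFTER = BEFORE.replace(
    "        Default Domain Policy\n",
    "        Default Domain Policy\n        GroupA Lockdown\n",
).replace("        Everyone\n", "        Everyone\n        GroupA\n")

def parse_sections(text):
    """Map (scope, heading) -> set of entries for each WANTED section."""
    sections, scope, current, prev = {}, "", None, ""
    for line in text.splitlines():
        stripped = line.strip()
        if re.fullmatch(r"-{3,}", stripped):
            if current is not None:
                current.discard(prev)        # prev was a heading, not an entry
            if not line[0].isspace():
                scope, current = prev, None  # unindented rule: e.g. USER SETTINGS
            elif prev in WANTED:
                current = sections.setdefault((scope, prev), set())
            else:
                current = None
        elif not stripped:
            current = None                   # blank line ends a section
        elif current is not None:
            current.add(stripped)
        prev = stripped
    return sections

def diff_gpresult(before, after):
    """Return {(scope, heading): (only_before, only_after)} where they differ."""
    a, b = parse_sections(before), parse_sections(after)
    out = {}
    for key in sorted(set(a) | set(b)):
        gone, new = a.get(key, set()) - b.get(key, set()), b.get(key, set()) - a.get(key, set())
        if gone or new:
            out[key] = (sorted(gone), sorted(new))
    return out
```

If the group is absent from the second output's security-group list, the membership change has not reached the session that produced it, which narrows the search before any GPO setting is examined.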

Expert Comment

ID: 26311091
Is your Infrastructure Master a GC? Group lookups can fail like this if the Infrastructure Master FSMO holder is made a global catalog server unless all the other domain controllers are also GCs.


Question has a verified solution.
