Windows 2003 File Share Issue

I have an issue with a domain controller and a file share.

Currently the setup is as follows.

D:\Shares\Test Share

Is shared and has Everyone set to Full Access

This can be accessed and works fine when a user is added to the file permissions for read / write etc.

However when doing the following access is denied.

Remove UserA from the file permissions
Create a Group.
Add UserA to the group.
Add The Group for full access to the file permissions on the shared folder.

The user cannot access the file share.

However when I do the exact same actions on the 2nd domain controller on the domain it works perfectly fine.
This will of course happen for all users / machines on the network for all file shares on the first server and not for any on the 2nd server.
I have compared the directories above the file share and between the 2 computers I am not able to spot any difference in any permissions.
I have also compared the group policy settings between the 2 domain controllers and all appear to be exactly the same. They also exist in the same OU.

Can anyone shed some light on why the file share can be accessed when they are added to the folder permissions, but cannot when they are a member of a group which is added to the file permissions in exactly the same way?

PS. This is a hard one. It's had me stumped for months.


Is the group you made through Active Directory?

Mistralol (Author) Commented:

Of course. It fails with both Universal and Global groups.

Red-King (IT Manager) Commented:
Hi Mistralol,

Just to be sure we're on the same page, there are 2 sets of permissions.
The first is the Share permissions. Share permissions are only broken down into Full Access, Read and Write.
The second is the NTFS permissions. NTFS permissions are broken down into many more categories e.g. Full Access, Modify, Read & Execute, List Folder Contents etc.

From what I've understood, you have a file share with Share permissions of Full Access for the Everyone group (which is the standard thing to do). You've then edited the NTFS permissions to give UserA read/write permissions. This works.

You then remove UserA from the NTFS permissions and add them to GroupA. When you give GroupA the same read/write NTFS permissions as you had given UserA, UserA cannot access the file share.

What is the error message that Windows pops up? Is it a permission denied error?

First thing to try is to add UserA to the NTFS permissions with read/write access. This should work.
Now open the folder properties and click the security tab for the NTFS permissions. Once on this page click the Advanced button down the bottom which will bring up a new dialog box. Click the rightmost tab, "Effective Permissions". Click the Select button and locate UserA, hit OK. Take a note, or screen shot of the listed permissions.

Secondly, Remove UserA from the NTFS permissions. Add the user to GroupA and add GroupA to the NTFS permissions as you would normally.
Again go to the advanced page and the Effective Permissions tab. Locate UserA and take a note or screenshot of the permissions. Also locate GroupA and note/screenshot the permissions.

You should now have three lists of permissions;
UserA added directly
UserA added through GroupA
GroupA added directly

Compare them for differences to see where the difference in permissions is being applied.

The next step is to check what group policies are being applied. You'll do this when the user is added to the group and when they are not in the group.

At the AD Users and Computers snap-in remove UserA from GroupA
Log on to a computer using UserA's credentials.
Open a command prompt and type in the command gpresult
Take a copy of the output.
Shut down the PC

Add UserA to GroupA
Log on to the same computer using UserA's credentials
Open a command prompt and type in the command gpresult
Take a copy of the output.

You should now have two outputs from the gpresult command (gpresult needs some switches after the command in versions of Windows after XP).
Compare the 2 and see if there are any different group policies applied on the 2 occasions.
If there are extra policies applied on the second gpresult output then examine these extra policies for settings that might be affecting the group permissions.

Another avenue of investigation is to log into both file servers and run a gpresult on both of them to see if there are different computer policies being applied to the servers.

Let us know how you get on with that.
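
Added example, not part of the original thread: a scripted version of the Effective Permissions comparison above. It assumes an elevated Windows PowerShell session on the file server; the function name `Compare-TokenToAcl` and the UPN `UserA@example.test` are constructed placeholders, and the path is the one from the question.

```powershell
# Added example. Run from an elevated prompt on the file server.
# $Upn is a constructed placeholder; $Path is the folder named in the question.
function Compare-TokenToAcl {
    param(
        [string]$Upn  = 'UserA@example.test',
        [string]$Path = 'D:\Shares\Test Share'
    )

    # Ask Windows to build a token for the user (Kerberos S4U, no password
    # needed). The group SIDs in it are resolved at call time.
    $identity  = New-Object System.Security.Principal.WindowsIdentity -ArgumentList $Upn
    $tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    # Read the NTFS ACEs (explicit and inherited) as SIDs, so the match
    # does not depend on name resolution.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $aces    = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)

    foreach ($ace in $aces) {
        $sid = $ace.IdentityReference.Value
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }   # unresolved SID: show it raw

        # One row per ACE; InToken says whether the trustee's SID is in the token.
        New-Object PSObject -Property @{
            Trustee   = $name
            Type      = $ace.AccessControlType
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            InToken   = ($tokenSids -contains $sid)
        }
    }
}

Compare-TokenToAcl | Format-Table Trustee, Type, Rights, Inherited, InToken -AutoSize
```

An Allow entry for the group that shows `InToken` as False means the membership never reached the user's token, so the place to look is group resolution rather than the NTFS ACL.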

Is your Infrastructure Master a GC?  Group lookups can fail like this if the Infrastructure Master FSMO holder is made a global catalog server unless all the other domain controllers are also GCs.
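
Added example, not part of the original thread: one way to check the condition described in the answer above, using the .NET `System.DirectoryServices.ActiveDirectory` classes from Windows PowerShell on a domain-joined machine. The function name `Test-InfrastructureMasterPlacement` is hypothetical, and the check is limited to the domain controllers of the current domain.

```powershell
# Added example. Reports whether the Infrastructure Master is a global catalog
# while at least one other domain controller in the current domain is not.
Add-Type -AssemblyName System.DirectoryServices

function Test-InfrastructureMasterPlacement {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $im     = $domain.InfrastructureRoleOwner

    # GC status of every domain controller; $null if a DC cannot be queried.
    $dcs = foreach ($dc in $domain.DomainControllers) {
        try   { $isGc = $dc.IsGlobalCatalog() }
        catch { $isGc = $null }
        New-Object PSObject -Property @{ Name = $dc.Name; IsGC = $isGc }
    }

    $imIsGc  = [bool](($dcs | Where-Object { $_.Name -eq $im.Name }).IsGC)
    $nonGc   = @($dcs | Where-Object { $_.IsGC -eq $false } | ForEach-Object { $_.Name })
    $unknown = @($dcs | Where-Object { $null -eq $_.IsGC } | ForEach-Object { $_.Name })

    New-Object PSObject -Property @{
        InfrastructureMaster     = $im.Name
        InfrastructureMasterIsGC = $imIsGc
        NonGCDomainControllers   = $nonGc
        UnreachableControllers   = $unknown
        # True only for the combination the answer warns about.
        MatchesDescribedProblem  = ($imIsGc -and $nonGc.Count -gt 0)
    }
}

Test-InfrastructureMasterPlacement | Format-List
```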