Users cannot access Network folder when part of a group with access, but can when they have individual access

We are currently experiencing issues with access permissions to a shared folder.

We have had an organisational restructure which required a restructure of the departmental groups. Since doing this, the main department that was subject to the restructure cannot access their shared folder.

Previously, they were part of a Distribution Group that has permissions access. They were in this group at the first level. As part of the restructure, they are now in Sub Groups which belong to this group.

Since doing this, they have been unable to access their departmental network folder. The permissions have not changed on the group, just the way that the group is structured.

I have tried adding the individual sub groups in with the same permissions in place of the original group, this has not worked.

I have tried creating a brand new security group, trying first with the groups in there & then the individuals in that group, but again, this has not worked.

If I add the users individually, then they are able to access their folder again. However, as this is messy, I would rather this wasn't the long term solution.

I am assuming there is some kind of replication issue. I've attempted to force a gpupdate across all relevant devices & also a Force Replication sync from NTDS settings on the servers, but to no avail.

Help with this matter would be appreciated.
melinhomes Asked:

wolfje_xp Commented:
First of all, distribution group != security group ...
I would check all the rights of the groups again ... Especially when you override some settings, or when you use 'deny', strange things start to happen.
0
George Sas, IT Engineer, Commented:
First you say "Distribution Group" then you say "Security Group"... which one is it?
After you add/remove the users from the SECURITY groups, tell the users to log off / log on on the machine and test again?

Also check the NTFS permissions on the shared folders.
0
melinhomes, Author, Commented:
The original setup were distribution groups, which were also being used as security groups on the folder permissions.

As an attempt to resolve the issue, I set up a brand new security group that was not a distribution group. I then added the users to that group & attempted it that way.

Does that make sense?
0
melinhomes, Author, Commented:
Have checked the rights. I cannot see any explicit denys in the permissions.

Have also had users log on & off several times, to no avail.
0
George Sas, IT Engineer, Commented:
Yes, that makes sense, the security group I mean.
After you play with the groups did you ask the client to log-off and log-on again and then try to access the resources?

Also check the NTFS permissions on the files and grant NTFS permissions to the new groups beside the share permissions.
0
wolfje_xp Commented:
Have you also checked permissions on higher-level folders? Deny has priority above allow ...
0
melinhomes, Author, Commented:
Am not sure it's a Deny issue for two reasons

1) The new groups I've tried have not been set up anywhere else for deny.
2) If adding the users in individually, they can access the folder.

I have also attempted to log off.

When modifying permissions for Group access, after log off/on - Access is still not possible
When modifying permissions for individual users, after log off/on - Access is possible again.

0
PietMuis Commented:
Have you logged the user off and on again, after creating the group/giving permissions?
0
George Sas, IT Engineer, Commented:
What is the type of group that you are creating? Global, Domain, Local, Universal?
What type of security groups are the groups you are trying to add to the new security group?
Are both groups Security groups?
0
PietMuis Commented:
Do you have more than one Domain Controller?  Might be that you are making changes to the group on one DC and the machine is accessing the GAL on another?
0
melinhomes, Author, Commented:
Geo - The new Group is a Universal Security Group.

I have tried adding the following separately to it:
Users
Distribution Group - Global
Security Group - Universal

If I add these to the Group & the Group to the Folder, access is not forthcoming.

If I attempt to add the Original Security Group, Access is not forthcoming.
If I attempt to add the Distribution Group, Access is not forthcoming.

If I add the User, then access occurs instantly after a log out & back in.
0
melinhomes, Author, Commented:
PietMuis - That is possible.

However, I have attempted to force replication between the servers. Worth doing again?
0
wolfje_xp Commented:
Are there any replication errors in event log?
0
George Sas, IT Engineer, Commented:
Ok, please make sure Both groups are Security Global groups.
Group A - Global
Group B - Global

Group B has as members all the users you want.
Group A has as a member Group B.

On the file server go to the folder you are sharing and add Group A on the share permissions.
Then go to the SECURITY tab of the folder, Edit and ADD the Group A with Full Permissions on the folder.

Then try and see.

Possible to post a screenshot of the permissions on the folder or you can use a command line like:
CACLS to show us the permissions on the NTFS level.

I have a hunch that this is some NTFS security on the folder that has not been removed or replaced.
0
melinhomes, Author, Commented:
Doing a CACLS gives the following results (with minor changes to protect staff usernames)

E:\departments\<<group>> BUILTIN\Administrators:F
                       DOMAIN\User1:(OI)(CI)F
                       DOMAIN\User2:(OI)(CI)F
                       DOMAIN\User3:(OI)(CI)F
                       DOMAIN\User4:(OI)(CI)F
                       DOMAIN\User5:(OI)(CI)F
                       DOMAIN\User6:(OI)(CI)F
                       DOMAIN\User7:(OI)(CI)F
                       DOMAIN\User8:(OI)(CI)F
                       DOMAIN\<<Group>> RW Access:(OI)(CI)F
                       DOMAIN\User9:(OI)(CI)F
                       DOMAIN\User10:(OI)(CI)F
                       DOMAIN\User11:(OI)(CI)F
                       DOMAIN\<<diff department>> RW Access:(OI)(CI)R
                       DOMAIN\User12:(OI)(CI)F
                       DOMAIN\User13:(OI)(CI)F
                       DOMAIN\User14:(OI)(CI)F
                       DOMAIN\User15:(OI)(CI)F
                       DOMAIN\User16:(OI)(CI)F
                       DOMAIN\zIT Team:(OI)(CI)F
                       DOMAIN\<<admin>>:(OI)(CI)F
                       BUILTIN\Administrators:(OI)(CI)F
                       NT AUTHORITY\SYSTEM:(OI)(CI)F
                       CREATOR OWNER:(OI)(CI)(IO)F
                       BUILTIN\Users:(OI)(CI)R
                       BUILTIN\Users:(CI)(special access:)
                                         FILE_APPEND_DATA

                       BUILTIN\Users:(CI)(special access:)
                                         FILE_WRITE_DATA
0
George Sas, IT Engineer, Commented:
Well, as I can see from the CACLS result you added NTFS permissions individually for each user.
Try to do it as I asked.

And then your CACLS result should look something like:
E:\departments\<<group>> BUILTIN\Administrators:F
                       DOMAIN\<<Group>> RW Access:(OI)(CI)F
                       DOMAIN\Group A:(OI)(CI)(F)        
                       DOMAIN\<<diff department>> RW Access:(OI)(CI)R
                       DOMAIN\zIT Team:(OI)(CI)F
                       DOMAIN\<<admin>>:(OI)(CI)F
                       BUILTIN\Administrators:(OI)(CI)F
                       NT AUTHORITY\SYSTEM:(OI)(CI)F
                       CREATOR OWNER:(OI)(CI)(IO)F
                       BUILTIN\Users:(OI)(CI)R
                       BUILTIN\Users:(CI)(special access:)
                       FILE_APPEND_DATA

                       BUILTIN\Users:(CI)(special access:)
                                         FILE_WRITE_DATA

Then add the same "Domain\Group A" to the share permissions.
It's impossible not to work unless you have some kind of replication problem between DC's or the client machine does not refresh the group membership information.

Try to access the resource from another client computer also.
0
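
The checks suggested across this thread (group type and scope, nesting, replication between domain controllers, NTFS permissions, a refreshed logon token) collected into one PowerShell script. This is an added example, not code posted by any participant; it assumes the ActiveDirectory (RSAT) module is installed, and the folder path, group name and user name are placeholders.

```powershell
# Added example; every name below is a placeholder, not a value from the thread.
Import-Module ActiveDirectory

$Folder   = 'E:\departments\ExampleDept'   # placeholder folder on the file server
$AclGroup = 'Group A'                      # group named on the share and NTFS ACL
$User     = 'User1'                        # sAMAccountName of an affected user

# 1. Type and scope of the ACL group and of each group nested directly in it.
#    Only Security groups contribute a SID to a logon token; a Distribution
#    group named in an ACE is never matched.
$nested = Get-ADGroupMember -Identity $AclGroup |
    Where-Object { $_.objectClass -eq 'group' } |
    ForEach-Object { Get-ADGroup -Identity $_.distinguishedName }
$groups = @(Get-ADGroup -Identity $AclGroup) + @($nested)
$groups | Select-Object Name, GroupCategory, GroupScope | Format-Table -AutoSize

# 2. Does the directory resolve the user through the nesting?
$members  = Get-ADGroupMember -Identity $AclGroup -Recursive
$isMember = @($members.SamAccountName) -contains $User
"{0} is a transitive member of '{1}': {2}" -f $User, $AclGroup, $isMember

# 3. Does every domain controller hold the same direct member list?
#    Differing counts point at the replication problem raised in the thread.
foreach ($dc in Get-ADDomainController -Filter *) {
    $g = Get-ADGroup -Identity $AclGroup -Server $dc.HostName -Properties member
    "{0}: {1} direct members" -f $dc.HostName, @($g.member).Count
}

# 4. NTFS entries on the folder: the group should appear with Allow,
#    and no Deny entry should apply to the same users.
(Get-Acl -Path $Folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 5. Run this line in the affected user's own session after a fresh logon:
#    group SIDs are fixed in the token at logon, so an old session will not
#    show a membership added since.
whoami /groups | Select-String -SimpleMatch $AclGroup
```

Steps 1 to 3 need only read access to the directory; step 4 runs on the file server and step 5 on the client.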

melinhomes, Author, Commented:
Yea. Sorry Geo, just showed you the results from before I'd modified anything. Am currently working on the rest right now.
0