• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1115
  • Last Modified:

Access Denied to Share but,,,

Both our Network Admin and Network Engineer are stumped.

User receives "Access is Denied" to their home directory mapped through DFS but can access the share directly. Problem occurs only on SOME machines. They could log into the PC next to them in the lab and have it work fine. In testing we have also seen it happen the other way around. User's home directory works fine through DFS but cannot access the share directly. A different user on the same PC works fine. Issue happens against two different file servers in two different locations against different DC's in the same domain. DNS is shared across the whole domain. Only seen it happen on Win7 cleints.

Have tried deleting the profile for that user on problem PC and logging in again, no joy.
Creating another share to the same folder and it works fine from problem PC but standard share still fails.
Reimaging machine works but seems a bit overkill.
Initially we though it may have been an issue with DFS but we couldn't find anything and then we were able to duplicate the issue the other way around where DFS was not the problem connection but the direct share on the server was.

Background info:
Location 1:
VMWare 4.1 in the Dstacenter running 2K8R2 DC's and 2K8R2 File server
All Win7Ent clients or Thinclients using RDP to 2K8R2 Terminal Servers in the cloud

Location 2:
VMWare 4.1 in the Datacenter running 2K8R2 DC and 2K8R2 File server
All Win7Ent clients, Thinclients using RDP to 2K8R2 Terminal Servers or Panologic's running Win7Ent in the cloud.
  • 2
1 Solution
Stumped is one way to say it.....

Ill take a stab to see if I can help come up with anything.....

This is my standard comment for permissions, in this case I would like to see if you can pinpoint the EXACT point of the permissions failure....

Process Monitor

Save this to the root of C as an Admin, and login the problem user. Do a RunAs with your Admin Credentials to launch it, and then set the the filter at the top to Include "Result" is "Access Denied" then "Include", and then try and recreate the errors by launching the app. Then go look at the logging, and it will tell you where the permissions are restrictive. Once you open those up, keep retrying until you get the desired results....

And are these 32/64bit systems?
SMB version 2:

I think windows 7 is coming with SMB v 2 installed which has limited numbers of sessions available to the Server Message Block Session on port 445. You might check what SMB version you are using. Since ONLY Win7 computers are effected and at irregular times, this seems to be the issue.


Furthermore, SMBv2 ONLY allows for 20 simultaneous connections. SMBv1 allows 5 simultaneous connections, if I remember right.....

Also, This may be related to a domain master browser issue. Netbios is a means to map to a DFS share within the local broadcast domain. If a WIN7 client competes with the role of domain master browser with the server, it can confuse the browser service and you can get an error that says you may not have permissions or the share can't be reached.

Since your issue is basically W7 computers, and not the entire broadcast domain, I don't believe this is your error. To make sure, go to the PDCe's event logs and look for errors in the 8000's that elude to a master browser conflict. Usually they are 8021 and 8032 event log errors in the system logs.
Netbios is the means that you communicate with the share. Lots of things can cause problems with netbios. We will troubleshoot later after you look at the SMB versions.
TCP/IP is the routing protocol of choice for novell, Microsoft and almost all routing protocols. IPv6 is used where there is a dire need for more public IP addresses. But, it's not normally used on small LANS. UNLESS your router and DNS server support IPv6, (an you have to make manual edits for this support), You are not running IPv6 on the network. SO, disable it on all nics of the network.

Typically large enterprise and government use IPv6. It's a virtual tunneling protocols and unless supported some operating systems have intermittent communications with the network. Disabling IPv6 will probably not solve this problem, but improve LAN performance.
mlamsonAuthor Commented:
Rebuilt my file server and it fixed the problem. Still don't know why the issue started in the first place.
mlamsonAuthor Commented:
The best solution we could find.

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now