Windows server folder permissions; to reboot or not to reboot!

Posted on 2012-09-11
Last Modified: 2012-09-16
Hey All,

I'm hoping someone can provide some technical backgroud to Windows erver file permissions; specifically when a reboot is necessary for the client vs when its not and why.

So, pretend i've got a windows 2008 file server and windows 7 clients.

       Scenario 1:
      -I create new folder share "Share1" on FS1 (file server1)
      -I give the user modify access by account the users account directly to the folder.
      -They type \\fs1\share1 and they can get there without a reboot

       Scenario 2
      -I create new folder share "Share1" on FS1 (file server1)
      -I create a global security group called "fs1 - Share1" and add the user to this group
      -I give the global secutiy group I created modify access to the folder "Share1" .
      -They type \\fs1\share1 and they CAN'T get there without a reboot

       Scenario 3 & 4
      - Every statement is the same except that instead of a share, its just a subfolder    under a share that everyone only has
(List       Folder/Read)
(Read Extended Attributes)
(Read Attributes)
(Read Permissions)
NTFS rights to the top level only. Subfolders need explicit rights to view and modify, etc. But the behavior is duplicated wehn adding user directly to folder vs adding the user to a group then adding the group to a folder.

If anyone can explain the technical details of when a reboot is necessary vs when its not or point me to some cool articles, I would appreciate it very much. I can create and manage a file server, but i'd like to be able to understand the nitty gritty, ya know?  :)  

thanks erveryone!
Question by:-JT
    LVL 57

    Accepted Solution

    Reboot is not necessary (although that works too) but the user will need to log off and log back off when you use a group on the ACL.  The user needs to update his/her token and that happens at logon.

    You can see what groups the user is a member of whoami /groups

    So you add user to the group make sure it has replicated have them log off and back on and they should have access.

    The reason it is not needed when you add them directly is because the token doesn't have to be updated.

    ...FYI I know some folks will tell the users to reboot just to make sure replication has happened.



    Author Comment

    OK, thanks for verifying that groups vs direct addition is different. I wasn't entirely sure. :)  
    I do tend to tell users just to reboot to make sure they really do it as opposed to just locking and unlocking their PC. :P
    Do tokens not play any part in certain situation where a user is accessing a resource? Now that you've confirmed for me the difference exists, i'd like to find out the exact process of why. do you happen to know?

    thanks for the reply btw!

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Want to promote your upcoming event?

    Are you going to an event? Are you going to be exhibiting at a tradeshow? Talking at a conference? Using a promotional banner in your email signature ensures that your organization’s most important contacts stay in the know and can potentially spread the word about the event.

    One of the features I've come to appreciate about Windows 7 and Windows Server 2008 R2 is the ability to pin applications to the task bar. As useful a feature as I've found this, it does have some quirks.  For example, have you ever tried pinning an…
    New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
    This Micro Tutorial will go in depth within Systems and Security in Windows 7 and will go into detail regarding Action Center, Windows Firewall, System, etc. This will be demonstrated using Windows 7 operating system.
    The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.

    737 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    18 Experts available now in Live!

    Get 1:1 Help Now