Windows server folder permissions; to reboot or not to reboot!

Hey All,

I'm hoping someone can provide some technical backgroud to Windows erver file permissions; specifically when a reboot is necessary for the client vs when its not and why.

So, pretend i've got a windows 2008 file server and windows 7 clients.

       Scenario 1:
      -I create new folder share "Share1" on FS1 (file server1)
      -I give the user modify access by account the users account directly to the folder.
      -They type \\fs1\share1 and they can get there without a reboot

       Scenario 2
      -I create new folder share "Share1" on FS1 (file server1)
      -I create a global security group called "fs1 - Share1" and add the user to this group
      -I give the global secutiy group I created modify access to the folder "Share1" .
      -They type \\fs1\share1 and they CAN'T get there without a reboot

       Scenario 3 & 4
      - Every statement is the same except that instead of a share, its just a subfolder    under a share that everyone only has
(List       Folder/Read)
(Read Extended Attributes)
(Read Attributes)
(Read Permissions)
NTFS rights to the top level only. Subfolders need explicit rights to view and modify, etc. But the behavior is duplicated wehn adding user directly to folder vs adding the user to a group then adding the group to a folder.

If anyone can explain the technical details of when a reboot is necessary vs when its not or point me to some cool articles, I would appreciate it very much. I can create and manage a file server, but i'd like to be able to understand the nitty gritty, ya know?  :)  

thanks erveryone!
Who is Participating?
Mike KlineCommented:
Reboot is not necessary (although that works too) but the user will need to log off and log back off when you use a group on the ACL.  The user needs to update his/her token and that happens at logon.

You can see what groups the user is a member of whoami /groups

So you add user to the group make sure it has replicated have them log off and back on and they should have access.

The reason it is not needed when you add them directly is because the token doesn't have to be updated.

...FYI I know some folks will tell the users to reboot just to make sure replication has happened.


-JTAuthor Commented:
OK, thanks for verifying that groups vs direct addition is different. I wasn't entirely sure. :)  
I do tend to tell users just to reboot to make sure they really do it as opposed to just locking and unlocking their PC. :P
Do tokens not play any part in certain situation where a user is accessing a resource? Now that you've confirmed for me the difference exists, i'd like to find out the exact process of why. do you happen to know?

thanks for the reply btw!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.