Solved

Apply changes to Active Dirctory

Posted on 2012-12-21
11
208 Views
Last Modified: 2012-12-31
I have a Windows 2008 r2 server.  We also have 2 terminal servers.  I did changes to file permissions and had the user log off the network and then log back in.  

He tells me if he access's the folder in question from his local desktop, he still cant access the folder.  BUT if he logs on the the terminal server, he CAN access the folder.

What did I do wrong OR how do I force it to apply so he can also access the network folder from his local desktop.
0
Comment
Question by:bankwest
11 Comments
 

Author Comment

by:bankwest
Comment Utility
Forgot to mention.   To give this user the permissions he needs, I added him to a group in Active Directory Users and Computers
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 167 total points
Comment Utility
use the effective permissions option to determine actual permissions - see http://technet.microsoft.com/en-us/library/cc756795(v=ws.10).aspx

also check both the SHARE and NTFS permissions
0
 
LVL 13

Expert Comment

by:upalakshitha
Comment Utility
I think you have modified shared folder share permission to user. that is the reason he cannot access it from network.
when he access specified folder from TS session,I think he does it by opening local drives of server. so he does not need share permission for that.
if you have modify  NTFS permission incorrectly, TS session also cannot access folder
so you need to modify shared folder share permission i think
0
 
LVL 25

Expert Comment

by:Tony Giangreco
Comment Utility
He needs to be an ASD user and be joing to the domain for starters. After that is completed, verify his permisions are correct. Check his explidid permissions on that folder and verify he has read/write access.
0
 

Author Comment

by:bankwest
Comment Utility
On my Network-data drive the Share permissions show Everyone with full control.   Then the NTFS permissions shows:
Domain Admins with full Control
Users (for our domain) with read, list and read & execute.

Then I go to the folder in question and the Group he is in has Modify, Read & Execute, List and Read

When I look at the effective permissions on that folder, that group has the correct permissions.

So I don't understand why he can't access the information from his local desktop but can from his TS desktop.

He is a user in Active Directory and is joined to our domain correctly and when I look at that folder and permissions...That group has correct permissions.  

Also, as a side note:   I thought in reading about permissions, that Share permissions and NTFS are independent of each other.    And one approach suggested is to set share permissions to full control on everyone (which I did) and rely on NTFS permissions to restict access.
0
Too many email signature updates to deal with?

Do you feel like you are taking up all of your time constantly visiting users’ desks to make changes to email signatures? Wish you could manage all signatures from one central location, easily design them and deploy them quickly to users? Well, there is an easy way!

 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 333 total points
Comment Utility
Hi.

You have to make clear if that resource is on a share of the TS or on another server. If on another server, the only possible explanation would be: the access token is assigned by a domain controller and the TS does not choose the same DC as the workstation does. So maybe the change in group membership has not replicated to that DC the workstation chooses. That would make it a replication problem.

See if the command
echo %logonserver%
produces the same result or not.
0
 

Author Comment

by:bankwest
Comment Utility
McKnife

That command Produces same result for both.  (Our DC)
0
 
LVL 53

Expert Comment

by:McKnife
Comment Utility
Hi and merry xmas!

You still did not make clear if that resource is on a share of the TS or on another Server. Please do so.
0
 

Author Comment

by:bankwest
Comment Utility
Sorry......   Got side tracked.    I did the command above and as it should be, the resource is our primary domain controller.   Confirmed it both locally and thru TS login.    So, the share is on another server
0
 

Author Comment

by:bankwest
Comment Utility
Thinking on this.   This is first time that I have set file permissions on a network.    So I am trying to be very cautious.  
Could this be my problem??
Let say John is a loan officer and needs modify/read/read execute on folder called LOAN

John is a member of the users group that has read and read/execute and is also a member of VP group that has modify, read and read/execute

Since he is a member of both groups will the settings for Users override settings for VP?
since they are more restrictive
0
 
LVL 53

Accepted Solution

by:
McKnife earned 333 total points
Comment Utility
Permissions are additive. He'll have modify rights, then.
There's something fishy. You should do more tests with another share or even different shares on different servers to see if there are other irregular behaviors.
0

Featured Post

Are end users causing IT problems again?

You’ve taken the time to design and update all your end user’s email signatures, only to find out they’re messing up the HTML, changing the font and ruining the imagery. What can you do to prevent this? Find out how you can save your signatures from end users today.

Join & Write a Comment

I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now