GPO blocking access to User's Own folders

Hi: Running Win 2003 Domain, Win XP, Vista and Seven workstations.

All GPOs were working fine. Last Monday a generic user we have that's used EVERYWHERE in the company lost access to its own folders. It can't access its own Documents folder or any folder under its user profile.

I've forced replication between DCs and rebooted the workstation several times, as well as run gpupdate /force, gpupdate /target:user and gpupdate /target:workstation.

- No new GPOs. No changes I've done. The other manager tells me he didn't do a thing.
- I've checked the usual suspects "hide access to drives" and "prevent access to drives" and they're not configured.
- I've checked other GPOs just in case but they're not configured either.
- I modified the specific GPO for that user and disabled the "hide" and "prevent".
- I've created under Computer\Pol\Wind Settings\Sec Settings\File System an object granting that specific user Full Control on the folders and propagated to sub-folders.
- I've checked the GPO from top to bottom for anything that would cause this behavior.
- I recreated the GPO using basically the same settings (thinking of corruption).
- I restored 2 backups of the GPO from before the problem.
- Since the GPO is applied at the OU level, I placed it at the bottom of the list so it would have precedence.
- I've deleted the user profile and the registry (ProfileList).

I'm going to disable all other GPOs and just leave the user specific GPO.  After that I have no clue what to do next.
SFWIB Asked:

piattnd Commented:
A few questions:

What exact error do you get?  What are the NTFS permissions on the folders/files you cannot get to?  Where are these files located?  Do you have permission inheritance turned on or off on those folders? (A few examples are fine)  Are there any deny statements on the folder structure?  If so, what are they?

I'm assuming you haven't fixed the issue, so when I troubleshoot permissions, I first focus on identifying who does have access (both individual accounts and groups).  Take note of the local and domain groups separately.  The goal here is to identify whether the account was removed from a group (which is my guess).  Very rarely do you ever control NTFS permissions at a GPO level.  

I personally do not think the issue is a GPO.

SFWIB (Author) Commented:
Also,

-I've granted full access to the user folders through the Software Restriction Policies under Comp and User.

I just disabled all other GPOs, synchronized DC's and rebooted workstation twice.  

I am dumbfounded.

SFWIB (Author) Commented:
What exact error do you get?  
A: this operation has been canceled due to restrictions in effect on this computer. Contact your admin.

What are the NTFS permissions on the folders/files you cannot get to?  
A:  I can get to them fine since I'm Domain Admin. The user itself can't. However, user has Full and everything under it and it propagates to every sub-folder.

Where are these files located?  
A:  they're located in its own user folders such as My Documents.

Do you have permission inheritance turned on or off on those folders? (A few examples are fine)  
A: permissions are explicitly given by the OS when user profile is created. I also set to unrestricted the path for that user in software rest policies in both comp and user.

Are there any deny statements on the folder structure?  If so, what are they?
A: no denies.
SFWIB (Author) Commented:
Regarding the group idea... user belongs to a single group which is a security group.  It is a VERY restricted user but up to last Thursday it had access to its own folders.

piattnd Commented:
Is the user account locked or disabled?

piattnd Commented:
Also, go into the Windows event log, security log, filter by "failed" and enter in here any of the events you see for that user.  You can blur out or remove any proprietary information.

SFWIB (Author) Commented:
Actually user account can't be locked.  It is not locked and it is not disabled.  I can log in just fine and everything works except... access to its own folders.

piattnd Commented:
Lastly, what action are you trying to perform when you get this message:

"this operation has been canceled due to restrictions in effect on this computer. Contact your admin."

SFWIB (Author) Commented:
Sec log only shows a couple of times I entered wrong password as domain admin. Nothing else.

piattnd Commented:
Who is marked as the "owner" of these files/folders?  Have you tried to set ownership to "Administrators" and then reset permissions from the root of their profile?  Go into the advanced permissions window, click the Effective Permissions tab, select the impacted user account and put a screen shot of the results in this posting.

SFWIB (Author) Commented:
Did that too.  It shows all check marks under effective permissions.  I set ownership to user and logged in as that user and still nothing.

piattnd Commented:
Log in as the user and issue the command "gpresult"  ("gpresult /r" if you're on Win7)

Move the user account to a new OU.  Block GPO inheritance for that OU and do not apply any GPOs to that OU.  Move the computer object into the same OU so no GPOs apply for that object.  Perform a GPUpdate /force and reboot the machine, log back in and test again.

SFWIB (Author) Commented:
Thought about it but didn't do it.  I'll let you know how it goes.  BTW thank you for helping me.  I do appreciate it.

piattnd Commented:
Well at this point, absolutely none of this makes sense, so might as well try it.  If it really was a GPO that caused this issue, you may still see the problem, because the settings have been changed and will not be adjusted back simply because the GPO isn't applying anymore, though if the issue is more like a realtime "block this action" rather than a "set this setting", then everything should work.

We'll see what happens.  Let us know.

SFWIB (Author) Commented:
Jesus Christ!  That did it!!!!!!!!!!!!!!!!!!!   Creating a new OU and applying the same policy worked!     I owe you a beer!!!

piattnd Commented:
Now the fun part, narrowing down which GPO contains the issue.  I'd just apply them a few at a time until you find out which one is causing the problem.  Good luck!

SFWIB (Author) Commented:
Actually there are only 3 GPOs that apply and they're all applied.  Thank you for letting me use your brain.

piattnd Commented:
That's really odd.... You're welcome!  Hope that one doesn't come back to haunt you.

piattnd Commented:
Don't forget to close and grade :)
SFWIB (Author) Commented:
You guys rock!
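
Added example, not part of any participant's post: a PowerShell check for the registry values behind the "hide" and "prevent access to drives" settings mentioned in the question, showing what is actually set in the logged-on session rather than what the GPO editor displays. The function names are hypothetical; `NoDrives` and `NoViewOnDrive` are the standard Explorer policy value names, and the sample masks are constructed.

```powershell
# Added example (not from the thread). Run in the affected user's session.
# NoDrives / NoViewOnDrive are the registry values written by the
# "hide" and "prevent access to drives" Explorer policies.
# Function names are hypothetical. Written to work on PowerShell 2.0.

function ConvertFrom-DriveMask {
    param([int]$Mask)
    # Bit 0 = A:, bit 1 = B:, ... bit 25 = Z:
    $letters = @()
    for ($bit = 0; $bit -lt 26; $bit++) {
        $flag = [int][math]::Pow(2, $bit)
        if ($Mask -band $flag) {
            $letters += [string][char](65 + $bit)   # 65 = 'A'
        }
    }
    if ($letters.Count -eq 0) { return '(none)' }
    return ($letters -join ',')
}

function Get-DrivePolicy {
    $subKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $path = '{0}\{1}' -f $hive, $subKey
        foreach ($name in 'NoDrives', 'NoViewOnDrive') {
            $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
            if ($item -eq $null) { continue }   # value or key not present
            $value = [int]$item.$name
            New-Object PSObject -Property @{
                Hive   = $hive
                Policy = $name
                Value  = $value
                Drives = (ConvertFrom-DriveMask $value)
            }
        }
    }
}

# Constructed sample masks: 4 = C: only, 67108863 = all 26 drives
ConvertFrom-DriveMask 4
ConvertFrom-DriveMask 67108863

# Live check; no output means neither value is set in either hive
Get-DrivePolicy | Format-Table Hive, Policy, Value, Drives -AutoSize
```

Comparing the HKCU output for the affected account before and after moving it to the new OU shows whether either value changed with the move.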