Windows "Access Denied" Error for Specific User on Network Share and Subfolders

Problem Summary:

Network user (logging in with a Windows Active Directory domain account) receives "Access Denied" on attempts to save or copy files (new or overwrite) to his network home directory/share or any of its subfolders.

Platform Info:

Server: Windows Server 2003 SP2 (32-bit)
Client: Windows 7 (64-bit)
File Structure Format: NTFS

* Problem occurs when saving files for the first time or overwriting existing files. All applications. Single account/user, all client machines.
* His home directory is set up as a share. It is mapped to a logical drive via his login script.
* He can access (write to) other folders/shares on this server - he has another drive mapping to another share on the same server (they are not nested shares).
* Only this user and the server's local Administrators have rights to the share/folders. (Right now he has been added to the local Administrators group as a workaround, but he needs to be removed asap.)

When did the problem start/what changed?

The user had access to this folder. When it was created, he was granted access via a domain admins group of which he was a member (don't blame me - I didn't do it). He was removed from the group, at which time he reported he had no access to the folder or subfolders. Rights were immediately granted to his account - full control to the share and all folders, subfolders and files. He could then access files, but could not write to the root or subfolders. (One exception - he has .pst files under an Exchange subfolder, and cannot access these files at all.)

What's Been Tried:

Removed all rights to the folder and recreated them from scratch. I have 30 years in the industry, and 3 other admins with similar experience have looked at the rights and don't see any problems with them. Also ran cacls.exe and icacls.exe (display only) and it indicates the same rights (have checked regular NTFS, special NTFS and share - full control to all). Effective rights look good. No rights are "denied".
Have tried making him the Owner of all.
Created an AD test account identical to his (via Copy) and the test account CAN access share and subfolders.
Created a copy of the structure, removing and recreating all rights.  Still the test account can access, his account cannot.
Saved the original structure, renamed the new one to the original name (I know, don't ask me why) same problem.

What I'm Thinking

Is there a problem with the SID?
When I tried running icacls using his SID on the directory, it didn't locate records (not contradicting myself or making things up as I go along - when I referenced running the utility in the previous paragraph, I was not using the SID as a parameter). But, maybe I don't understand how that works, or ran it incorrectly, because it also didn't find records for my SID when I tried running it on my home directory structure, and I have no problems. Do I need to recreate an account for him to recreate the SID?

Should I restore the entire structure from a backup (without security) from before the time he was removed from the domain admins group?

Anyone understand the internals well enough to know what to search for in the registry or system structures, or recommend any utilities that might help?
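The recursive rights check described under "What's Been Tried", as an added PowerShell example that is not from the thread or any of its participants; the share path, the account name and the report columns are assumptions, and it inspects explicit folder ACEs only (share permissions and group-derived rights are out of scope):

```powershell
# Added example, not from the thread: audit the explicit NTFS ACEs on every folder
# under a home share for one account. Flags folders with no Allow-write ACE, any
# Deny ACE touching write rights, and any ACE whose SID no longer resolves.
# Path and account are placeholders; run on the file server as an administrator.
param(
    [string]$Path    = '\\FS01\homes\jdoe',   # placeholder home share
    [string]$Account = 'CONTOSO\jdoe'         # placeholder domain account
)
$write = [System.Security.AccessControl.FileSystemRights]::Write
$sid   = ([System.Security.Principal.NTAccount]$Account).Translate(
             [System.Security.Principal.SecurityIdentifier]).Value
# Root folder plus every subfolder (PSIsContainer keeps this PowerShell 2.0 friendly).
$dirs  = @(Get-Item -LiteralPath $Path)
$dirs += @(Get-ChildItem -LiteralPath $Path -Recurse -Force | Where-Object { $_.PSIsContainer })
# Built-in equivalent for the "does this SID appear anywhere" part: icacls $Path /findsid $sid /T
$report = foreach ($dir in $dirs) {
    $acl     = Get-Acl -LiteralPath $dir.FullName
    $allow   = $false
    $deny    = $false
    $orphans = @()
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference
        # Get-Acl shows resolvable identities as DOMAIN\name; a SID it cannot
        # resolve (deleted account, unreachable domain) stays a SecurityIdentifier.
        if ($id -is [System.Security.Principal.SecurityIdentifier]) {
            $orphans += $id.Value
            continue
        }
        if ($id.Translate([System.Security.Principal.SecurityIdentifier]).Value -ne $sid) { continue }
        $bits = $ace.FileSystemRights -band $write
        if ($ace.AccessControlType -eq 'Deny') {
            if ($bits -ne 0) { $deny = $true }          # any denied write bit blocks saves
        } elseif ($bits -eq $write) {
            $allow = $true                              # all write bits granted
        }
    }
    New-Object PSObject -Property @{
        Path         = $dir.FullName
        Owner        = $acl.Owner
        AllowWrite   = $allow
        DenyWrite    = $deny
        OrphanedSids = ($orphans -join ';')
    }
}
# Print only the folders that could explain an "Access Denied".
$report | Where-Object { -not $_.AllowWrite -or $_.DenyWrite -or $_.OrphanedSids } |
    Format-Table Path, Owner, AllowWrite, DenyWrite, OrphanedSids -AutoSize
```

An empty result means every folder carries an explicit Allow-write ACE for the account and no Deny or orphaned SID, which is the situation the question describes; the same script run against the working test-account copy gives a side-by-side comparison.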


John, Business Consultant (Owner), commented:
Still the test account can access, his account cannot.

Would it not be reasonable to delete his account entirely (save what is necessary) and make a new account. I would try this first.

(One exception - he has .pst files under an Exchange subfolder, and cannot access these files at all)

PST files should NOT be located on a network folder. It is not supported and it breaks PST files. Perhaps this did some other damage in the account.

Should I restore the entire structure from a backup (without security) from before the time he was removed from the domain admins group?

I should not think so, but I do not have enough experience to know for sure.

.... Thinkpads_User
Marisa Stevenson (Author) commented:
I asked about creating a new account in my original post because I am unsure of the implications, and am concerned I might break other things. For example:

1. For access to roaming and TS profile directories, do we just need to change the directory path to the existing path?
2. Any problems with renaming the account so the user has the same logon name, so we don't have to update ODBC User DSNs, and application accounts that use single sign-on or pass-through authentication, and will changing the logon name suffice for this purpose (and what about hard/soft tokens)?
3. Can I setup Exchange properties so that the new account uses his existing email address and points to the same mailbox?
4. What else might it impact that I'm not even considering?

Restoring from a backup seems less risky, although if it's a SID issue, I am not sure that will do the trick either. It would be nice to have a means to identify it as a SID issue.

As for .pst, what is the difference between storing them on a network or local drive? What kind of problems? We don't use them for archiving anymore since we use Vault, but this user has stored .pst files on the network for years without a problem. There are advantages - they are backed up with nightly backups, are available if we ever have to failover servers, and are available when users have to access them from shared machines... I think we even have them set up from OWA.
John, Business Consultant (Owner), commented:
1. If the user is set up for roaming access in a domain, they should carry their profiles (and so folders) with them.

2. There should not be, but you should test for it.

3. Exchange does not even need a roaming profile to work on a different computer. It will just set up a new OST local file. Exchange can work with roaming profiles.

As for .PST, what is the difference between storing them on a network or local drive?

Microsoft has never supported using PST files on network drives. Doing so can damage the PST file. I have seen that happen. Just because it has worked is not good reason to maintain the practice.

... Thinkpads_User
Mohammed Khawaja, Manager - Infrastructure: Information Technology, commented:
Have you checked NTFS rights? Easiest thing would be to create a new home folder for the user and transfer his files.
Marisa Stevenson (Author) commented:
We have checked NTFS rights by looking at the Effective Permissions and running the cacls utilities. Are you suggesting there is another way to do this? I already created a new home folder, and transferred all the files. Same problem.

Regarding Thinkpads_User's comments:
1. Carry their profiles with them? The profile directory is set up in AD and on the terminal server, so if I create a new account, I have to specify the (server) location for the new account. I think that's all I need to do, just asking for confirmation.
2. So, I am looking for guidance on whether I can rename the logon back to the original name, so I don't have to update all the single sign-on applications, ODBC DSNs, etc. with a new logon name (and confirmation that nothing else would be required if I do rename the account/logon).
3. To clarify, this question had nothing to do with roaming profiles. I was asking if and how I can set up the new account mailbox so it's associated with the existing email address/mailbox... can I go into Exchange properties (in AD) and specify the existing account's email address and mailbox?
4. I am really hoping someone has done this before, who can assure me that if I create a new account I can rename it so the user uses the same logon name, and specify their existing Exchange properties... and that no other steps will be required.
John, Business Consultant (Owner), commented:
1. If the profile is on a terminal server, then a new user needs new folder setups, yes. So I think that is the confirmation you are looking for.

2. I think you need to test this, but you need someone here with more experience.

3. Exchange will work with the user's login. I am not sure what else you need on this one.

4. I have no added information on this one.

.... Thinkpads_User
Marisa Stevenson (Author) commented:
As for the mailbox, it will work with the user's login? In other words, if I create a new AD account (by copying the user's existing account), then go into Exchange properties and specify an existing email address, is that it? Do I need to then go into Exchange properties and specify his existing mailbox store/Exchange server?
John, Business Consultant (Owner), commented:
As for the mailbox, it will work with the user's login?

Yes (assuming Exchange is part of AD, which it should be if on site). Hosted Exchange is different.

Each new AD account will get its own Exchange account. It is a question in AD setup. You can change it.

... Thinkpads_User
Marisa Stevenson (Author) commented:
Resolved by creating a new directory structure where the root/home directory had a different name than the original "problem" folder. Important note: when I tried keeping the same name (deleting the "problem" folders and then renaming the newly created directory to the original name), the problem returned.

A mod to our login batch job (and TS environment) was required to reflect the change in network (logical drive) mappings. The login batch job maps users' home directories using the %username% variable (maps to a folder with the same name as a user's AD logon). A condition was added so that this user's drive would be mapped using a constant value for the new home directory name (instead of setting it based on the %username% variable value).

Marisa Stevenson (Author) commented:
I resolved this on my own while troubleshooting. Merely want to share in hopes others may be able to use the same solution. I am not an EE "expert".