Network user (logging in with a Windows Active Directory domain account) receives "Access Denied" on attempts to save or copy files (new or overwrite) to his network home directory/share or any of its subfolders.
Server: Windows Server 2003 SP2 (32-bit)
Client: Windows 7 (64-bit)
File Structure Format: NTFS
* Problem occurs when saving files for the first time or overwriting existing files. All applications. Single account/user, all client machines.
* His home directory is set up as a share. It is mapped to a logical drive via his login script.
* He can access (write to) other folders/shares on this server - he has another drive mapping to another share on the same server (they are not nested shares).
* Only this user and the server's local Administrators have rights to the share/folders. (Right now he has been added to the local Administrators group as a workaround, but he needs to be removed asap).
When did the problem start/what changed?
The user had access to this folder. When it was created, he was granted access via a domain admins group of which he was a member (don't blame me - I didn't do it). He was removed from the group, at which time he reported he had no access to the folder or subfolders. Rights were immediately granted to his account - full control to the share and all folders, subfolders and files. He could then access files, but could not write to the root or subfolders. (One exception - he has .pst files under an Exchange subfolder, and cannot access these files at all.)
What's Been Tried:
Removed all rights to the folder and recreated them from scratch. I have 30 years in the industry, and 3 other admins with similar experience have looked at the rights and don't see any problems with them. Also ran cacls.exe and icacls.exe (display only) and they indicate the same rights (have checked regular NTFS, special NTFS and share - full control to all). Effective rights look good. No rights are "denied".
Have tried making him the Owner of all.
Created an AD test account identical to his (via Copy) and the test account CAN access share and subfolders.
Created a copy of the structure, removing and recreating all rights. Still the test account can access, his account cannot.
Saved the original structure, renamed the new one to the original name (I know, don't ask me why): same problem.
What I'm Thinking
Is there a problem with the SID?
When I tried running icacls using his SID on the directory, it didn't locate records (not contradicting myself or making things up as I go along - when I referenced running the utility in the previous paragraph, I was not using the SID as a parameter). But maybe I don't understand how that works, or ran it incorrectly, because it also didn't find records for my SID when I tried running it on my home directory structure, and I have no problems. Do I need to recreate an account for him to recreate the SID?
Should I restore the entire structure from a backup (without security) from before the time he was removed from the domain admins group?
Anyone understand the internals well enough to know what to search for in the registry or system structures, or recommend any utilities that might help?
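The following is an added diagnostic script, not something from the original post or its poster. It gathers in one pass the things the post is checking by hand: the affected account's SID and the flattened list of group SIDs in its token, the share-level DACL, every NTFS ACE on the tree that is a Deny, an orphaned SID, or an explicit (non-inherited) entry that matches the user, the owner of the root, and an icacls /findsid run with the SID in the form icacls actually accepts (a numeric SID must be prefixed with `*`, otherwise it is treated as a name and matches nothing, which is consistent with the empty result described above). The path `D:\Home\jdoe`, the share name `jdoe$` and the account `CONTOSO\jdoe` are placeholders; it assumes it is run elevated on the file server with PowerShell 2.0 or later installed.

```powershell
# Added diagnostic example, not from the original post. Assumes it runs on the
# file server, elevated, with PowerShell 2.0 or later. $Path, $ShareName and
# $UserName are placeholders to replace with the real home directory/account.
param(
    [string]$Path      = 'D:\Home\jdoe',     # assumed: local path of the home directory
    [string]$ShareName = 'jdoe$',            # assumed: share name that points at $Path
    [string]$UserName  = 'CONTOSO\jdoe'      # assumed: the affected domain account
)

# --- 1. Resolve the account to its SID and expand its token groups -----------
# tokenGroups is the flattened set of group SIDs (nesting already resolved) that
# the server evaluates, so a Deny ACE on any of them applies to this user.
$ntAccount = New-Object System.Security.Principal.NTAccount($UserName)
$userSid   = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value
$searcher  = New-Object System.DirectoryServices.DirectorySearcher("(objectSid=$userSid)")
$userEntry = $searcher.FindOne().GetDirectoryEntry()
$userEntry.RefreshCache(@('tokenGroups'))
$tokenSids = @($userSid)
foreach ($raw in $userEntry.Properties['tokenGroups']) {
    $tokenSids += (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
}
Write-Host "Token for $UserName holds $($tokenSids.Count) SIDs (account + groups)"

# --- 2. Share-level DACL via WMI ---------------------------------------------
# AceType 0 = Allow, 1 = Deny. Share permissions are combined with NTFS
# permissions, so a Deny here blocks writes even with Full Control on NTFS.
$shareSec  = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
$shareDacl = $shareSec.GetSecurityDescriptor().Descriptor.DACL
foreach ($ace in $shareDacl) {
    $type    = if ($ace.AceType -eq 1) { 'DENY ' } else { 'Allow' }
    $applies = if ($tokenSids -contains $ace.Trustee.SIDString) { '<-- applies to user' } else { '' }
    Write-Host ("Share {0} {1,-45} mask=0x{2:X8} {3}" -f $type, $ace.Trustee.SIDString, $ace.AccessMask, $applies)
}

# --- 3. NTFS DACL: flag Deny ACEs, orphaned SIDs and explicit user ACEs ------
# Get-Acl returns the identity as an NTAccount when it resolves; an entry that
# stays a raw SecurityIdentifier is an orphaned SID (account no longer exists).
$folders = @(Get-Item $Path) + @(Get-ChildItem $Path -Recurse | Where-Object { $_.PSIsContainer })
foreach ($folder in $folders) {
    $acl = Get-Acl -Path $folder.FullName
    foreach ($ace in $acl.Access) {
        $orphan = $ace.IdentityReference -is [System.Security.Principal.SecurityIdentifier]
        $aceSid = $ace.IdentityReference.Value
        try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { }
        $hits   = $tokenSids -contains $aceSid
        $isDeny = $ace.AccessControlType -eq 'Deny'
        if ($isDeny -or $orphan -or ($hits -and -not $ace.IsInherited)) {
            $flag = if ($isDeny -and $hits) { 'DENY APPLIES' }
                    elseif ($isDeny)        { 'deny (other)' }
                    elseif ($orphan)        { 'orphaned SID' }
                    else                    { 'explicit allow' }
            Write-Host ("{0,-14} {1} {2} rights={3} inherited={4}" -f $flag, $folder.FullName,
                        $ace.IdentityReference.Value, $ace.FileSystemRights, $ace.IsInherited)
        }
    }
}
Write-Host "Owner of root: $((Get-Acl $Path).Owner)"

# --- 4. Ask icacls which objects carry an explicit ACE for this SID ----------
# icacls only treats the argument as a numeric SID when it starts with '*';
# a bare S-1-5-... string is looked up as an account name and finds nothing.
icacls $Path /findsid "*$userSid" /t /c
```

Everything in the script is read-only (it only reads ACLs and directory attributes), so it is safe to run against the live home directory. The lines worth looking at first are any `DENY APPLIES` row, any `orphaned SID` row, and any share ACE marked as applying to the user with a mask that lacks write bits. If nothing shows up there, the next step on Server 2003 is to turn on failure auditing for object access in the local security policy and add an audit entry for the account on the root folder; the Security log then records exactly which object and which access mask the server refused, which is more precise than anything the permission dialogs report.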