Solved

How to alter NTFS permission WITHOUT asking user to logoff.

Posted on 2014-07-28
593 Views
Last Modified: 2014-09-24
I created a new user group named "Contract Folder Administrators" on a small business server 2003.  
"Joe" was a member of this group.

I added this group with Full Control to a preexisting folder:

s:\contracts\   where S: is mapped to shared folder \\server02\Shared. The full UNC name is
\\server01\Shared\Contracts\    

on server01 joe could not access the folders.  I ran gpedit  and gpedit /force but that did not help. I asked Joe to lock and unlock his computer with Windows Key L but that did not help.  Finally, I asked him to log off and back on and that did the trick.

Is there any way to force the security updates to take effect immediately so my users don't have to log off?  

rberke
Question by:rberke
19 Comments
 
LVL 53

Expert Comment

by:McKnife
ID: 40225687
There is, but it would require the user to execute a script that purges and renews his Kerberos tickets. This will not look easier to him, believe me.
0
 
LVL 5

Author Comment

by:rberke
ID: 40225711
But, isn't it possible for the server to remotely start a script on a workstation?  Why would that not be transparent to the user?

By the way, I did some further research and ran across a link which has a workaround.  But, I like your idea of a script better.  Would it be difficult for you to create such a script? ( I'm pretty good at vb so if you give me some pointers to the APIs I could probably do the grunt work myself.)

This workaround came from here.
ADD group to folder. ADD individual to GROUP, then ADD user directly to the Folder.
The User would then have immediate access to files, then within a weeks time, remove Individual user, since the group security would then be in effect of Users next login.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40225721
Not transparent. The server would have to impersonate the user.
But please feel free and use it, it's using the single line
klist.exe purge
0
 
LVL 5

Author Comment

by:rberke
ID: 40228218
I'll try it tomorrow and see what happens.
0
 
LVL 5

Author Comment

by:rberke
ID: 40235451
klist.exe purge did not work.

On the server, I added jane.doe to security group named "Full Control of Contracts Folder".

On Jane's Windows 7 Pro computer I opened a command line and ran "klist.exe purge" which responded "tickets purged".  Jane was still not able to access the Contracts Folder.

I logged her off, and logged her back on, and she then had full access.  

Does anybody have any better ideas?
0
 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
ID: 40235967
I will help you out.
I tried myself and could figure out this: after purging, you need to use the FQDN and afterwards, you are given access right away. So before, you might have used \\server\share. Instead, now use \\server.domain.local\share
This worked here and I think THAT was the reason why (10 years ago) we abandoned the thought... far too complicated for the ordinary user.
0
 
LVL 5

Author Comment

by:rberke
ID: 40269152
Each test is time consuming because I am trying to always start from the same initial state - which is to have admin remove user from group, then log jane.doe off and back on.

In my first test, I thought I had success.

I added jane.doe to security group named "Full Control of Contracts Folder".
On Jane's Windows 7 Pro computer I ran
klist.exe purge

Jane was still not able to access the s:\sharename\Contracts.
but, she WAS able to access \\server.mydomain.local\sharename\contracts.

I flipped back and forth using explorer, and it was very clear that FQDN\sharename\contracts worked but s:\sharename\contracts

But then I logged off and  tried to repeat the test carefully, it did not work.  

I then tried 3 more times and was about to give up when the fourth try worked!!  And again, it was clear that fqdn was the only way to access the file -- attempts through the "normal" name would fail.

I then logged off again and repeated the test 5 more times but they all failed.

So, the fully qualified domain name helped twice, but there seems to be some unknown variable that is needed to make it work all the time. I tried variations such as running klist purge with elevated privilege and frequently ran gpupdate /force but nothing made it work again.

Any help would be appreciated.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40270624
No other variables in here, what makes it work sometimes and sometimes not is maybe just latency. Allow a moment after purging and accessing fqdn. It always worked for me, did several tests.
0
 
LVL 5

Author Comment

by:rberke
ID: 40271053
yes latency seems to explain it.  I  have determined that the security change takes somewhere between 15 minutes and 3 hours to become effective. I had hoped that klist purge would speed up the process, but that does not seem to be the case.  In fact, I am not entirely convinced that klist purge affects things at all.

Here is the important thing. I can change the logon script so the S: drive is mapped to \\server.domain.local\sharename  !!!.  instead of \\server\sharename.

I think this will be giant step towards making security work "properly" and I believe it will be entirely transparent to users. In the future, changes to security would become effective in 3 hours (or maybe less.)

I will probably close this question soon, but I want to do a few more experiments first.
0
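The procedure that McKnife's accepted answer describes (purge the ticket cache, then open the share by its fully qualified name and allow a few seconds) and rberke's later idea of mapping S: to the FQDN path in the logon script are combined below in an added PowerShell example. It is not code from the thread or from either participant. The server name, domain, share, folder and drive letter are placeholders for your own values. The script must run inside the affected user's own interactive logon session, because `klist purge` only empties the ticket cache of the session it runs in; it records whether the FQDN path and the short path are reachable after the purge, which is the observation the thread was trying to reproduce, rather than guaranteeing access.

```powershell
# Added example, not from the thread. All names below are placeholders.
# Run as the affected user (not elevated, not as the administrator), because
# klist purge only clears the Kerberos ticket cache of the session it runs in.

param(
    [string]$Server = 'server01',          # placeholder file server
    [string]$Domain = 'mydomain.local',    # placeholder AD DNS domain
    [string]$Share  = 'Shared',            # placeholder share name
    [string]$Folder = 'Contracts',         # placeholder folder with group-based ACL
    [string]$Drive  = 'S:',                # placeholder drive letter
    [int]$SettleSeconds = 5                # the "some seconds" of latency from the thread
)

$fqdnPath  = "\\$Server.$Domain\$Share\$Folder"
$shortPath = "\\$Server\$Share\$Folder"

# Returns $true when the folder can be listed, $false on access denied or any
# other failure (the message is written as a warning so the cause is visible).
function Test-FolderAccess([string]$Path) {
    try {
        $null = Get-ChildItem -LiteralPath $Path -ErrorAction Stop
        return $true
    } catch {
        Write-Warning ("{0}: {1}" -f $Path, $_.Exception.Message)
        return $false
    }
}

# The logon-script variant from the thread: map the drive through the FQDN so
# users reach the share by the name that worked, without any action on their part.
function Set-FqdnDriveMapping {
    if (Get-PSDrive -Name $Drive.TrimEnd(':') -ErrorAction SilentlyContinue) {
        net use $Drive /delete /y | Out-Null
    }
    net use $Drive "\\$Server.$Domain\$Share" /persistent:yes
}

# Groups in the current logon token. This list is fixed at logon and does NOT
# change after the purge; only freshly issued Kerberos tickets carry new membership.
Write-Host "Groups in this logon token (unchanged until logoff):"
whoami /groups /fo list | Select-String '^Group Name'

# 1. Purge every Kerberos ticket in this session, including the TGT. The next
#    network access makes the client request new tickets.
klist purge | Out-Null
Start-Sleep -Seconds $SettleSeconds

# 2. Touch the FQDN path first so a new service ticket for the server is obtained,
#    then compare with the short name that the thread reports still failing.
$fqdnOk  = Test-FolderAccess $fqdnPath
$shortOk = Test-FolderAccess $shortPath

# 3. Show the service ticket that the FQDN access obtained, if any.
Write-Host "Kerberos service tickets for ${Server}:"
klist | Select-String -Pattern "cifs/$Server"

# 4. Summarise so repeated runs (the thread needed many) can be compared.
[pscustomobject]@{
    Time        = Get-Date
    FqdnPath    = $fqdnPath
    FqdnAccess  = $fqdnOk
    ShortPath   = $shortPath
    ShortAccess = $shortOk
}
```

Run it once before the group change to record the baseline and again after the administrator has added the user to the group; keeping the timestamped summaries is what lets you tell the "some seconds" latency McKnife saw apart from the hours-long delays rberke reports. Call `Set-FqdnDriveMapping` from the logon script, or once per session, when you want the drive letter itself to go through the FQDN.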
 
LVL 53

Expert Comment

by:McKnife
ID: 40271196
The latency I am talking about is some seconds. I tested multiple times and got instant reproducible results.
0
 
LVL 5

Author Comment

by:rberke
ID: 40274291
<<The latency I am talking about is some seconds>> I no longer think latency is the issue.  

I continue to get random results.  My most recent test was to return jane doe to "normal" and log her on, then add her to the Folder Allowed group.  20 hours later she still could not get the fqdn folder.  All attempts to use klist and gpupdate failed.  The only way I could get her access was to logoff and logon again.

So, 3 times fqdn has helped, but all other times it has not.  I suspect that my Windows Small Business Server 2003 might have a bug (yikes !!!! it really is a decade old !!!)


What version of Windows Server are you running?

If you don't have any further ideas, I will close this question.  The "correct" answer is "the only straightforward way to make Windows security take effect is to log off and log on again".
0
 
LVL 5

Author Comment

by:rberke
ID: 40274452
after 24 hours, Jane's session now has access to the fqdn folder!!!  And yes, I am sure that it is the same session - there has not been a logoff since yesterday afternoon.

Totally random, and I still think it is due to 10 year old server software.
0
 
LVL 5

Author Comment

by:rberke
ID: 40274503
McKnife:  You said " I tested multiple times and got instant reproducible results. "

Could you give me more details of your test?  Specifically, I hoped you granted folder permission using security groups.

(if you granted folder permission using user names, that always seems to take effect immediately.  That was the workaround I mentioned in my initial post.)
0
 
LVL 5

Author Closing Comment

by:rberke
ID: 40274915
Windows security is simply not designed to allow "Quick" changes.  For security to work properly, users MUST sign off then back on.

All workarounds are of limited value.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40282973
More details on the test:
While user is logged on, I added him to a domain security group that had been granted access to a certain folder. Using klist purge (in fact for most tests I use kerbtray.exe from the windows resource kit (of win NT)), he can get access after a few seconds if he uses the FQDN - without logging off.
0
 
LVL 5

Author Comment

by:rberke
ID: 40283482
Thanks.  I may give kerbtray a  try sometime.  Unfortunately, right now I have wasted enough time on this minor problem.

Bob
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40341778
Hi rberke.

In another thread here, I came across this link http://community.spiceworks.com/how_to/show/7562-refresh-user-s-group-membership-without-logging-off-and-on as another method. Didn't know that :)
0
 
LVL 5

Author Comment

by:rberke
ID: 40342433
I won't be able to test it until next week, but that sounds very encouraging.  I could create a batch file that does a taskkill of explorer followed by  RunAs /user:MYDOMAIN\marysUsername explorer.exe  /pw=marysPassword.

A minor downside is that it is not transparent.  Even if the user is not at her desk to watch, when she comes back she will know something happened because all windows explorer windows will have closed.  (Excel and other applications will not disappear. If security is being reduced, it might be annoying for Mary.)

Bob
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40342471
And that batch would need to be executed within her session, not only using her password, but executed by her!
0
