Solved

Changed permissions on network folder - How can staff access without reboot?

Posted on 2014-10-28
Last Modified: 2014-11-13
I've been trying to modify the permissions on various network folders (Windows Server 2003), to go from full access to everyone, to the proper restricted access. This entailed removing authenticated users permissions, and changing domain user permissions to just read&execute only. However, staff that still have full read/write permissions (as a new security group addition) are getting write errors even though the permissions are correct. If they reboot, the problem is solved.

I'm trying to figure out if there is a quicker way to resolve the permission issue without needing the user to reboot?

Thanks.
Question by:ruhkus
16 Comments
 
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40409190
few options here

1 restart netlogon service on the clients using psexec


http://www.experts-exchange.com/Networking/Network_Management/A_2779-Use-PSExec-to-run-a-command-remotely.html


or easier

Restart netlogon service using script

Restart-Service netlogon

(save it as netlogon restart.ps1)
0
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 40409227
Oh, nice, didn't know that, Jan.
Other ways I know:
-have the users logoff and on again (reboot isn't needed)
-refresh their Kerberos tickets using scripts with klist.exe (difficult as the user would need to execute that script himself)
-restart the process explorer.exe (needs user action as well)

So if it works, Jan's solution is by far superior.
0
 
LVL 13

Expert Comment

by:Michael Machie
ID: 40409399
Having them log off and then log back on as McKnife stated is generally the least amount of work for all involved. Restarting services while people are actively using a machine is not always the best suggestion, and if they are not actively using the PC then when they log on it will be available.
0

 
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40409406
@Machienet  remote restart of netlogon service will do the job + it doesn't require user involvement
0
 
LVL 13

Expert Comment

by:Michael Machie
ID: 40409439
Indeed, not arguing that point, but to accomplish a task with no interaction is better than some in the eyes of this (me) busy IT guy.

Either works, just depends on the method you want to use... Pepsi-Coke (I wouldn't dare use the MAC-PC analogy here haha).
0
 
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40409452
So you would have to tell your users to restart the computer, because you are too busy to solve the problem :)
0
 
LVL 13

Expert Comment

by:Michael Machie
ID: 40409523
I won't get into a p-match with you as this is not the intention of the site, but before responding directly to someone like you just did with me, you should learn to comprehend and process what they stated before sticking your foot in your mouth, as you just did - I'll let you figure that one out.. perhaps with a script?

I only provided additional information on an alternative solution as stated by someone else, which you apparently do not agree with, which is also fine.

Coke-Pepsi...
0
 
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40409534
Machienet apologies if I upset you - that wasn't my intention - obviously our approach in resolving IT problems differs.
@ ruhkus sorry for changing your straightforward question into "p-match" - which again wasn't my intention.

I just strongly believe that telling users - "restart your pc" is just not a "good enough" approach - if you can easily fix it for them - no user intervention is the key IMHO.

but like Machienet said

Coke-Pepsi...
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40409589
Jan, when would that positive effect appear?
Just tried to use it, it did not help.
--
Setup: testshare, user A has read perms on share and ntfs level. Domain group X however has write access on both. Add A to domain group X, restart the netlogon service on A's computer...nothing changes.
Needless to say that I waited some time. And of course it works after logging off and on again.
--
That said, I would be very surprised if it really works because I have seen this question so often during the last 15 years - never was restarting that netlogon service even mentioned as possible solution.
0
 
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40409627
Should work straight away after restart of service. - just tested it on my vms

one difference is that user a will have full write and read on share level (as authenticated user) - we enforce security on ntfs level
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40409631
I don't understand what you are saying - what's the difference?
It makes no difference if I set share perms to everyone:change and only modify the NTFS perms, by the way.
What OS' are you using? In my VMs, the server side is 2012 R2 and the client is 8.1
0
 
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40409634
2008 R2 and Win 7
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40409637
Have no 08R2 here. Will see at work tomorrow.
0
 
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40409668
guys - It doesn't work - it seems that my testing security group was a member of other security group - so restarting netlogon service doesn't work - you still have to logon/logoff - to refresh your security token

apologies for confusion
0
 

Author Comment

by:ruhkus
ID: 40410578
Yeah, I was unable to get the netlogon restart to work, as confirmed. Log on/off is fine, but at that point, I prefer they just reboot.

I'll try killing explorer.exe, but I'm also curious about using klist. I don't mind going to their PC as we're not that large a company, so if they have a lot of programs open, this is sometimes preferred.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40410620
Here you go: http://www.experts-exchange.com/Security/Operating_Systems_Security/Q_28485742.html inside I linked also the thread where killing+restarting explorer is described.
0
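
The thread concludes that a new group membership only takes effect once the user's security token is rebuilt at logon. As an added example (not part of any post above), the following PowerShell compares the group SIDs in the running session's token with the membership Active Directory reports now, so an admin can confirm a stale token before asking the user to log off. The function names are hypothetical, the sample SIDs are constructed, and the live check assumes a domain-joined client that can query the directory.

```powershell
# Added example; function names are hypothetical, sample SIDs are constructed.

function Get-TokenGroupSid {
    # Group SIDs in the current logon session's access token (fixed at logon).
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        ForEach-Object { $_.Value }
}

function Get-DirectoryGroupSid {
    param([string]$SamAccountName = $env:USERNAME)
    # Current transitive membership as AD computes it now (tokenGroups attribute).
    # The name is placed in the LDAP filter unescaped; pass trusted input only.
    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$SamAccountName' not found in the directory." }
    $entry = $result.GetDirectoryEntry()
    $entry.RefreshCache(@('tokenGroups'))
    foreach ($bytes in $entry.Properties['tokenGroups']) {
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
}

function Get-MissingGroupSid {
    param([string[]]$TokenSid, [string[]]$DirectorySid)
    # Groups the directory grants that the running session does not carry yet.
    @($DirectorySid | Where-Object { $TokenSid -notcontains $_ })
}

function Test-StaleToken {
    $missing = Get-MissingGroupSid -TokenSid (Get-TokenGroupSid) `
                                   -DirectorySid (Get-DirectoryGroupSid)
    foreach ($sid in $missing) {
        $name = '<unresolved>'
        try {
            $obj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $name = $obj.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
        "Not in token until next logon: $name ($sid)"
    }
    if (-not $missing) { 'Token matches directory membership.' }
}

# Constructed data: the user was added to the group ending in -1105 after logon.
$tokenSids = 'S-1-5-21-1111111111-2222222222-3333333333-513'
$dirSids   = 'S-1-5-21-1111111111-2222222222-3333333333-513',
             'S-1-5-21-1111111111-2222222222-3333333333-1105'
Get-MissingGroupSid -TokenSid $tokenSids -DirectorySid $dirSids
# On a domain-joined client, run as the affected user: Test-StaleToken
```

Run `Test-StaleToken` in the affected user's session; only groups from the user's own domain that `tokenGroups` returns are compared.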
