One Workstation with an issue...you need permission to perform this action

Windows server 2008 R2 network, windows 8.1 workstation.  this user has no problems with: ntwk log in, ping server, see other workstations on ntwk, map drives, viw shared folders on ntwk, get on internet, change pswd from wkstn.
But in his shared folders, if he tries to make any change to a file, he gets rejected and the Windows error "you need permission to perform this action...try again/cancel" come up.

IF I log in another user on his workstation, no problem manipulating files.  If I log his user i.d. to a different workstation, no problem manipulating files.

Any ideas?  Everything is shared and mapped basically how I want it for 15 other users and computers, but this one guy's login on this one workstation is stuck in rejection-land.
Jarrod AdamsconsultantAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Wayne88Commented:
Have you checked his permissions to the share to make sure he have access?

There are four to check (for your case, only the first 3 apply because sounds like a local permission issue):

1. sharing permissions (local)
2. file level permissions (local)
3. folder level permissions (local)
4. group level permissions (if he is in an AD group then the group he is in may have/not have access to do a certain things to the share)

Is he the owner of the shared folder/files?
JohnBusiness Consultant (Owner)Commented:
Make sure the same User Name used to create / map the shares on the server is the same User Name as trying to use / change the files.

On the problem workstation using the user's login, open cmd.exe and do the following:

NET USE Z: /Delete for ALL mapped drives.

Shut down, start up and then map the drives normally.

Does this work? Can the user use / change files?
Jarrod AdamsconsultantAuthor Commented:
Wayne88... Any specifics on "How" you want me to check these permissions?  When I rt-click on the shared network files or folders it shows his group membership as read/write access and full control, as well as his specific user as read/write full control (I added him specifically to certain folders when he started having trouble, hoping the redundant allow with his specifc id AND his Staff group membership would grant him access)
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Jarrod AdamsconsultantAuthor Commented:
John Hurst-
Where do I start???
1st I did what you asked.  I tried NET USE Z: /Delete for ALL mapped drives...restarted and was still not able to work in the shared folders from this specific machine.  I double-checked from another workstation and he still has proper & easy access to all appropriate folders in this structure, with permissions granted just to the staff group that he is a member of.

-A possibly important note...even though I've disconnected the mapped drives with your cmd, and with a rt-click... upon restart OLD mapped drives (to the previous server) reappear in his windows file explorer. These drives are not mapped through a script.  Also though, when these maps were originally disconnected and then the new server locations mapped, the old maps did NOT reappear OVER the properly mapped drives.  they only appear in absence of other mappings.  I did use your command to remove these old maps also, and they still reappeared on login after restart.

-I specifically share a folder directly to him, and still he is not able to manipulate files.

-IF, I share a folder to "Authenticated Users" he immediately has access to work with the files from his workstation.

I admit, I'm confused...any next ideas? thx
JohnBusiness Consultant (Owner)Commented:
I double-checked from another workstation and he still has proper & easy access to all appropriate folders

So there is something wrong with this Windows 8.1 machine.  And if I read properly, it has not worked.

Make sure of the following:

1. It is Windows 8.1 Pro. Windows 8.1 with no qualifier is Windows 8.1 HOME and won't work.
2. Go to Network and Sharing center, Advanced Sharing settings and make sure:
(a) Network Discovery is ON
(b) File and Print Sharing is ON
(c) Homegroup is OFF  (which means you need to use usernames and passwords.

If, after ensuring ALL of the above, it still does not work:

1. Run System File Checker.  Open cmd.exe with Run as Administrator and run SFC /SCANNOW twice. Shut down, Start up and test.

2. If still no, run DISM:

Open cmd.exe with Run as Administrator.
DISM.exe /Online /Cleanup-Image /Scanhealth (takes 15 - 20 minutes).
DISM.exe /Online /Cleanup-Image /Restorehealth (takes 15 - 20 minutes).
Restart the computer and test.

Please let us know. I gave you lots to chew on.
Jarrod AdamsconsultantAuthor Commented:
1st-
You are correct. It is isolated to this Windows 8.1 Pro workstation, BUT/AND isolated to this user on this workstation, as a different same-level user logged into this workstation has proper access .  

Also seems clear, that I can MAKE this user work on this workstation by adding Authenticated Users to the server folders' share properties, BUT I obviously hesitate to make any changes to my server's permissions just toget this user working again, when the issue is likely isolated to one user on one workstation.

-Yes, Win 8.1 Pro  
-Yes, Network discovery is ON
-Yes, File and Printer Sharing is ON

-First of two sfc /scannow 's  ...is running now

I'm gonna guess you want the results of the sfc /scannow's before I do anything else like delete the user and recreate him on this machine?
JohnBusiness Consultant (Owner)Commented:
After the tests above, then yes, try a different Windows User Account (create a new one) and test. Repeat the network tests for the new user.
Jarrod AdamsconsultantAuthor Commented:
1st scan done...message states Windows resource Protection found corrupt files but was unable to fix some of them. Details are included...in CBS.log
That log is 1.5MB file, 998 pages...anything specific I should look for?  I can attach the .pdf if you like
Jarrod AdamsconsultantAuthor Commented:
2nd sfc /scannow underway.  

just FYI...I'm going to be out for several hours soon, but will try to stay/keep posted. thanks for your quick responses thus far.
Jarrod AdamsconsultantAuthor Commented:
2nd sfc scannow done...2mb and 1254 pages...
Jarrod AdamsconsultantAuthor Commented:
Only 19,000 lines or so when viewed in XL.  
I'll check back late tonight.
JohnBusiness Consultant (Owner)Commented:
Let us know. SFC logs are not always conclusive (which is why I said run twice) and the logs are long and not helpful to pin point problems. But often SFC fixes things.

I have a Windows 8.1 Pro 64-bit ThinkPad and it talks reliably to Servers 2003, 2008 and 2012. So it should work for you.

Let us know about the new test user.
Jarrod AdamsconsultantAuthor Commented:
Sfc /scannow didn't change anything with regard to this user's shared file access from this computer.

Is there a way to reset the local group policy (I'm sure I am using the wrong terminology there)?

Considering changing the computer name and/or removing it from the domain and then rejoining. Any thoughts?
JohnBusiness Consultant (Owner)Commented:
Before removing from the domain, just try another user profile and see if that works.
Jarrod AdamsconsultantAuthor Commented:
Clarification needed...I've tried logging into the workstation under a different user profile, and sharing works properly for the other user.  
Is this what you are referring to, or do you want me to delete his user i.d. from this computer and recreate it to see if the recreated user i.d. responds properly to the shares?
JohnBusiness Consultant (Owner)Commented:
sharing works properly for the other user.    ....  Is this what you are referring to, or do you want me to delete his user i.d. from this computer and recreate it to see if the recreated user i.d.

Yes. If sharing works properly for the new user name, then backup the contents of the problem userid, delete it, and re-create it.  That will solve your problem.
Jarrod AdamsconsultantAuthor Commented:
OK thanks...I'll keep you posted.
Jarrod AdamsconsultantAuthor Commented:
Here's where I'm at...
I created a new user steven2, and tried to sign in with this user account.  I got an error that "The trust relationship between this workstation and the primary domain failed"

I CAN sign into steven2 from another win7 and win8.1 workstation on the network with no problem and access to shared server folders is as it should be with full control...

Side detail:
Our primary domain controller failed last week, and this newer server is our secondary domain controller.  The primary domain controller has been up under safe mode with networking and accessible and pingable, but obviously not an ideal situation.  I've been trying to get things backed up and transferred before complicating things with a server promotion. Maybe I should promote?
JohnBusiness Consultant (Owner)Commented:
I've been trying to get things backed up and transferred before complicating things with a server promotion. Maybe I should promote?

That certainly is new information. I cannot advise when you should do your server promotion within your overall plan, but it should probably be complete before troubleshooting this any further given the trust relationship error you got.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Jarrod AdamsconsultantAuthor Commented:
Yep, it was the server promotion that fixed it.  I really did not intend to bury the lead with this question but it turns out I did.
It was the old server causing a replication error. Why it only noticeably affected one user on one machine is anyone's guess. Maybe that's why I can love, and hate, them so much.

Turned off the old server and forcibly promoted the new one and demote/deleted the old and everything began to hum again.  I had to remove and rejoin the workstation to the domain in order to correct the computer conflict in active directory, but it immediately started to behave appropriately.
JohnBusiness Consultant (Owner)Commented:
Thanks for the update and I was happy to work with you on this.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.