User appears to have different file and folder permissions over VPN!!!

Hi Folks,
This has me stumped and I need to resolve before Monday.

I have a Single Server 2012 R2 Essentials box (upgraded to Standard as we went over the 25 user count) It has an SSTP VPN service that has been operational for some time. We are about to apply some Security Groups to control how various teams and individuals access folders on the server. No problem you would have thought.

Well I have discovered that if a user (Lets call her Vanessa) is logged in directly on the domain (on site through a PC)  then my permissions are honored. If Vanessa logs into the domain (remote PC through a VPN) then the permissions are not honored.

So if I have a folder structure of \\Server\ShareName\Folder (E:\SharedFolders\Folder on local server) with permissions for CreatorOwner, System, a local Admin and Administrators Group. When Vanessa (Standard user) accesses \\Server\ShareName\Folder when logged in locally on the network, she is presented with the 'You don't have permissions . . .' message. Where as if I log in as Vanessa from my PC over an SSTP VPN then I can access that folder.

Can anyone through any light on this??
Does the VPN service use a proxy that needs to be setup to use the authenticating users details ?? All of the reading I have done so far says that the VPN authenticated user has the same permissions on the server as when authenticating locally.

Help . .  running out of time !!!!

Regards
TrevorWhiteIT ConsultantAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ben HartCommented:
You are correct, a user authenticating via Vpn are treated identically to an in house user.
This is only affecting a single user right? If so have you tried creating her a new account and see if the problem persists? Does it happen regardless of what of Vanessa uses vpn on?
TrevorWhiteIT ConsultantAuthor Commented:
Hi Ben,
No the access can be repeated for other users defined in the AD of the host domain.
I have determined something else too since I posted earlier.

I was connecting by VPN from my PC which is not a member of the domain, I connected with Vanessa credentials (including domain) but my network is a different domain. I took one of the company laptops which is a member of the host domain and connected using that users credentials (tested these before on my PC and could access the folder) When I connect from this PC the permissions are honored. This begs the question 'What permissions are in effect when a foreign PC connects to a domain host with correct domain credentials' ???

I could do with a means of determining what permissions are allowing me access to the folder. When ever I try to look at effective permissions on my PC for access to a domain folder it says it cannot provide them.

Any help would be good, thanks

Regards
TrevorWhiteIT ConsultantAuthor Commented:
OK I have resolved this.
I had an entry in my local PC password vault for an Administrator on the host domain.
Silly really . .  should have seen that.

I'll close this question.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Your Guide to Achieving IT Business Success

The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.

Ben HartCommented:
Unless there are gpos in the mix, the permissions applied using a non domain joined versus domain joined when using domain credentials should be the same.
Ben HartCommented:
Oh wow that was a lucky find on a seriously tricky issue.
TrevorWhiteIT ConsultantAuthor Commented:
I'm not looking to award points to me, just want to close this question down properly.
The reason I was seeing access to the folder when I believed I should not have had access was because I had previously entered admin credentials for that domain which had become stored in my Windows Password Vault. Removing these stopped the VPN access from access the folder.

All good.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VPN

From novice to tech pro — start learning today.