The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.
User appears to have different file and folder permissions over VPN!!!
Hi Folks,
This has me stumped and I need to resolve before Monday.
I have a Single Server 2012 R2 Essentials box (upgraded to Standard as we went over the 25 user count) It has an SSTP VPN service that has been operational for some time. We are about to apply some Security Groups to control how various teams and individuals access folders on the server. No problem you would have thought.
Well I have discovered that if a user (Lets call her Vanessa) is logged in directly on the domain (on site through a PC) then my permissions are honored. If Vanessa logs into the domain (remote PC through a VPN) then the permissions are not honored.
So if I have a folder structure of \\Server\ShareName\Folder (E:\SharedFolders\Folder on local server) with permissions for CreatorOwner, System, a local Admin and Administrators Group. When Vanessa (Standard user) accesses \\Server\ShareName\Folder when logged in locally on the network, she is presented with the 'You don't have permissions . . .' message. Where as if I log in as Vanessa from my PC over an SSTP VPN then I can access that folder.
Can anyone through any light on this??
Does the VPN service use a proxy that needs to be setup to use the authenticating users details ?? All of the reading I have done so far says that the VPN authenticated user has the same permissions on the server as when authenticating locally.
Help . . running out of time !!!!
Regards
This has me stumped and I need to resolve before Monday.
I have a Single Server 2012 R2 Essentials box (upgraded to Standard as we went over the 25 user count) It has an SSTP VPN service that has been operational for some time. We are about to apply some Security Groups to control how various teams and individuals access folders on the server. No problem you would have thought.
Well I have discovered that if a user (Lets call her Vanessa) is logged in directly on the domain (on site through a PC) then my permissions are honored. If Vanessa logs into the domain (remote PC through a VPN) then the permissions are not honored.
So if I have a folder structure of \\Server\ShareName\Folder (E:\SharedFolders\Folder on local server) with permissions for CreatorOwner, System, a local Admin and Administrators Group. When Vanessa (Standard user) accesses \\Server\ShareName\Folder when logged in locally on the network, she is presented with the 'You don't have permissions . . .' message. Where as if I log in as Vanessa from my PC over an SSTP VPN then I can access that folder.
Can anyone through any light on this??
Does the VPN service use a proxy that needs to be setup to use the authenticating users details ?? All of the reading I have done so far says that the VPN authenticated user has the same permissions on the server as when authenticating locally.
Help . . running out of time !!!!
Regards
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Hi Ben,
No the access can be repeated for other users defined in the AD of the host domain.
I have determined something else too since I posted earlier.
I was connecting by VPN from my PC which is not a member of the domain, I connected with Vanessa credentials (including domain) but my network is a different domain. I took one of the company laptops which is a member of the host domain and connected using that users credentials (tested these before on my PC and could access the folder) When I connect from this PC the permissions are honored. This begs the question 'What permissions are in effect when a foreign PC connects to a domain host with correct domain credentials' ???
I could do with a means of determining what permissions are allowing me access to the folder. When ever I try to look at effective permissions on my PC for access to a domain folder it says it cannot provide them.
Any help would be good, thanks
Regards
No the access can be repeated for other users defined in the AD of the host domain.
I have determined something else too since I posted earlier.
I was connecting by VPN from my PC which is not a member of the domain, I connected with Vanessa credentials (including domain) but my network is a different domain. I took one of the company laptops which is a member of the host domain and connected using that users credentials (tested these before on my PC and could access the folder) When I connect from this PC the permissions are honored. This begs the question 'What permissions are in effect when a foreign PC connects to a domain host with correct domain credentials' ???
I could do with a means of determining what permissions are allowing me access to the folder. When ever I try to look at effective permissions on my PC for access to a domain folder it says it cannot provide them.
Any help would be good, thanks
Regards
OK I have resolved this.
I had an entry in my local PC password vault for an Administrator on the host domain.
Silly really . . should have seen that.
I'll close this question.
I had an entry in my local PC password vault for an Administrator on the host domain.
Silly really . . should have seen that.
I'll close this question.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
Unless there are gpos in the mix, the permissions applied using a non domain joined versus domain joined when using domain credentials should be the same.
I'm not looking to award points to me, just want to close this question down properly.
The reason I was seeing access to the folder when I believed I should not have had access was because I had previously entered admin credentials for that domain which had become stored in my Windows Password Vault. Removing these stopped the VPN access from access the folder.
All good.
The reason I was seeing access to the folder when I believed I should not have had access was because I had previously entered admin credentials for that domain which had become stored in my Windows Password Vault. Removing these stopped the VPN access from access the folder.
All good.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VPN
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
This is only affecting a single user right? If so have you tried creating her a new account and see if the problem persists? Does it happen regardless of what of Vanessa uses vpn on?