Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!
User appears to have different file and folder permissions over VPN!!!
Hi Folks,
This has me stumped and I need to resolve before Monday.
I have a Single Server 2012 R2 Essentials box (upgraded to Standard as we went over the 25 user count) It has an SSTP VPN service that has been operational for some time. We are about to apply some Security Groups to control how various teams and individuals access folders on the server. No problem you would have thought.
Well I have discovered that if a user (Lets call her Vanessa) is logged in directly on the domain (on site through a PC) then my permissions are honored. If Vanessa logs into the domain (remote PC through a VPN) then the permissions are not honored.
So if I have a folder structure of \\Server\ShareName\Folder (E:\SharedFolders\Folder on local server) with permissions for CreatorOwner, System, a local Admin and Administrators Group. When Vanessa (Standard user) accesses \\Server\ShareName\Folder when logged in locally on the network, she is presented with the 'You don't have permissions . . .' message. Where as if I log in as Vanessa from my PC over an SSTP VPN then I can access that folder.
Can anyone through any light on this??
Does the VPN service use a proxy that needs to be setup to use the authenticating users details ?? All of the reading I have done so far says that the VPN authenticated user has the same permissions on the server as when authenticating locally.
Help . . running out of time !!!!
Regards
This has me stumped and I need to resolve before Monday.
I have a Single Server 2012 R2 Essentials box (upgraded to Standard as we went over the 25 user count) It has an SSTP VPN service that has been operational for some time. We are about to apply some Security Groups to control how various teams and individuals access folders on the server. No problem you would have thought.
Well I have discovered that if a user (Lets call her Vanessa) is logged in directly on the domain (on site through a PC) then my permissions are honored. If Vanessa logs into the domain (remote PC through a VPN) then the permissions are not honored.
So if I have a folder structure of \\Server\ShareName\Folder (E:\SharedFolders\Folder on local server) with permissions for CreatorOwner, System, a local Admin and Administrators Group. When Vanessa (Standard user) accesses \\Server\ShareName\Folder when logged in locally on the network, she is presented with the 'You don't have permissions . . .' message. Where as if I log in as Vanessa from my PC over an SSTP VPN then I can access that folder.
Can anyone through any light on this??
Does the VPN service use a proxy that needs to be setup to use the authenticating users details ?? All of the reading I have done so far says that the VPN authenticated user has the same permissions on the server as when authenticating locally.
Help . . running out of time !!!!
Regards
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
You are correct, a user authenticating via Vpn are treated identically to an in house user.
This is only affecting a single user right? If so have you tried creating her a new account and see if the problem persists? Does it happen regardless of what of Vanessa uses vpn on?
This is only affecting a single user right? If so have you tried creating her a new account and see if the problem persists? Does it happen regardless of what of Vanessa uses vpn on?
Hi Ben,
No the access can be repeated for other users defined in the AD of the host domain.
I have determined something else too since I posted earlier.
I was connecting by VPN from my PC which is not a member of the domain, I connected with Vanessa credentials (including domain) but my network is a different domain. I took one of the company laptops which is a member of the host domain and connected using that users credentials (tested these before on my PC and could access the folder) When I connect from this PC the permissions are honored. This begs the question 'What permissions are in effect when a foreign PC connects to a domain host with correct domain credentials' ???
I could do with a means of determining what permissions are allowing me access to the folder. When ever I try to look at effective permissions on my PC for access to a domain folder it says it cannot provide them.
Any help would be good, thanks
Regards
No the access can be repeated for other users defined in the AD of the host domain.
I have determined something else too since I posted earlier.
I was connecting by VPN from my PC which is not a member of the domain, I connected with Vanessa credentials (including domain) but my network is a different domain. I took one of the company laptops which is a member of the host domain and connected using that users credentials (tested these before on my PC and could access the folder) When I connect from this PC the permissions are honored. This begs the question 'What permissions are in effect when a foreign PC connects to a domain host with correct domain credentials' ???
I could do with a means of determining what permissions are allowing me access to the folder. When ever I try to look at effective permissions on my PC for access to a domain folder it says it cannot provide them.
Any help would be good, thanks
Regards
OK I have resolved this.
I had an entry in my local PC password vault for an Administrator on the host domain.
Silly really . . should have seen that.
I'll close this question.
I had an entry in my local PC password vault for an Administrator on the host domain.
Silly really . . should have seen that.
I'll close this question.
Unless there are gpos in the mix, the permissions applied using a non domain joined versus domain joined when using domain credentials should be the same.
I'm not looking to award points to me, just want to close this question down properly.
The reason I was seeing access to the folder when I believed I should not have had access was because I had previously entered admin credentials for that domain which had become stored in my Windows Password Vault. Removing these stopped the VPN access from access the folder.
All good.
The reason I was seeing access to the folder when I believed I should not have had access was because I had previously entered admin credentials for that domain which had become stored in my Windows Password Vault. Removing these stopped the VPN access from access the folder.
All good.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial