TrevorWhite

User appears to have different file and folder permissions over VPN!!!

Hi Folks,
This has me stumped and I need to resolve before Monday.

I have a single Server 2012 R2 Essentials box (upgraded to Standard as we went over the 25 user count). It has an SSTP VPN service that has been operational for some time. We are about to apply some Security Groups to control how various teams and individuals access folders on the server. No problem, you would have thought.

Well, I have discovered that if a user (let's call her Vanessa) is logged in directly on the domain (on site through a PC) then my permissions are honored. If Vanessa logs into the domain (remote PC through a VPN) then the permissions are not honored.

So if I have a folder structure of \\Server\ShareName\Folder (E:\SharedFolders\Folder on local server) with permissions for CreatorOwner, System, a local Admin and Administrators Group. When Vanessa (Standard user) accesses \\Server\ShareName\Folder when logged in locally on the network, she is presented with the 'You don't have permissions . . .' message. Whereas if I log in as Vanessa from my PC over an SSTP VPN then I can access that folder.

Can anyone throw any light on this??
Does the VPN service use a proxy that needs to be set up to use the authenticating user's details?? All of the reading I have done so far says that the VPN authenticated user has the same permissions on the server as when authenticating locally.

Help . .  running out of time !!!!

Regards
VPN, Windows Server 2012, Active Directory

8/22/2022 - Mon
Ben Hart

You are correct, a user authenticating via VPN is treated identically to an in-house user.
This is only affecting a single user, right? If so, have you tried creating her a new account to see if the problem persists? Does it happen regardless of what Vanessa uses VPN on?
TrevorWhite

ASKER
Hi Ben,
No, the access can be repeated for other users defined in the AD of the host domain.
I have determined something else too since I posted earlier.

I was connecting by VPN from my PC, which is not a member of the domain. I connected with Vanessa's credentials (including domain) but my network is a different domain. I took one of the company laptops which is a member of the host domain and connected using that user's credentials (tested these before on my PC and could access the folder). When I connect from this PC the permissions are honored. This begs the question 'What permissions are in effect when a foreign PC connects to a domain host with correct domain credentials' ???

I could do with a means of determining what permissions are allowing me access to the folder. Whenever I try to look at effective permissions on my PC for access to a domain folder it says it cannot provide them.

Any help would be good, thanks

Regards
Ben Hart

Unless there are GPOs in the mix, the permissions applied using a non-domain-joined versus a domain-joined machine when using domain credentials should be the same.
Ben Hart

Oh wow, that was a lucky find on a seriously tricky issue.
TrevorWhite

ASKER
I'm not looking to award points to me, just want to close this question down properly.
The reason I was seeing access to the folder when I believed I should not have had access was because I had previously entered admin credentials for that domain, which had become stored in my Windows Password Vault. Removing these stopped the VPN access from accessing the folder.

All good.
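
The check implied by the resolution above, as an added example that is not part of the original thread: a PowerShell helper that parses `cmdkey /list` output and reports stored credentials that Windows would present to a given file server instead of the credentials used for the VPN logon. The function name, the server name `SERVER`, the domain `CONTOSO` and the sample entries are constructed, and the parser assumes English-locale `cmdkey` output.

```powershell
# Added example: list stored credentials that apply to one server.
# Find-StoredCredential is a hypothetical helper, not a built-in cmdlet.
function Find-StoredCredential {
    param([string]$Server, [string[]]$CmdkeyOutput)

    $found   = @()
    $current = $null
    foreach ($line in $CmdkeyOutput) {
        # e.g. "    Target: Domain:target=SERVER"
        if ($line -match '^\s*Target:\s*(?<kind>[^:]+):target=(?<target>.+?)\s*$') {
            $current = [pscustomobject]@{
                Target = $Matches.target
                Kind   = $Matches.kind
                User   = $null
            }
            $found += $current
        }
        # e.g. "    User: CONTOSO\Administrator"
        elseif ($current -and $line -match '^\s*User:\s*(?<user>.+?)\s*$') {
            $current.User = $Matches.user
        }
    }

    # Match the bare host name or its FQDN (SERVER or SERVER.domain.tld).
    $pattern = '^' + [regex]::Escape($Server) + '(\.|$)'
    $found | Where-Object { $_.Target -match $pattern }
}

# Constructed sample of `cmdkey /list` output (not captured from a real host).
$sample = @(
    'Currently stored credentials:', '',
    '    Target: Domain:target=SERVER',
    '    Type: Domain Password',
    '    User: CONTOSO\Administrator', '',
    '    Target: LegacyGeneric:target=git:https://example.invalid',
    '    Type: Generic',
    '    User: someone'
)
Find-StoredCredential -Server 'SERVER' -CmdkeyOutput $sample

# On the client itself:
#   Find-StoredCredential -Server 'SERVER' -CmdkeyOutput (cmdkey /list)
# Identity actually used by an open SMB session to the server:
#   Get-SmbConnection -ServerName 'SERVER' | Select-Object ServerName, ShareName, UserName
# Remove a stale stored entry, then reconnect to the share:
#   cmdkey /delete:SERVER
```

A stored entry whose `User` differs from the account being tested means share access is evaluated against that stored identity, so the ACL result on the server reflects the stored account and not the VPN user.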