Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

I need to find out what effective permissions have been applied to a share on my sbs 2008 server

Posted on 2016-11-08
7
Medium Priority
?
78 Views
Last Modified: 2016-11-12
In AD .

I have a company\partner  share .  
I have assigned 3 users to a group called partners
I have given the group full rights to partner share
but when I try to access the share as one of the users
I am getting a message saying I do not have permission to access .
I am not sure if another admin has setup permissions separately which is more restrictive .
This was working a few days ago .
How do I check this ?
When I checked the share from the server
under security the users are given rights to the share individually AND the partner group there of which they are members
why isnt it giving the correct permissions ?
Can AD be malfunctioning ? How can I check ?
0
Comment
Question by:Andre P
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 41879899
Access to a share is controlled by two things. Share permissions and NTFS permissions. The most restrictive permissions apply. I follow the old proactive of having everyone full permissions on the share, and then set the effective permissions via NTFS.

Here's how to set/check NTFS permissions.

http://www.ntfs.com/ntfs-permissions-setting.htm
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 41879916
Have you added partner group "Modify" share permissions on sharing tab, else this is what expected
0
 

Author Comment

by:Andre P
ID: 41879954
It has full permissions .
so does the permissions on the directory. .what could over write that and give me access denied message when logging in as a member of partner share ?
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 37

Expert Comment

by:Mahesh
ID: 41879960
how you are trying to access share with member of partner group?

Are you logging on to workstation with account having partner group membership?

What is happening in that case?
Because you have added partner group on share tab and individual user on NTFS tab

Also try adding partner group on NTFS tab with required permissions

also logon to server with account having local admin member and check partner group and it members for effective access from shared folder NTFS permissions\advanced properties\effective access tab

If wanted, to you may take folder ownership for admin ID and then remove and add partner group again on share and NTFS tabs with required permissions
You can use MS tool called Subinacl to take folder ownership without destroying existing folder permissions
Check below article for Subinacl commands
https://www.experts-exchange.com/articles/17526/Windows-File-Server-Folder-ownership-problems-and-resolution.html
0
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 750 total points
ID: 41879999
Three things:
1 NTFS permissions can be read out (and published here) using
icacls c:\yourfolder
2 share permissions like this:
net share yoursharenamehere
->Publish the output of both here.
3 "Share permissions and NTFS permissions - The most restrictive permissions apply" is not entirely correct. It is mostly correct, but it has exceptions, please see https://www.experts-exchange.com/questions/22108365/NTFS-and-share-permissions-I-found-a-difference-where-there-should-not-be-any.html
0
 
LVL 30

Accepted Solution

by:
Thomas Zucker-Scharff earned 750 total points
ID: 41882652
Netwrix has a free tool to check permissions (https://www.netwrix.com/netwrix_effective_permissions_reporting_tool.html).
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41884522
Andre, please report what you achieved with the netwrix tool and if it can really provide the same info as the commands I listed.
Also, I wonder if it notices the "exception to the rule" which I also linked. I guess I'll have to try it.
0

Featured Post

Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What's worse than having your data encrypted by ransomware? Getting attacked by a so-called "wiper," which simply destroys the data and offers you no hope of ever seeing it again.
How does someone stay on the right and legal side of the hacking world?
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question