Saturday, January 29, 2011

Can't access windows share when in security group assigned to share

I'm a bit stumped on this one.

I created a security group in AD called "special data users" and added myself to it.

I then created a share on a server and gave that AD security group full access to the share.

If I try to access the share I cannot and get a permission denied error.

If I add my user account directly to the share or add a different security group that's been around for years that I'm a member of it works fine.

Any tips or suggestions on what to look for why this new group doesn't work would be appreciated. I've looked high and low and can't figure out why any new security group created doesn't work...

Thanks!

  • I'm not sure this would be your problem, but I've been burnt by it in the past. How many groups (including nested groups) is your account a member of? You may have just passed an AD limitation. There is a limitation on group memberships due to the Kerberos ticket size in AD. Here's more reading from TechNet on some AD limitations. Check out info under the Group Memberships for Security Principals heading.

    To check if this might be the case, create a new account and add it to your new group and see if that account can access the share.

    From squillman
  • Make sure that you've assigned read permissions to that "Special Data User" both on the Security tab and in Sharing -> Permissions.

    Also you need to re-login once you have added a user to a new group.

    From Regent
  • I recommend you set up share permissions as follows to avoid confusion:

    On the share permissions themselves:

    DOMAIN ADMINS = Full Control

    Everyone = Write/Read

    Then on the NTFS security permissions:

    DOMAIN ADMINS = Full Control

    and then set the NTFS security for others based on need.

    By doing that you will avoid problems with share permissions overriding NTFS permissions.

    Tubs : It would be better to use "Authenticated Users" instead of "Everyone".
    TheCleaner : @Tubs - It's theoretically the same thing ever since XP and 2003...see here: http://support.microsoft.com/kb/278259
    From TheCleaner
  • What type of Group have you created? It does make a difference if they are Domain Local, Global or Universal.

    AlanBarber : It is a global security group
    Tubs : Try it as a Universal security group and see if that works.
    From Tubs
  • When you added yourself to the group, did you log out of your workstation and log back in? Security Group membership is a component of the access token granted to your user ID at logon and changing group membership requires a log out and log in in order to get a new access token that reflects the new membership.

    From joeqwerty
  • Alan,

    You have to logoff and log back on again as Joe and Regent have indicated.

    -ASB
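
The answers above point at the access token built at logon and at the number of groups it carries. As an added example (not part of the thread), this PowerShell function compares the group SIDs in the current token with the ones the domain controller computes for the account now. `Test-GroupInToken` is a hypothetical name; it assumes a domain-joined workstation and is run as the affected user.

```powershell
# Added example, not from the thread. Test-GroupInToken is a hypothetical helper name.
function Test-GroupInToken {
    param([string]$GroupName = 'special data users')  # group name from the question

    # Resolve the group name to its SID in the user's logon domain.
    $account  = New-Object System.Security.Principal.NTAccount($env:USERDOMAIN, $GroupName)
    $groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Group SIDs carried by the access token that was built at logon.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

    # Group SIDs the domain controller computes for the account right now.
    # tokenGroups is a constructed attribute that expands nested security groups.
    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
    $entry    = $searcher.FindOne().GetDirectoryEntry()
    $entry.psbase.RefreshCache(@('tokenGroups'))
    $directorySids = @($entry.psbase.Properties['tokenGroups'] | ForEach-Object {
        (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value
    })

    $inToken     = $tokenSids -contains $groupSid
    $inDirectory = $directorySids -contains $groupSid

    $verdict = if ($inDirectory -and -not $inToken) {
        'Stale token: log off and log back on to pick up the new membership.'
    } elseif (-not $inDirectory) {
        'The directory does not list this account as a member of the group.'
    } else {
        'Token already contains the group; check the share and NTFS permissions.'
    }

    [pscustomobject]@{
        Group           = $GroupName
        GroupSid        = $groupSid
        InCurrentToken  = $inToken
        InDirectory     = $inDirectory
        TokenGroupCount = $tokenSids.Count   # compare against the AD group membership limit
        Verdict         = $verdict
    }
}

Test-GroupInToken | Format-List
```

`whoami /groups` prints the same token contents if you only need a quick look.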
