Home / server / Questions / 171130
Accepted
Eric
Asked: 2010-08-17 10:53:41 +0800 CST

Win2003 Folder sharing : Group permissions not working while user permissions work

  • 772

I'm very new to windows server. I'm a software engineer but since we don't have a real sysadmin I'm supposed to figure out everything that is slightly computer related (you know how it is...).

I need to set permissions for a group on a specified folder. It works for a single user. I set both the sharing and security permissions for the user and only this user can access the folder. I'd like to manage multiple users with groups instead of adding each user individualy.

So I fire up Active Directory Users and Computers console, Create a group then drag all the wanted users in the group. The "Members" tab shows everyone correctly.

I try to repeat the steps where I add the users to the folder permission/security but the users can't access it. When a user, member of the group, on a remote machine, tries to access the folder, it says that the user does not have the permission to access that folder.

Edit :

There is no sharing permission/ntfs security setting to deny anywhere for that folder.
In sharing permissions there is my new group and the original owner of the folder (single user). In the security tab there are the default users/groups

  • Administrators
  • USers
  • CREATOR OWNER
  • SYSTEM

Also there are the original owner and my new group

windows-server-2003 network-share security file-sharing permissions

3 Answers

  1. Best Answer

    Presumably you're not playing around with "Deny" entries and you're just adding permissive "XXX Group / Read and Execute" type permissions (or something similar). If you are playing around with "Deny" permissions, stop doing so. Concentrate on granting permission to the resource. Anyone not named in the permission is implicitly denied access, so you don't need to put in any "Deny" entries (except in corner-cases which, typically, aries because of bad folder hierarchy and permission design).

    After you've added the user to the group you'll need them to logoff and logon again for the updated group membership to take effect. Have you had the affected do that?

    It's not necessary to have them logoff and logon again when you change the permissions, but the user's group membership list is only built at logon.

    • 2

  2. I'm going to suggest the obvious answers/things to test first, because you don't specify them.

    • What other permissions are present on this resource when you do the test with a group?
    • You're not leaving the user's entries in place but switching them to deny, are you?

    The reason I ask is that a deny, for example, would always overrule an allowed access.

    • 1

  3. Four things.

    1. Double check your share permissions, in addition to your NTFS permissions. If people are logging in remotely the FIRST place they will run into authorization problems is in the share permissions.
    2. Have you tried using the "Effective Permissions" tab in the Advanced section of the security setup? This can be a helpful tool for diagnosing these kinds of problems.
    3. Have you given time for replication to take place? This may not matter if you are in a sufficiently small AD environment, but strange things can appear to happen if you are making changes on one DC and the users are authentication off a different one.
    4. Users need to log off of the domain and then back in again in order to pick up the new group membership. In most cases this will actually involve logging all the way off of their computers in order to get a new access token.
    • 1