I have a Win 2008 R2 Server set up as a Domain Controller. I have configured shared folders for each user (manual set up, as there are only 4 users). On each share, ownership of the folder has been assigned to the user and permissions on the folder and security for all files set for Full Control rights for the user. ICACLS confirms that for all files, the user has full control.
I have one user accessing his share from a Win 7 Pro machine that is not part of the domain, and so is connecting using the "Connect as another user" option (using his domain account). He can access some of the files, but on others receives an "Access denied" message.
My next move is to grant Everyone Full Control access to the files and just rely on the share permissions to limit access - please save me from this evil!
If you run AccessEnum against that user's shared folder, does it show any changes to permissions deeper in the hierarchy? By default this tool shows only files which have more lax permissions than the parent, so try going to Options → "File display options" and choosing "Display files with permissions that differ from parent".
At worst this will rule out any problems with ACLs on the file system; at best, it might uncover a file permissions problem that went unnoticed.
Although the user is not part of the domain, it does not preclude them for connecting to domain resources as "domain"\"account" (e.g. domain-name\user-account) - is that occurring?