Server is Win 2008r2, non-domain.
Client is Windows 7.
User XYZ on client has matching account on server in group Users.
Credentials for server account for XYZ are stored in credential manager on client.
Server has Drive X: and the entire drive is shared as SHARE1. Under Sharing, user XYZ is explicitly included in users for SHARE1. Under Security, Group "Everyone" has Read/Execute rights. Group "Users (server/users)" has Full Control. Client can automatically log in to \\server and access \\server\SHARE1 using stored credentials.
My expectation is that since XYZ is a member of group Users on the server, accessing SHARE1 from the client machine would have Full Control permissions. The actual result is that user XYZ has only Read/Execute permissions (presumably from the Everyone group), and has Access Denied when trying to write.
What am I missing? What tools can I use to diagnose this type of problem?
When accessing shared folders over the network, the combination of Share and NTFS permissions governs what level of access the user will have to the files and folders within the Share. The most restrictive permissions "win".
In your case, the Share permissions are Read and Execute. These are the more restrictive of the Share and NTFS permissions combination and therefore are the "winning" permissions and govern what level of access the user has to the files and folders within the Share.
The easiest solution is to set the Share permissions to Full Control for your users/groups and then govern access with the NTFS permissions.
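The rule described in this answer, as an added example that is not part of the original post: a simplified Python model that computes what each layer grants and reports which layer blocks a write. It assumes the share entry for XYZ is Read (the question does not state the level), uses `SERVER\XYZ` and `SERVER\Users` as placeholder account names, and treats each ACL as "union of allows minus denies", which ignores ACE ordering.

```python
# Simplified model; ACL contents are constructed from the scenario in the question.
READ = 0x1200A9    # Read (share level) / Read & execute (NTFS)
FULL = 0x1F01FF    # Full Control
WRITE_DATA = 0x2   # FILE_WRITE_DATA bit, required to write to a file

def granted(acl, sids):
    """Access one ACL gives a token: allows for any matching SID, minus denies."""
    allow = deny = 0
    for ace_type, trustee, mask in acl:
        if trustee not in sids:
            continue
        if ace_type == "deny":
            deny |= mask
        else:
            allow |= mask
    return allow & ~deny

def effective(share_acl, ntfs_acl, sids):
    """Over the network a right must be granted by BOTH layers (intersection)."""
    return granted(share_acl, sids) & granted(ntfs_acl, sids)

def limiting_layers(share_acl, ntfs_acl, sids, wanted):
    """Names of the layers that fail to grant every bit in `wanted`."""
    layers = (("share", share_acl), ("ntfs", ntfs_acl))
    return [name for name, acl in layers
            if granted(acl, sids) & wanted != wanted]

# Identities in XYZ's logon token on the server (assumed names).
TOKEN = {r"SERVER\XYZ", r"SERVER\Users", "Everyone"}

# Share permissions (Sharing tab): XYZ listed explicitly, assumed Read.
SHARE_ACL = [("allow", r"SERVER\XYZ", READ)]
# NTFS permissions (Security tab), as given in the question.
NTFS_ACL = [("allow", "Everyone", READ), ("allow", r"SERVER\Users", FULL)]
# The suggested fix: Full Control at the share, NTFS left to do the restricting.
FIXED_SHARE_ACL = [("allow", r"SERVER\XYZ", FULL)]

if __name__ == "__main__":
    for label, share in (("before", SHARE_ACL), ("after", FIXED_SHARE_ACL)):
        eff = effective(share, NTFS_ACL, TOKEN)
        blocked = limiting_layers(share, NTFS_ACL, TOKEN, WRITE_DATA)
        print(f"{label}: effective=0x{eff:06X} write blocked by {blocked or 'nothing'}")
```

NTFS alone grants Full Control here through the Users group, so the Read-only result comes entirely from the share layer.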