Win Server Security: Why do members of a group not get access when the Group has permission?

5,728

At a guess, I would say that group membership hasn't been established yet.

When you establish an SMB connection with a server, that's when the server determines which groups you are a part of. Changes to group membership won't take effect until the SMB connection is reset. Use the whoami tool to verify this.

> whoami /groups

You can get a list of open sessions using the Share and Storage Management administrative tool, and you can even close an SMB session right there, which makes testing much faster.

Update: It is usually a good idea to only assign permissions at the NTFS level. Try changing your share permissions to allow "Full Control" for "Everyone" to eliminate one possible cause.
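The check described above can be scripted. The following is an added example, not part of the original answer: it compares the SIDs in the current logon token (what `whoami /groups` shows) with the NTFS ACEs on a folder. The folder path is a placeholder, and the script inspects the token of the process it runs in, so run it in the affected user's session.

```powershell
# Added example: compare the SIDs in the current logon token with the ACEs
# on a folder. $Path is a placeholder; point it at the folder in question.
param([string]$Path = 'C:\Data\Shared')

$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# User SID plus the group SIDs enabled in this token. Groups added after the
# token was created (logon / SMB session setup) are absent, and groups marked
# deny-only in the token are not returned by the Groups property.
$tokenSids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

# Ask for the rules with SIDs as trustees so the comparison is exact.
$sidType = [System.Security.Principal.SecurityIdentifier]
$rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)

$report = foreach ($ace in $rules) {
    $sid = $ace.IdentityReference.Value
    try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid }   # orphaned SID: show it raw

    # Inherit-only ACEs are passed to children but do not apply to $Path itself.
    $inheritOnly = [bool]($ace.PropagationFlags -band
        [System.Security.AccessControl.PropagationFlags]::InheritOnly)

    New-Object PSObject -Property @{
        Trustee     = $name
        Type        = $ace.AccessControlType
        Rights      = $ace.FileSystemRights
        InToken     = ($tokenSids -contains $sid)
        AppliesHere = -not $inheritOnly
    }
}

$report | Format-Table Trustee, Type, Rights, InToken, AppliesHere -AutoSize

# An Allow ACE only helps if its trustee is in the token and it applies here.
$usable = @($report | Where-Object { $_.InToken -and $_.AppliesHere -and $_.Type -eq 'Allow' })
if ($usable.Count -eq 0) {
    Write-Warning "No Allow ACE on '$Path' matches a SID in the current token."
}
```

A group that has an ACE on the folder but shows `InToken = False` is one the current token does not carry, which is the situation the answer describes for a session that predates the membership change.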


Author: Russ

Updated on September 17, 2022

Comments

  • Russ
    Russ over 1 year

    Environment: No Active Directory and no Domain Controller. Server is Win 2008

    I have a directory with only ALLOW permissions set (no DENY permission) and no inherited permissions. I have two groups (Administrators and CoOwners) set to Full control. However, the members of that group are not able to view/modify the folder.

    If I explicitly add the 'Administrator' with full permissions, for example, then that user can access/modify fine. Why isn't giving the GROUP permission giving the members of that group the access I would expect?

    Any input/suggestions are appreciated.

    • Nic
      Nic about 13 years
      Are you testing this over the network or from an interactive logon?
    • Zoredache
      Zoredache about 13 years
      In your testing, I am guessing you added users to the CoOwners group? Did you log out and log in again? Group membership is only checked when the user first logs in / connects.
    • Russ
      Russ about 13 years
      Login/logout from what? Reboot the server (ugh) or the machine I'm trying to access from (Server or Win7 or XP)?
    • John Gardeniers
      John Gardeniers about 13 years
      What are the permissions on the parent folders? Are these users or groups permitted to traverse the tree to reach the target?
    • Nic
      Nic about 13 years
      Russ, can you post screenshots of your share permissions and NTFS permissions on the shared folder? (And regarding the comment by Zoredache, rebooting either the client OR server should do the trick.)
    • Russ
      Russ about 13 years
      @Zoredache: Yes, I have logged out and logged in again to the server. Note that I am doing this via RDC and not local. @John: Well, all folders have full access to ADMINISTRATORS by default and I have confirmed this. @Nic: For the screenshots, you would end up needing a few, right? This folder, the parent folder, Administrators group, etc. If this is required, I'll have to edit each screenshot to blur names, etc.
  • ErnieTheGeek
    ErnieTheGeek about 13 years
    Less emoticons and more answer in the future.
  • Nic
    Nic about 13 years
    I'm sorry, this is incorrect. Not all operating systems have group policy; maybe you're thinking of ACLs? Top level permissions will apply to the descendants when inheritance is enabled, but they never "override" lower levels.
  • Hasan Manzak
    Hasan Manzak about 13 years
    I was talking about Windows operating systems. Was I wrong? Actually, yes, sorry; advanced security options came with NTFS and my assumption covers Win2k and after. And by top-level, I must have written it upside-down; I was mentioning not base but derived policies. Like, if a "group" policy is low-level, a "user" policy will be top-level (and this should be reversed if I'm wrong). So if there is no ownership and no specific permission, the policy will be 'deny' by default, right? So this is my base (low level). And if I enter a user right (this is my top level), it overrides the base and runs the actual user right, right?
  • Russ
    Russ about 13 years
    I am using Win Server 2008. I wonder if there is any conflict between 'Permissions' and 'Sharing options'. Both are only trying to give access to the folder to Administrators and CoOwners. Note that I am accessing the WinServer2008 shared folder from the WinServer2008 machine, a Win7 machine, and an XP machine.
  • hmallett
    hmallett about 13 years
    Not a clear answer, though I do like the idea of "lover-level policies". @ErnieTheGeek, you mean "fewer emoticons", not "less emoticons". ;)
  • Nic
    Nic about 13 years
    If you've set up the ACL on your shared folder so that "CoOwners" has full control, then you want to make sure that "CoOwners" also appears in whoami.
  • ErnieTheGeek
    ErnieTheGeek about 13 years
    @hmallett: Too right, I do mean fewer, darn grammar nazi :P. @Russ: I generally configure the share permissions to give everyone full access and customize the NTFS permissions to restrict/allow access.
  • Russ
    Russ about 13 years
    Hmm..that's an interesting point. I have the share permissions only allowing access to the defined group...not 'everyone'. Is this a common approach? Setting all shares to everyone and control access via NTFS permissions? My problem may lie in this area.