Weird File Share Issue

  • Last Post 13 January 2020
webster posted this 07 January 2020

Windows Server 2012 R2 file server
Forest/Domain mode Server 2008 R2
There is a Forest Trust in place, but I don't think it is relevant to this issue.

Create a share on the file server "share name"
Give Everyone FC to the share
Give an AD security group FC to NTFS permissions

A user in the security group attempts to access the share "\server\share name" (yes a space) and gets access denied. [I also tested with a share name with no spaces, and have the same access issue.]

Give a regular user account (who is in the security group) FC to NTFS permissions and they can access the share.

When viewing Effective Access for the security group on the share, it shows all permissions as Access limited by the Share.

Adding the user account with FC to the share and Effective Access shows all permissions with a green checkmark.

Adding the security group to the Share permissions with FC makes no difference.

Any ideas why adding a security group to NTFS permissions doesn't allow access and shows access is limited by the Share?

Thanks

Carl Webster

webster posted this 07 January 2020

Access-based Enumeration is not enabled.

There are no users from the trusted forest in the security group used for access.

 



Thanks

Carl Webster

kurtbuff posted this 07 January 2020

No deny ACEs anywhere?
That's all I can think of.
Kurt



webster posted this 07 January 2020

Nope, no Denys.

 

Thanks

Carl Webster

barkills posted this 07 January 2020

Logon over the network user right on the file server?

 


webster posted this 07 January 2020

Computer Configuration/Windows Settings/Security Setting/Local Policies/User Rights Assignment/Access this computer from the network: Everyone,Administrators,Users

 

Deny access to this computer from the network: blank

 



Thanks

Carl Webster

hcoleman posted this 07 January 2020

Does it make a difference if the group is a local group on the file server instead of a domain group? Wondering if the file server’s computer object has rights to enumerate the domain group membership.

 


rwilper posted this 07 January 2020

Have you tried “Authenticated Users” instead of “Everyone”?

-Ross

webster posted this 07 January 2020

Yes.

 



Thanks

Carl Webster

PARRIS posted this 07 January 2020

Is it the only security group on the share?




Are you suffering from non-canonical ordering and hitting a deny in the group that is not applied as a user?












Regards,

Mark Parris

webster posted this 07 January 2020

It is the only security group in the share's NTFS permissions.

 



Thanks

Carl Webster

gazzadownunder posted this 07 January 2020

Are you using a DNS CNAME as the server name?

webster posted this 07 January 2020

No. Just verified it is a plain ole A record.

 

Thanks

Carl Webster

gazzadownunder posted this 07 January 2020

Is the user in the same domain as the file server, and the security group type, i.e. dl/g?

webster posted this 07 January 2020

Yes, the security group is a global group and contains no members from the trusted forest.

 

Thanks

Carl Webster

gazzadownunder posted this 07 January 2020

If you add rights for an admin user of the server to the share and NTFS permissions, can they access the share?
Might be worth looking at https://nettools.net/unc-check/, it might help identify what is failing.

webster posted this 07 January 2020

If we add a non-admin user directly to NTFS permissions, that user can access the share. That user's account is also in the security group.

 

I will check out that tool.

 

Thanks

Carl Webster

webster posted this 07 January 2020

UNC Check reports no issues.

 

Thanks

Carl Webster

gazzadownunder posted this 07 January 2020

It sounds like the group membership change is not being reflected in the user's access token. You can use whoami /groups when logged on as the user to display the user's access token; note they will need to log off and back on to pick up the group change.
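The token check suggested above and the earlier deny-ACE and canonical-ordering questions can be combined into one script, shown here as an added example that is not part of any post in this thread. `$Path` and `$GroupName` are placeholders (assumptions); the script reads only the NTFS ACL, not the share permissions, and is meant to be run as the affected user.

```powershell
# Added example: run in a PowerShell session as the affected user.
# $Path and $GroupName are placeholders (assumptions), not values from the thread.
param(
    [string]$Path      = '\\server\share name',
    [string]$GroupName = 'EXAMPLE\FileShareUsers'
)

$sidType = [System.Security.Principal.SecurityIdentifier]

# Resolve the group name to its SID.
$groupSid = ([System.Security.Principal.NTAccount]$GroupName).Translate($sidType).Value

# SIDs in the current logon token: the same data "whoami /groups" prints.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

if ($tokenSids -contains $groupSid) {
    "Token contains $GroupName ($groupSid)."
} else {
    "Token does NOT contain $GroupName ($groupSid): log off and on again, then re-test."
}

# Read the NTFS ACL; this needs READ_CONTROL on the folder and can itself be denied.
try {
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
} catch {
    "Cannot read the ACL on $Path as $($identity.Name): $($_.Exception.Message)"
    return
}

# Non-canonical ordering can let an ACE take effect out of the expected order.
"ACL in canonical order: $($acl.AreAccessRulesCanonical)"

# List every ACE (explicit and inherited) by SID and flag those matching the token.
$acl.GetAccessRules($true, $true, $sidType) | ForEach-Object {
    [pscustomobject]@{
        Sid       = $_.IdentityReference.Value
        Type      = $_.AccessControlType      # Allow or Deny
        Rights    = $_.FileSystemRights
        Inherited = $_.IsInherited
        InToken   = $tokenSids -contains $_.IdentityReference.Value
    }
} | Format-Table -AutoSize
```

An Allow ACE for the group with `InToken` False points at a stale token; a Deny ACE with `InToken` True points at the ACL itself.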

gazzadownunder posted this 07 January 2020

Yep, this is weird, if the unc check passed, running in the context of the user from a remote machine and with the permissions granted via the group, weird! This would indicate that the share permissions are working.
The unc check only does an enum of the specified directory, it doesn't try to open any of the files in the share/directory. Do the users get the access denied error when opening a file or just listing the contents of the share?

webster posted this 08 January 2020

Start Run or Windows Explorer, \server\share name, boom, access denied.

Thanks

Carl Webster
Citrix Technology Professional Fellow | IGEL Tech Community Insider | Parallels VIPP
http://www.CarlWebster.com
The Accidental Citrix Admin