Weird File Share Issue

  • Last Post 13 January 2020
webster posted this 07 January 2020

Windows Server 2012 R2 file server
Forest/Domain mode Server 2008 R2
There is a Forest Trust in place, but I don't think it is relevant to this issue.

Create a share on the file server "share name"
Give Everyone FC to the share
Give an AD security group FC to NTFS permissions

A user in the security group attempts to access the share "\\server\share name" (yes a space) and gets access denied. [I also tested with a share name with no spaces, and have the same access issue.]

Give a regular user account (who is in the security group) FC to NTFS permissions and they can access the share.

When viewing Effective Access for the security group on the share, it shows all permissions as Access limited by the Share.

Adding the user account with FC to the share and Effective Access shows all permissions with a green checkmark.

Adding the security group to the Share permissions with FC makes no difference.

Any ideas why adding a security group to NTFS permissions doesn't allow access and shows access is limited by the Share?

Thanks

Carl Webster

webster posted this 07 January 2020

Access-based Enumeration is not enabled.

There are no users from the trusted forest in the security group used for access.

 



Thanks

Carl Webster

kurtbuff posted this 07 January 2020

No deny ACEs anywhere?
That's all I can think of.
Kurt



webster posted this 07 January 2020

Nope, no Denys.

 

Thanks

Carl Webster

barkills posted this 07 January 2020

Logon over the network user right on the file server?

 


webster posted this 07 January 2020

Computer Configuration/Windows Settings/Security Setting/Local Policies/User Rights Assignment/Access this computer from the network: Everyone,Administrators,Users

 

Deny access to this computer from the network: blank

 



Thanks

Carl Webster

hcoleman posted this 07 January 2020

Does it make a difference if the group is a local group on the file server instead of a domain group? Wondering if the file server’s computer object has rights to enumerate the domain group membership.

 


rwilper posted this 07 January 2020

Have you tried “Authenticated Users” instead of “Everyone”?

-Ross

webster posted this 07 January 2020

Yes.

 



Thanks

Carl Webster

PARRIS posted this 07 January 2020

Is it the only security group on the share?

Are you suffering from non-canonical ordering and hitting a deny in the group that is not applied as a user?

Regards,

Mark

Mark Parris
BSc (Hons) | MBCS | MCMI, fCMgr.
Identity & Technology Management
Mobile: +44 7801 690596
E-mail: mark@xxxxxxxxxxxxxxxx

webster posted this 07 January 2020

It is the only security group in the share's NTFS permissions.

 



Thanks

Carl Webster

gazzadownunder posted this 07 January 2020

Are you using a DNS CNAME as the server name?

webster posted this 07 January 2020

No. Just verified it is a plain ole A record.

 

Thanks

Carl Webster

gazzadownunder posted this 07 January 2020

Is the user in the same domain as the file server, and the security group type i.e dl/g?

webster posted this 07 January 2020

Yes, the security group is a global group and contains no members from the trusted forest.

 

Thanks

Carl Webster

gazzadownunder posted this 07 January 2020

If you add rights for an admin user of the server to the share and ntfs permissions, can they access the share?
Might be worth looking at https://nettools.net/unc-check/ it might help identify what is failing

webster posted this 07 January 2020

If we add a non-admin user directly to NTFS permissions, that user can access the share. That user's account is also in the security group.

 

I will check out that tool.

 

Thanks

Carl Webster

webster posted this 07 January 2020

UNC Check reports no issues.

 

Thanks

Carl Webster

gazzadownunder posted this 07 January 2020

It sounds like the group membership change is not being reflected in the user's access token. You can use whoami /groups when logged on as the user to display the user's access token; note they will need to log off and back on to pick up the group change.

gazzadownunder posted this 07 January 2020

Yep, this is weird, if the unc check passed, running in the context of the user from a remote machine and with the permissions granted via the group, weird! This would indicate that the share permissions are working.
The unc check only does an enum of the specified directory, it doesn't try to open any of the files in the share/directory. Do the users get the access denied error when opening a file or just listing the contents of the share?

webster posted this 08 January 2020

Start Run or Windows Explorer, \\server\share name, boom, access denied.

Thanks

Carl Webster
Citrix Technology Professional Fellow | IGEL Tech Community Insider | Parallels VIPP
http://www.CarlWebster.com
The Accidental Citrix Admin

gazzadownunder posted this 08 January 2020

No idea why unc check passes and opening the share with run/explorer fails, they should be using the same APIs (findfirstfile). One thing, Unc check only checks to see if it can return the first file based on a . search of the share (this is normally the . directory), if there is a permission issue with subsequent files this might explain it. Unless there is something specific with the machine, do you also see the same problem on other machines?
As the share is accessible with permissions applied directly to the user but fails when applied to the group, it sounds like the group is not included in the access token that is passed to the server. However, not sure why this would be the case. The only time I have seen groups dropped from an access token is when accessing resources across domains and the group is domain local, which are ignored/dropped; as neither are true in this scenario, this wouldn't be the issue in this case.

webster posted this 08 January 2020

As far as the customer has told me, this is the only server and share with this issue.

 

I checked and the real user account we are testing with has a Kerberos token size of under 3400 bytes.

 

Yesterday I was given a test user account and a Win10 VM so I could stop pestering their main admin and told to do what I needed to do for testing. I will let the list know what I find.

 

Thanks

Carl Webster

Cynthia posted this 08 January 2020

I’m betting you are going to have to place an underscore in that space.

So rename the folder first then share.

 



Cynthia Erno



 


webster posted this 08 January 2020

The folder name has no spaces. The share has a space, but I have the same issue when I create a share with no spaces in the name.

 



Thanks

Carl Webster

Cynthia posted this 08 January 2020

I didn’t read your entire post well enough Carl – sorry about that.

 



Cynthia Erno



 


webster posted this 08 January 2020

No problem. This is the strangest issue I have seen in my 34 years of working with Windows, 26 years of working with NTFS, and 18 years of working with AD.

 



Thanks

Carl Webster

kurtbuff posted this 08 January 2020

So, if this directory has (had? simultaneously?) two shares, and the problem manifests itself in both cases, then that would seem to point to the file system.
Has the machine been rebooted? Is there anything else strange about the file system, or especially the directory?
Does a share on a different directory on the same partition show the same or different behavior? If the directory has subdirectories, does a share on one of those exhibit the same behavior?
Kurt




webster posted this 08 January 2020

The server has been restarted several times. I will test the other scenarios as soon as I find the time today.

 

Thanks

Carl Webster

PARRIS posted this 08 January 2020

Does this impact a specific user or any user that is in this group?

Safe to say that this is a security group and not a distribution group?

Regards,

Mark

Mark Parris
MBCS. MCMI. fCMgr.
Identity & Technology
Governance & Management.
Tel: +44 (0)7801 690596
Email: mark@xxxxxxxxxxxxxxxx

barkills posted this 08 January 2020

This issue kept niggling at a memory I had of running into something similar years ago. Eventually that bothered me enough that I went hunting in my email. 😊

I didn’t find exactly the same issue, but I did run into something similar (which was also unresolved as far as I know) where there were a few other things we tried that haven’t yet been suggested explicitly.

Ross Wilper (hi Ross!) implicitly suggested one—that you shift from Everyone to Authenticated Users on the share perms. That would dodge any use of a little-known but sometimes used security setting: “Network access: Shares that can be accessed anonymously”. It might also dodge issues related to cross-forest or non-domain joined enumeration, which your original post implied might be present (but you never really explained why you mentioned another domain). You also recently mentioned you got a test VM as if that was of significance, which leads me to think all your prior tests have been from a client computer which isn’t domain-joined to the same domain as the file server … 😉

I presume the access denied error comes up almost immediately. If it doesn’t, that actually is relevant information. Because a delay would suggest that multiple different attempts are being tried, as opposed to something more clear like a deny access. If there is some delay and the client computer is not domain-joined to the same domain as the file server (or doesn’t have a DNS suffix which matches file server’s DNS suffix), you might want to try adding that DNS suffix to your intranet zone. That’ll help ensure that Kerberos isn’t blocked from being tried, which may be involved in whatever the cause is.

Ultimately, you may need to consider a network trace and look more closely at event/log messages to see if you can determine what is going on.

Brian

webster posted this 08 January 2020

I mentioned the forest trust only because it exists, and one never knows what that may lead to, and if I had not mentioned it…..

 

We did try using Authenticated Users and it made no difference.

All testing has been done on a domain-joined computer which is their main admin's computer. I got a test VM so I could stop bugging him to test stuff.

The access denied error is an instant error, no delay at all.

Thanks

Carl Webster

daemonr00t posted this 08 January 2020

Sounds silly I know, but what’s the outcome if you try to access the resource using its IP address instead of the FQDN? This can tell you if there’s something on the NTLM or Kerberos side.

Can you enable auditing on this folder?

~danny CS

gazzadownunder posted this 08 January 2020

It might be an idea to repeat the previous tests yourself once you have access to a machine and confirm the results, as the previous results were bizarre/inconsistent.
It might be worth clearing the Kerberos local ticket cache, and checking what tickets you have after connecting to the share, in case DFS is playing some part in the issue.
After that I think it is just a case of isolating the individual components and testing with different server, share, folder, user, and workstation to understand what does and doesn't work.
As has already been mentioned, I think the event logs and network trace are probably the best way to understand what is happening here.

jeremyts posted this 08 January 2020

This is actually great advice. Remove Kerberos as a potential issue.

 


webster posted this 09 January 2020

Using a local security group does not work.

Using the IP address and local security group DOES work.

Using the IP address and AD security group DOES work.

After using the IP address, access by server name NOW WORKS! WHY?

 

This is so weird.

 



Thanks

Carl Webster

kurtbuff posted this 09 January 2020

Probably because you changed sacrifices from Rhode Island Reds to a Silkie. It's the white feathers...
Kurt



michael1 posted this 09 January 2020

Did we ever try using a fqdn?

 


michael1 posted this 09 January 2020

Or look at SPNs?

 


jeremyts posted this 09 January 2020

Kerberos/SPN/DNS issue? Maybe there’s a replication issue and a certain DC is missing some of the computer object’s properties. Maybe try to reset the computer account?

gazzadownunder posted this 09 January 2020

Here are a few steps to check the Kerberos and SPN configuration:

  • Check the ServicePrincipalName attribute of the server’s computer object that SPN for host/server and host/server.FQDN exist. Use https://nettools.net/spn to check that the cifs/server and cifs/server.fqdn only exist on the account\object of the server.
  • Use https://nettools.net/kerberos-tickets request option to check that the cifs/server and cifs/server.FQDN are returned when requested, purging between each request.
  • Use https://nettools.net/kerberos-tickets to purge all tickets and then try to access the share using the \\server\share and then refresh the list and confirm the ticket for the server is returned, and this is the same as the one returned by the previous step and any additional tickets returned. Then purge all tickets and try to access the share using \\server.FQDN\share and confirm that the FQDN ticket is in the refreshed list. In both cases you may only get the FQDN ticket for the server.

One thing I noticed while testing these steps: if you have a folder redirection or mapped drive to the server in question, these connections are persistent and Kerberos tickets are not renewed after the purge, so if you are using persistent mapped drives with or without credentials, these credentials will be used to access the share.
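The checks suggested in this thread (is the group in the user's token, who owns the SPNs, and which Kerberos tickets appear when the share is opened by short name, FQDN and IP address), scripted with the built-in whoami, setspn and klist in place of the NetTools pages linked above. This is an added example, not part of any post in the thread; the server names, IP address and group name are placeholders to be replaced, and it is meant to be run as the affected user on a domain-joined client.

```powershell
# Added example. All default values are placeholders (assumptions), not values from the thread.
param(
    [string]$Server = 'server',               # file server short name
    [string]$Fqdn   = 'server.example.test',  # file server FQDN
    [string]$Ip     = '192.0.2.10',           # file server IP address
    [string]$Share  = 'share name',
    [string]$Group  = 'EXAMPLE\Share-Users'   # group granted FC on NTFS
)

# 1. Is the group in this logon session's access token?
#    A group added after logon only shows up after logging off and back on.
$tokenGroups = & whoami.exe /groups /fo csv | ConvertFrom-Csv
$inToken = $tokenGroups.'Group Name' -contains $Group
Write-Output "Group '$Group' present in access token: $inToken"

# 2. Which accounts hold the SPNs a client can request for this server?
#    cifs/ normally maps to HOST/ and is not registered explicitly, so zero
#    owners for cifs/ is normal. More than one owner for any SPN, or an owner
#    other than the file server's computer account, breaks Kerberos to that name.
$spnReport = foreach ($spn in "host/$Server", "host/$Fqdn", "cifs/$Server", "cifs/$Fqdn") {
    $owners = @(& setspn.exe -Q $spn 2>&1 | Where-Object { "$_" -match '^CN=' })
    [pscustomobject]@{
        SPN      = $spn
        Owners   = $owners.Count
        Accounts = $owners -join '; '
    }
}
$spnReport | Format-Table -AutoSize -Wrap

# 3. Open the share by one name form, starting from an empty ticket cache,
#    and record which cifs/ tickets the attempt produced.
function Test-ShareTarget {
    param([string]$Target, [string]$ShareName)

    # An SMB session that is already open (mapped drive, folder redirection)
    # is reused, so no new ticket is requested after the purge.
    $open = @(Get-SmbConnection -ServerName $Target -ErrorAction SilentlyContinue)

    & klist.exe purge | Out-Null

    $err = $null
    try {
        $null = Get-ChildItem -LiteralPath "\\$Target\$ShareName" -ErrorAction Stop
    } catch {
        $err = $_.Exception.Message
    }

    # klist prints one "Server: <spn> @ <REALM>" line per cached ticket
    $tickets = @(& klist.exe |
        Select-String -Pattern 'Server:\s+(cifs/\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value })

    [pscustomobject]@{
        Target       = $Target
        Accessible   = ($null -eq $err)
        CifsTickets  = $tickets -join ', '
        OpenSessions = $open.Count
        Error        = $err
    }
}

# Short name and FQDN should each yield a cifs/ ticket. Access by IP address
# normally yields none, because there is no SPN for the address and the client
# falls back to NTLM. "Accessible" with no ticket and OpenSessions > 0 means an
# existing session was reused and the result says nothing about Kerberos.
$Server, $Fqdn, $Ip |
    ForEach-Object { Test-ShareTarget -Target $_ -ShareName $Share } |
    Format-Table -AutoSize -Wrap
```

A name form that fails while the IP address succeeds points at the Kerberos path (SPN, DNS or the computer account) rather than at the share or NTFS permissions.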

webster posted this 10 January 2020

SPNs are fine. Everything else looks fine. The customer rebooted the file server this morning and I rebooted our test VM. File share access still works after the reboots. Everything started working after accessing the share one time by IP address instead of the server name.

Odd.

Thanks

Carl Webster

MattStork posted this 13 January 2020

Any UNC hardening GPO in place for the share? Something roughly similar bit me last week. Even if it is not that, try taking the client computer and user out of scope of Group Policy to see if it makes a difference.

Run Group Policy Results Wizard on the server to see if something dumb is applied to it.

-Matt

 


webster posted this 13 January 2020

There were no hardening GPOs in place. This was the only file server and the only share with the weird issue. All non-domain controller servers are in the same OU and get the same GPOs.

 

Accessing the share once by IP address "resolved" the issue. This file server had only one share. It probably would have been faster to remove the server from the domain and rejoin the domain.

 



Thanks

Carl Webster