Microsoft AD New User Folder Permissions

Carl84

Junior Member
Jan 8, 2012
21
0
0
Hi,

I created a new user under domain users on Active Directory. She does not have permission to view a network drive where we all have our personal folders. Very strange because under security of that folder Domain Users are allowed to read that folder. :hmm:

This is what's in security now:
Creator Owner
System
Domain Users (should be enough since she is a domain user)
Administrators
Users

What can be wrong? Why does it work for other users but not the new account?
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
Verify she has both share and folder access. If she can't connect to the share, it won't matter what the folder permissions are and vice versa.
 

Carl84

Imagoon: The strange part is, she can see other folders on the network, not just the one that she really needs.

Where can I see these settings?
 

imagoon

> Imagoon: The strange part is, she can see other folders on the network, not just the one that she really needs.
>
> Where can I see these settings?

Share permissions are in the sharing settings. You can manage the server and look at the file shares and go from there. It would make sense that some would work and others wouldn't. Share permissions are set per share just like folder security is.
 

Carl84

imagoon: When I manage the share and look at the permission. It says "everyone". Very very strange!
 

mcmilljb

Platinum Member
May 17, 2005
2,144
2
81
> imagoon: When I manage the share and look at the permission. It says "everyone". Very very strange!

It's probably the file and folder security settings bothering her. Generally you'll make the file share more open and then restrict on the file and folder security. You do this because the 2 are merged together and the strictest one is what you get.

From Microsoft's website
Share permissions and the file and folder permissions that can be applied to resources on a drive that uses the NTFS file system are both applied if a user connects to a shared resource over the network. If the share permissions appear as if they should allow for a particular level of access, but the user experiences problems actually achieving that level of access, check the file and folder permissions to make sure that they do not prevent access.
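
Added example (not part of the original post): a PowerShell sketch that lists the share-level and NTFS-level entries side by side for one account, so the two layers described above can be compared. It assumes a file server with the SmbShare module (Windows Server 2012 or later); the share name, subfolder and identity names are placeholders.

```powershell
# Added example. Run on the file server in an elevated session.
# $Identities must list the account plus every group it belongs to
# (for instance taken from `whoami /groups` in the user's own session).
param(
    [string]   $ShareName  = 'Users',        # placeholder share name
    [string]   $SubFolder  = 'jane.doe',     # placeholder personal folder
    [string[]] $Identities = @('CONTOSO\jane.doe', 'CONTOSO\Domain Users',
                               'Everyone', 'BUILTIN\Users')
)

$share = Get-SmbShare -Name $ShareName
$path  = $share.Path
if ($SubFolder) { $path = Join-Path -Path $share.Path -ChildPath $SubFolder }

# Layer 1: share permissions, evaluated only for access over the network.
$shareAces = Get-SmbShareAccess -Name $ShareName |
    Where-Object { $Identities -contains $_.AccountName } |
    Select-Object @{n='Layer';     e={'Share'}},
                  @{n='Identity';  e={$_.AccountName}},
                  @{n='Type';      e={$_.AccessControlType}},
                  @{n='Rights';    e={$_.AccessRight}},
                  @{n='Inherited'; e={'n/a'}}

# Layer 2: NTFS permissions on the folder behind the share.
$ntfsAces = (Get-Acl -Path $path).Access |
    Where-Object { $Identities -contains $_.IdentityReference.Value } |
    Select-Object @{n='Layer';     e={'NTFS'}},
                  @{n='Identity';  e={$_.IdentityReference.Value}},
                  @{n='Type';      e={$_.AccessControlType}},
                  @{n='Rights';    e={$_.FileSystemRights}},
                  @{n='Inherited'; e={$_.IsInherited}}

# Access needs an Allow in BOTH layers; a Deny in either layer wins.
@($shareAces) + @($ntfsAces) | Format-Table -AutoSize

if (-not ($shareAces | Where-Object { "$($_.Type)" -eq 'Allow' })) {
    Write-Warning "No Allow entry for these identities on share '$ShareName'."
}
if (-not ($ntfsAces | Where-Object { "$($_.Type)" -eq 'Allow' })) {
    Write-Warning "No Allow entry for these identities on '$path'."
}
```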
 

Carl84

Thank you mcmilljb! :)

I tried to add her domain name to the security enabling her to read without success. Shouldn't be necessary since she is a domain user and they should already have access. :eek:

How do I make it work?
 

Carl84

Thank you for your links, helpful for a novice like me. :)

The problem is, that everything seems to be set up correctly. For example, when I login with her user on MY laptop I can access her folder. But still does not work on her computer :(

What can be wrong?
 

dawks

Diamond Member
Oct 9, 1999
5,071
2
81
> Thank you for your links, helpful for a novice like me. :)
>
> The problem is, that everything seems to be set up correctly. For example, when I login with her user on MY laptop I can access her folder. But still does not work on her computer :(
>
> What can be wrong?

One thing you can do is go to the 'Effective Permissions' tab and put her username in. It will tell you what rights she has.

Also note, you'll have to log off, and back on if you make any changes on the permissions themselves before they take effect.
 

mcmilljb

> Thank you for your links, helpful for a novice like me. :)
>
> The problem is, that everything seems to be set up correctly. For example, when I login with her user on MY laptop I can access her folder. But still does not work on her computer :(
>
> What can be wrong?

You could login with your username on HER computer to see if it's the computer causing the problem. Might have to take it off the domain and then put it back on to fix it.
 

Carl84

> You could login with your username on HER computer to see if it's the computer causing the problem. Might have to take it off the domain and then put it back on to fix it.

As you say I can not access it on my account using her computer.
I think you hit the nail on its head :D

How do I take it off the domain? Delete it in AD?:hmm:
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
> As you say I can not access it on my account using her computer.
> I think you hit the nail on its head :D
>
> How do I take it off the domain? Delete it in AD?:hmm:

From the problem computer, go to system properties and change it to a workgroup member, reboot, log in with a local admin account, go into system properties and add it to the domain again.

You should definitely make sure you know the password for a local admin account before you remove it from the domain.
 

Carl84

> From the problem computer, go to system properties and change it to a workgroup member, reboot, log in with a local admin account, go into system properties and add it to the domain again.
>
> You should definitely make sure you know the password for a local admin account before you remove it from the domain.

Thank you Seepy. I did exactly that but still does not work. :eek:

If I check Effective Permissions I have the same settings as other users for the specific folder. :\
Other folders are okay for her to view.
This is very very strange... Any ideas?
 

seepy83

At this point, I would be looking at system/security logs in Event Viewer, and turning on Auditing (or changing audit settings) on the folder if there's not enough data in the logs to help figure out what's happening.
 

Carl84

Seepy thanks for your help. I'm not much of an Admin lol.

How can you see the events?

Edit: I started Event Viewer but don't really know what to look for in System/Security.
 

Lifted

Diamond Member
Nov 30, 2004
5,752
2
0
Reset the computer account in AD by right clicking on it, reset account.

If that fails, as was said above, check the event logs (in the event viewer) on the server, specifically the security events. You'd be looking for warnings or errors.
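
Added example (not part of the original posts): one way to search the server's Security log for what the two replies above describe. Denied access is recorded there as Audit Failure events rather than as warnings or errors. The account name is a placeholder, and the event IDs assume Windows Server 2008 or later with file system and file share auditing enabled.

```powershell
# Added example. Run on the file server in an elevated session.
param(
    [string] $Account = 'jane.doe',   # placeholder account name
    [int]    $Hours   = 24            # how far back to search
)

$filter = @{
    LogName   = 'Security'
    # 4625 = failed logon
    # 4656 = handle to an object requested (logged as a failure when NTFS denies it)
    # 5145 = detailed file share access check
    Id        = 4625, 4656, 5145
    Keywords  = 4503599627370496      # Audit Failure (0x10000000000000)
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($Account) }

if (-not $events) {
    # An empty result usually means auditing is not enabled for the folder,
    # not that access was granted.
    Write-Output "No audit failures for '$Account' in the last $Hours hours."
}
else {
    $events |
        Select-Object TimeCreated, Id,
            @{n='Summary'; e={ ($_.Message -split "`r?`n")[0] }} |
        Sort-Object TimeCreated |
        Format-Table -AutoSize -Wrap
}
```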
 

Carl84

Lifted: I did make a reset of the computer account and it is still the same. So after that I went to the event viewer but it shows no warnings!

Very very strange..

I would like to mention that we have recently changed user on this computer (like 3 times the last month). Can that be part of the problem?
 

BoT

Senior member
May 18, 2010
365
0
86
www.codisha.com
create another "new" user account and see if that works.
if so, move her stuff to the new user account and rename it to her while you delete the old account.

also, verify that her account is indeed in the domain users group or users group.

does anybody else have trouble accessing their shares on this particular computer?
you can also delete the computer from the domain and rejoin it and see if that works.

make sure that any important data has been saved and is retrievable before you do any of the above.
 

Carl84

BoT: When I log in on my account on the same computer it still gets the same. Seems like it's the computer that cannot connect. I have already deleted the computer and had it rejoin the domain without success :/
 

imagoon

I would check things like the computer DNS also. Having ISP DNS servers in there will cause all sorts of issues including this one.
 

Carl84

BoT: Yea AVG on all computers. But it is the same for all.

She can access other folders on the server but not the one with all user folders (including hers).

I created another user in AD called test.test. While trying to log in Win7 gives me "The trust relationship between this workstation and the primary domain failed".

Logging back on to her account works but still problems with not being able to access the important folder.

What can I do?
 

BoT

besides resetting the computer account did you try to rejoin (unjoin first) it to the domain but i think you did that already.

checked the network settings, checked folder permissions, reset account, rejoined computer, checked ntfs permission, other account doesn't work, confirmed that she is in fact in the domain users group .. i don't seems to be a bit of a dead end unless we are overlooking something.

everything should be working as intended
which version of windows server are you running?
are you sure you have all ports open on the pc?
389 dc locator
3389 ts
445 smb
135 netbios
139 netbios
1723 pptp

most should be enabled already but good to double check
 

Carl84

Incredible!
After disabling Offline Files in sync-center it works. She can access her folder on the network, but not save them offline (there is no option). If I reenable offline files she doesn't have authority to access. :/

EDIT: Made it work!!
Followed this guide when I understood it was Sync that was causing the problems.



ORIGINAL:
1. Login as administrator
2. Delete files in C:\Windows\CSC\namespace & C:\Windows\CSC\temp
You will have to change ownership of the files & folders within, make sure to inherit. If the inheritance doesn't work, then yes, get large pot of coffee as you will have to reset permissions and delete the file or folder individually. Depending on how much is in the CSC, you could be in for a very long night. :(
3. After files & folders are cleared out, restart & have the user log in.
4. Check the shared drive...


I still don't really know what was wrong but now it's fixed. Thanks everybody for your help! :)
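
Added example (not part of the original post or the quoted guide): a PowerShell sketch for the workstation that reports the Offline Files (CSC) state and, when asked, flags the cache to be rebuilt at the next restart. It uses the `FormatDatabase` registry value that Microsoft documents for re-initializing the cache, which is a different technique from the manual deletion in the guide; the `-Reset` switch is a name chosen for this example.

```powershell
# Added example. Run on the affected workstation in an elevated session.
param(
    [switch] $Reset   # hypothetical switch: also flag the cache for re-initialization
)

# Report whether Offline Files is enabled and active, and where the cache lives.
$csc = Get-WmiObject -Class Win32_OfflineFilesCache
$csc | Select-Object Enabled, Active, Location | Format-List

# The cache folder is ACL'd to SYSTEM, so it may be unreadable even for an
# administrator; only confirm that it exists.
if ($csc.Location -and (Test-Path -LiteralPath $csc.Location)) {
    Write-Output "Cache folder present: $($csc.Location)"
}

if ($Reset) {
    # FormatDatabase = 1 tells the CSC driver to wipe and rebuild the cache
    # on the next boot. Changes made offline and not yet synchronized are
    # discarded, so synchronize or copy them out first.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\CSC\Parameters'
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path $key -Name 'FormatDatabase' -Value 1 `
        -PropertyType DWord -Force | Out-Null
    Write-Output 'Offline Files cache flagged for re-initialization. Restart to apply.'
}
```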
 