  1. Senior Member
    Join Date
    Jul 2005
    Posts
    317

    Certifications
    MCP 270 & 290, MCDST, MCTS:Vista, CCA XP-FR3 & PS3, ITIL Foundation. ( 291 One Day )
    #1

    This just doesn't work ??? groups

    Hi,

    I've tried this on 2 different setups now and it just doesn't seem to work, or I'm missing something...

    setup-

    I have been added to a local global security group ( called mymembers ). A folder on a DC is given permissions to be accessed by a domain local security group ( called whocanaccess ). I've added ( mymembers ) to ( whocanaccess ) with full permissions.

    Now in the properties of ( whocanaccess ) I can see ( mymembers ) listed. If I go to the properties of ( mymembers ) I can see myself in the members tab and ( whocanaccess ) in the members of tab. So it looks right.

    However, when I go to a PC and try to access the folder I'm denied, why? Am I missing something?

    Hope the explanation makes sense

    Help, it's the last thing I'm stuck on

  3. mikej412's caddy sprkymrk's Avatar
    Join Date
    Feb 2006
    Location
    Charleston, SC
    Posts
    4,976

    Certifications
    MCP (NT4 Server), MCSA 2000, MCSA 2003, CCNA, Security+, Network+
    #2
    Did you log off/log on after adding yourself to the group? You may need to be assigned a new token from the DC with the additional group membership.

    Trying to think if there is something else.... Brain ...not...working....before coffee...is ready....

  4. Senior Member
    Join Date
    Nov 2005
    Location
    UK
    Posts
    863

    Certifications
    MCSE 2003, MCSA:M, MCDST
    #3
    Effective Permissions tab.

  5. Senior Member
    Join Date
    Mar 2006
    Location
    London UK
    Posts
    395

    Certifications
    MCSE:Messaging 2003, MCTS:Vista, MCTS EXCH 2007 Config
    #4
    However when I go to a pc and try to access the folder I'm denied, why?
    I take it you're logged on to the domain and not locally when you try to access the directory?

    Have you had a look at the effective permissions of your user ID or the group you are using?

  6. Senior Member deneb829's Avatar
    Join Date
    Sep 2006
    Location
    Florida Panhandle
    Posts
    300

    Certifications
    A+, Network+, MCSA2K3, Extreme Networks, iBoss, Bachelors in Business Management, MBA - Information Systems
    #5
    Is this a share on the DC or are you just trying to access the folder via UNC? Try and access it locally first - if you can, then it's probably the share permissions causing the problems. Check your share and NTFS permissions and remember that the most restrictive permissions apply.
    i.e.
    Share Permission: Deny
    NTFS Permission: Full Control
    Result: Deny

  7. Senior Member
    Join Date
    Sep 2005
    Location
    Toledo, Ohio
    Posts
    357

    Certifications
    Bsc. IT A+,NET+,CST,CNST, MCSA 2003,MCDBA: Next on the hitlist --> LPIC, OCP
    #6
    Check your share permission

  8. Senior Member
    Join Date
    Sep 2005
    Posts
    598

    Certifications
    A+ Network+ MCP, MCSA
    #7
    Definitely look at effective permissions and the share permissions.

    FYI Microsoft recommends you only use one or the other for restricting access, and that you use NTFS permissions for restricting access on NTFS volumes (obvious, right?) and share permissions for FAT volumes (since NTFS will not work).

    So on a typical share you would do the following:

    Share permission : Everyone group = full control

    NTFS permissions : IT group = full control
    staff = read only

    The result is the most restrictive, so IT can do whatever they want and Staff can only read.

    If you use both share and NTFS, troubleshooting permission issues sucks..... my company did this and it has become a nightmare for me to troubleshoot, and unfortunately I cannot change it due to a managerial decision.

  9. Senior Member
    Join Date
    Jul 2005
    Posts
    317

    Certifications
    MCP 270 & 290, MCDST, MCTS:Vista, CCA XP-FR3 & PS3, ITIL Foundation. ( 291 One Day )
    #8
    [quote="sprkymrk"]Did you log off/log on after adding yourself to the group? You may need to be assigned a new token from the DC with the additional group membership.[/quote]

    It was just the bloody reboot on the local PC to make it all work

    Oh well look on it as I did get it right and followed the problem through to the end ( including when information gets missed when following instructions! )

    Many thanks for the assist all.

    By the way, isn't there a DOS command for checking which groups someone is a member of? DSGET or something? Anyone know the syntax, as mine didn't make sense.


  10. Senior Member
    Join Date
    Sep 2005
    Location
    Toledo, Ohio
    Posts
    357

    Certifications
    Bsc. IT A+,NET+,CST,CNST, MCSA 2003,MCDBA: Next on the hitlist --> LPIC, OCP
    #9
    Thx for wasting our time...

    J/K
    oooh and read the 290 book for the commands...lot of em there

    or go to www.technet.com

  11. Senior Member
    Join Date
    Jul 2005
    Posts
    317

    Certifications
    MCP 270 & 290, MCDST, MCTS:Vista, CCA XP-FR3 & PS3, ITIL Foundation. ( 291 One Day )
    #10
    have the ms press book for the 290

    have read the command but as I said the syntax doesn't make sense

  12. APA
    Senior Member APA's Avatar
    Join Date
    Jun 2006
    Location
    Sydney, Australia
    Posts
    956

    Certifications
    CompTIA, Microsoft, Juniper & Cisco (Check Signature)
    #11
    dsget user "CN=Adrian Arumugam,CN=Users,DC=Microsoft,DC=com" -memberof

    If you use the -expand switch as well, it shows the groups the user belongs to through group nesting.

    CN= Users common name
    DC= Domain

    I've only managed to get dsget working if the user is in one of the builtin folders (like above CN=Users, which is the builtin Users folder)...... When I try to use dsget on a user in an OU that you have specifically created it keeps failing.... anyone got some ideas?

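Added example, not part of any post in this thread: a simplified Python model of the behaviour discussed above, covering nested group expansion (what `dsget user -memberof -expand` reports), the logon-time token snapshot, and the share/NTFS "most restrictive" rule. The user name `jdoe`, the ACL lists and the numeric permission ranks are constructed assumptions; real Windows access checks evaluate individual rights per ACE rather than three ranked levels.

```python
# Simplified model, not Windows API calls. Group names are from the thread;
# the user "jdoe", the ACLs and the numeric ranks are constructed assumptions.
RANK = {"None": 0, "Read": 1, "Change": 2, "Full Control": 3}
BEFORE = {"mymembers": {"whocanaccess"}}         # user not yet in mymembers
AFTER = {"jdoe": {"mymembers"}, **BEFORE}        # user added to the global group
SHARE_ACL = [("Everyone", "Full Control")]
NTFS_ACL = [("whocanaccess", "Full Control")]


def expand_groups(principal, member_of):
    """Transitive membership, the set dsget user -memberof -expand lists."""
    seen, stack = set(), [principal]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in seen:        # guards against circular nesting
                seen.add(group)
                stack.append(group)
    return seen


def logon(user, member_of):
    """The token is a snapshot of group membership taken at logon time."""
    return frozenset(expand_groups(user, member_of) | {user, "Everyone"})


def granted(token, acl):
    """Allow entries accumulate across the token's groups; any Deny wins."""
    levels = [level for who, level in acl if who in token]
    if "Deny" in levels:
        return "None"
    return max(levels, key=RANK.get, default="None")


def effective_access(token, share_acl, ntfs_acl, over_network=True):
    """Via a share the more restrictive of share and NTFS applies."""
    ntfs = granted(token, ntfs_acl)
    if not over_network:                 # local access skips the share ACL
        return ntfs
    return min(granted(token, share_acl), ntfs, key=RANK.get)


if __name__ == "__main__":
    stale = logon("jdoe", BEFORE)        # session opened before the change
    fresh = logon("jdoe", AFTER)         # after logging off and on again
    print("stale token:", effective_access(stale, SHARE_ACL, NTFS_ACL))
    print("fresh token:", effective_access(fresh, SHARE_ACL, NTFS_ACL))
    print("share Read :", effective_access(fresh, [("Everyone", "Read")], NTFS_ACL))
```

The stale token is denied even though the directory already shows the nested membership, which is why the access only started working after a fresh logon.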
  13. Junior Member Registered Member
    Join Date
    Mar 2012
    Posts
    1
    #12
    Hello everyone,
    I do not understand the NTFS and share permissions.
    How do I know whether READ / CHANGE / FULL CONTROL of the share permissions are the least restrictive or the most restrictive?
    The same for the NTFS permissions (Full control / Modify / Read & Execute and so on....): which one is the most restrictive permission or the least restrictive permission?
    Thanks
    JieJie
