Domain Local Group permission problems!!


Nangel

I created a Domain Local Group Quality. I have a
directory called Folder. Folder is a subfolder of the
main directory called company. Company is shared. In the
directory named folder I went into the properties\Security
tab. I found three lines in the permission box;
Administrator with full access, Everyone with Read &
Execute, and the QUALITY group with modify permissions.
The Quality group is composed of 4 users. None of the
four users listed in the QUALITY group are able to copy,
modify or delete anything under the Folder directory. My
goal is to have everybody in our LAN to have read access
to the information only and the four users in the Quality
group to be able to modify, delete or create the
information in this directory. I do not understand what
the problem is. Please reply with any comment. Thank you
in advance for your cooperation!
 
From your description it seems that you have incorrect permissions on the
share. Members of the QUALITY group should have Change permission on the
share (named company in your case). Remember that effective permissions for
shared files and folders are calculated as a result of NTFS and share
permissions.
 
......
Thank you for your response. In my share directory
(Company) the EVERYONE group has full access. The
subfolder QUALITY has READ and Execute permission for the
Everyone group and modify permission for the Quality
group. This should work. Quality should have modify
access for the Quality directory! Please advise your
comments. Thanks again!
.......
 
Note that I was talking not about NTFS permissions in the "company"
directory, but rather about permissions on the share itself. Are you sure we
get it clear?

In case we are, what domain mode (mixed/native or higher) are you running,
and (just in case) - domain local group and the server where you have it
applied are from the same domain, right?
 
.....
Dmitry - The sharing permission for the company's
directory has three check marks next to the Full control,
Change and read under the allow column. We are running
the domain under the native mode. Dmitry it seems that
you know what's going on, is it possible for me to call
you? or you may call me at 630-858-8700 ext 105. Thank
you very much for your help!
.....
 
Unfortunately, it will not be possible either to call you or do vice versa.
You can catch me on MSN Messenger, though, about 1.5 hours later from the
posting time of this reply. I'll be offline during that time.
Quickhack test: if you explicitly assign Modify permission in the Quality
directory to one of these users (not the group), does it work?
 
Yes. It does work!
 
I'm in MSN - use email address below, remove nospamformorons part.

Another test: what if you create a folder somewhere under that share, remove
all NTFS permissions except for SYSTEM and Administrators, and assign Read
permissions to Quality group on that folder - will they be able to read
contents?
 
1) Your server recognizes the user itself - as explicitly defined access
worked.
2) We have confirmed that it is not a share problem

This could be a group membership problem - did the user log off and log back
on after you added it to the Quality group? You know, the access token
needs to be updated, and for network connections, it's either closing all
connections manually (net use <whatever> /d), or relogging into the system.

I may also suggest a bit more complicated scenario involving replication
problems, but I may be wrong in details (in this case security guys - please
correct me). If you have more than one DC and a replication problem or delay
exists, the following may apply: when the user wants to access the shared
folder, a Service Ticket (ST) needs to be issued. Current user's Ticket
Granting Ticket is used for obtaining ST. So, if the Service Ticket request is
directed to the KDC on the domain controller which is not aware of the
updated group membership yet, the Service Ticket request will be denied -
which ultimately results in denied access for Modify in your folder.
 
I was incorrect in terminology in my previous post, of course TGS, not KDC,
issues Service Tickets - which does not affect the general idea, however.
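
Added example (not written by any poster in this thread): a PowerShell check, run as one of the affected users, that compares the groups in the current access token with the NTFS ACEs on the folder, which is the stale-token case discussed above. `Quality` is the group name from the thread; the UNC path is a placeholder, and the script assumes the workstation, the server and the group are in the same domain.

```powershell
param(
    [string]$GroupName = 'Quality',              # group name from the thread
    [string]$Path = '\\SERVER\company\Folder'    # placeholder UNC path (assumption)
)

# 1. Groups carried in the access token of the current logon session.
#    The token is built at logon, so later group changes are not in it.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenGroups = foreach ($sid in $identity.Groups) {
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }    # unresolvable SID: keep the raw SID string
}
$inToken = @($tokenGroups | Where-Object { $_ -like "*\$GroupName" }).Count -gt 0

# 2. NTFS ACEs on the folder that name the group.
$groupAces = @((Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference.Value -like "*\$GroupName" })

# 3. Combine both observations into a diagnosis.
$diagnosis =
    if ($groupAces.Count -eq 0) {
        "No ACE for $GroupName on this path; check the folder's Security tab."
    } elseif (-not $inToken) {
        "ACE exists but $GroupName is not in this token: log off and on " +
        "again, or drop the connections to the server (net use ... /d)."
    } else {
        "$GroupName is in the token and has an ACE; check share " +
        "permissions and any Deny entries."
    }

[pscustomobject]@{
    User         = $identity.Name
    GroupInToken = $inToken
    GroupAces    = ($groupAces | ForEach-Object {
                       "$($_.AccessControlType): $($_.FileSystemRights)"
                   }) -join '; '
    Diagnosis    = $diagnosis
} | Format-List
```

The token that the file server evaluates is built from the user's service ticket for that server, so the local token checked here is an indicator of a stale logon session rather than a copy of what the server sees.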
 