Group permissions

[Ben Samuals]

This is something Odd we are running into. We create a group for users at
one of our locations, that location has its own domain controller and we are
logged on at that location. We add that group "site-group" to the file
system at that location as well, to a file server. I try to access that
resource as a user that is in "site-group" and it will not work, or they do
not have access. If I add the user directly to the resource they will have
access. I guess my question is, is there a timing issue here? It would seem
to me that if everyone is using the same DC and file server that there
should be no timing issues with group access. btw, these are global groups.
Does this make sense?

thx,

 

[Joe Richards [MVP]]

It could be timing, it could be that the people aren't logging off and logging back in. When you add a user directly to
a Resource ACL chain, the user doesn't have to log off and log on to update their security token. If you add the group
to the chain and add the user to the group, the user must log off and log on to refresh their security token.

You can check if a user has the group in their current token by using whoami /groups (from reskit) once they are logged
in or use the freeware sectok from www.joeware.net.