Posted by Steven L Umbach on August 18, 2005, 2:26 pm
If I remember correctly I have seen the same thing when looking at a global
group in effective permissions. The important thing is that the permissions
for the user look good and that it works when the global group has direct
permissions. It is curious that it does not work when nested in the local
group however as you mention. Again I would look for any deny permissions
for the share or folder and also look in the advanced page of the folder to
see if there are any deny permissions listed there. Another thing to test is
to create a new test local group on the server, add just your global group
to that local group, and assign permissions to that local group to see if
that makes any difference. For the share try temporarily giving "everyone"
permissions to see if that makes any difference.
I would also try netdiag just to make sure it looks good for the server with
the share. As far as the firewall, if you can temporarily disable it that
may be of help to see if it is part of the problem. The firewall
configuration depends on what it is protecting. If it is the Windows
Firewall on the server offering the share then it probably is configured
correctly. If the firewall is protecting access to the domain controller
then you may need to further tweak it using guidance in the KB link below.
Checking firewall logs for dropped traffic from authorized IP addresses can
also be helpful. --- Steve
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B179442
> Interestingly enough, the effective permissions of the local group are OK.
> The effective permissions of a user in the global group are OK. But the
> effective permissions of the global group don't show anything. Even
> though the user's permissions appear to be OK, he can't access the
> resources.
>
>
>> I'll quadruple check but I'm sure that all permissions are fine, including
>> the share and NTFS permissions. I tested the same setup with another
>> file server outside the firewall and it works fine. The firewall has
>> these ports open for the server in question. Are any missing:
>>
>> udp 135
>> udp netbios-ns
>> udp netbios-dgm
>> udp 139
>> udp 389
>> tcp 137
>> tcp 138
>> tcp netbios-ssn
>> tcp ldap
>>
>> Also, if it makes a difference, the file server has a private ip address
>> with a static nat entry on the firewall.
>>
>>
>>> Off hand the firewall would not appear to be the problem. Check that the
>>> local users group does not have any deny permissions in the share or
>>> folder and that it has proper share and ntfs permissions. Also keep in
>>> mind that share and ntfs permissions interact for a network user in that
>>> the most restrictive of the two will apply. You should be able to ping
>>> the server from the domain controller and vice versa by IP address and
>>> name. I would also check the application/system logs on the file server
>>> for anything that may look relevant and run the support tool netdiag on
>>> it to make sure all looks well with dns, network connectivity to domain
>>> controller, and computer account/secure channel integrity. --- Steve
>>>
>>>
>>>> Windows 2003 file server in an Active Directory domain
>>>> Firewall between server and domain controller
>>>>
>>>> I have a share on the Windows 2003 server. I also have a local group
>>>> on that server. The local group has full rights to the share. The
>>>> local group contains a global group from the Active Directory domain.
>>>>
>>>> User in global group should be able to access the shared folder based
>>>> on the local group's permissions. He can't.
>>>>
>>>> If I add the global group directly to the folder's permissions, then it
>>>> works.
>>>>
>>>> Could it be a problem with a firewall between the server with the local
>>>> group and the domain controller with the global group?
>>>>
>>>> Thanks
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
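Added example, not part of the original thread: a small Python check that normalizes the open-port list quoted above and compares it with a baseline for member-server to domain-controller traffic. The `BASELINE` set, `parse_rules` and `audit` are assumptions made for this illustration; confirm the port set against the KB article linked in the post before changing firewall rules.

```python
# Constructed input: the open-port list quoted in the thread.
OPEN_RULES = """udp 135
udp netbios-ns
udp netbios-dgm
udp 139
udp 389
tcp 137
tcp 138
tcp netbios-ssn
tcp ldap
"""

# IANA service names that appear in that list.
SERVICE_NAMES = {"netbios-ns": 137, "netbios-dgm": 138,
                 "netbios-ssn": 139, "ldap": 389}

# Assumed baseline (not taken from the thread). RPC services also use a
# dynamic port range behind the endpoint mapper; that is not modelled here.
BASELINE = {
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("tcp", 135): "RPC endpoint mapper", ("tcp", 445): "SMB",
    ("udp", 137): "NetBIOS name", ("udp", 138): "NetBIOS datagram",
    ("tcp", 139): "NetBIOS session",
    ("tcp", 389): "LDAP", ("udp", 389): "LDAP",
}

def parse_rules(text):
    """Return a set of (protocol, port) tuples, resolving service names."""
    rules = set()
    for line in text.splitlines():
        parts = line.lower().split()
        if not parts:
            continue  # ignore blank lines
        if len(parts) != 2 or parts[0] not in ("tcp", "udp"):
            raise ValueError(f"unrecognized rule: {line!r}")
        proto, port = parts
        number = int(port) if port.isdigit() else SERVICE_NAMES.get(port)
        if number is None:
            raise ValueError(f"unknown service name: {port!r}")
        rules.add((proto, number))
    return rules

def audit(text):
    """Return (baseline entries not opened, opened entries outside baseline)."""
    opened = parse_rules(text)
    return sorted(set(BASELINE) - opened), sorted(opened - set(BASELINE))

if __name__ == "__main__":
    missing, extra = audit(OPEN_RULES)
    for proto, port in missing:
        print(f"not opened: {proto}/{port} ({BASELINE[(proto, port)]})")
    for proto, port in extra:
        print(f"outside baseline: {proto}/{port}")
```

Entries reported as outside the baseline are candidates for review under least privilege, not proof of a misconfiguration.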