windows 7 - syn issue

Hi all,

I have a workstation client running Windows 7 that is having difficulty
opening any documents from the My Documents folder. We are running Windows
2003 SP2 Domain Controller that has all the users My Documents re-directed
via GPO to a DFS based file share. I have verified all the NTFS & Share
permissions are correct. All other clients (Windows XP) have no problems.
However the Windows 7 client cannot open any document (Word, Excel, PDF,
Text etc) and gets an "Access Denied" message. What is weird is if I
navigate directly to the actual server file share (one of the target roots
of the DFS) then everything works fine. I am able to open and save files OK.

Any ideas?

OK dug a little deeper and the issues appears to be DFS. I can browse
directly to the target folder on either of the 2 target servers and open
files fine. If however I try to browse via the dfs based name share then I
get an access denied.

For example:

\\server1\users\param\My Documents\test.doc - no problem
\\server2\users\param\My Documents\test.doc - no problem

\\domain.local\users\param\My Documents\test.doc - ACCESS DENIED

Any ideas?


<> wrote in message
news:%237%...
> Hi all,
>
> I have a workstation client running Windows 7 that is having difficulty
> opening any documents from the My Documents folder. We are running Windows
> 2003 SP2 Domain Controller that has all the users My Documents re-directed
> via GPO to a DFS based file share. I have verified all the NTFS & Share
> permissions are correct. All other clients (Windows XP) have no problems.
> However the Windows 7 client cannot open any document (Word, Excel, PDF,
> Text etc) and gets an "Access Denied" message. What is weird is if I
> navigate directly to the actual server file share (one of the target roots
> of the DFS) then everything works fine. I am able to open and save files
> OK.
>
> Any ideas?
>

On Thu, 21 May 2009 12:18:47 -0500, <> wrote:

>OK dug a little deeper and the issues appears to be DFS. I can browse
>directly to the target folder on either of the 2 target servers and open
>files fine. If however I try to browse via the dfs based name share then I
>get an access denied.
>
>For example:
>
>\\server1\users\param\My Documents\test.doc - no problem
>\\server2\users\param\My Documents\test.doc - no problem
>
>\\domain.local\users\param\My Documents\test.doc - ACCESS DENIED
>
>Any ideas?

The DFS root folder will contain the links. These look like folders but are re
parse points that point to the sever unc names. So I might have

domain.local/users/john --> \\server1\users\john
where domain.local/users is the DFS root and john is the re parse point.

This is accessed as \\domain.local\users\john and when the client reads this it
retrieves the link destination and then opens \\server\users\john.

If you open C:\Users on the DFS server you will see the folder "John" this is
the re parse point and if you try to open it you cannot because it is not a
folder and can only be open via its UNC name. However it does have NTFS
permissions and these must allow the end user to "read" the re parse point info.
Once this info has been read the client can redirect to the target share. The
target share also has NTFS permissions and these(plus the share permissions)
determine what the user can do.

It is enough to simply grant "Everyone" read on the re parse point although you
may wish to use different permissions, especially if you want to use ABE to
control which links will be displayed to users.

This would be true whatever the client XP, Vista and I presume Windows 7. It may
be just the Windows 7 user that does not have read permission to the re parse
point.


>
>
><> wrote in message
>news:%237%. ..
>> Hi all,
>>
>> I have a workstation client running Windows 7 that is having difficulty
>> opening any documents from the My Documents folder. We are running Windows
>> 2003 SP2 Domain Controller that has all the users My Documents re-directed
>> via GPO to a DFS based file share. I have verified all the NTFS & Share
>> permissions are correct. All other clients (Windows XP) have no problems.
>> However the Windows 7 client cannot open any document (Word, Excel, PDF,
>> Text etc) and gets an "Access Denied" message. What is weird is if I
>> navigate directly to the actual server file share (one of the target roots
>> of the DFS) then everything works fine. I am able to open and save files
>> OK.
>>
>> Any ideas?
>>
>
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.

Few questions:

1. This is working fine for Windows XP clients. So why would permissions
need to be any different for Windows 7 clients?

2. Here is my setup:

I have 3 file servers that host not only the file shares but also the DFS
Roots. The 3 file servers are in 3 different AD Sites (based on network
subnet) and so the concept is clients get re-directed to the file server
closest to them in their site.

\\domain.local\DFS - root namespace

\\server1\DFS \\server2\DFS \\server3\DFS - namespace servers

NTFS Permissions for DFS root folder on each of the namespace servers -
Administrators - FULL, Domain Admins - FULL, Domain Users - FULL, Everyone -
Read, System - FULL

SHARE Permissions for DFS root folder on each of the namespace servers -
Administrators - FULL, Domain Admins - FULL, Domain Users - FULL, Everyone -
Read, System - FULL

\\domain.local\DFS\Users - dfs folder

\\server1\Users \\server2\Users \\server3\Users - folder targets for Users
DFS Folder


NTFS Permissions for Users folder on each folder target server - Domain
Admins - FULL, System - FULL, Creator Owner - FULL - Subfolder & Files Only,
Domain Users - Traverse Folder/Execute File, List Folder/Read Data, Read
Attributes, Create Folders/Append Data - This Folder Only

SHARE Permissions for Users folder on each folder target server - Domain
Admins - FULL, System - FULL, Domain Users - FULL, Everyone - Read

Thanks!!


"DaveMills" <> wrote in message
news:...
> On Thu, 21 May 2009 12:18:47 -0500, <> wrote:
>
>>OK dug a little deeper and the issues appears to be DFS. I can browse
>>directly to the target folder on either of the 2 target servers and open
>>files fine. If however I try to browse via the dfs based name share then I
>>get an access denied.
>>
>>For example:
>>
>>\\server1\users\param\My Documents\test.doc - no problem
>>\\server2\users\param\My Documents\test.doc - no problem
>>
>>\\domain.local\users\param\My Documents\test.doc - ACCESS DENIED
>>
>>Any ideas?
>
> The DFS root folder will contain the links. These look like folders but
> are re
> parse points that point to the sever unc names. So I might have
>
> domain.local/users/john --> \\server1\users\john
> where domain.local/users is the DFS root and john is the re parse point.
>
> This is accessed as \\domain.local\users\john and when the client reads
> this it
> retrieves the link destination and then opens \\server\users\john.
>
> If you open C:\Users on the DFS server you will see the folder "John" this
> is
> the re parse point and if you try to open it you cannot because it is not
> a
> folder and can only be open via its UNC name. However it does have NTFS
> permissions and these must allow the end user to "read" the re parse point
> info.
> Once this info has been read the client can redirect to the target share.
> The
> target share also has NTFS permissions and these(plus the share
> permissions)
> determine what the user can do.
>
> It is enough to simply grant "Everyone" read on the re parse point
> although you
> may wish to use different permissions, especially if you want to use ABE
> to
> control which links will be displayed to users.
>
> This would be true whatever the client XP, Vista and I presume Windows 7.
> It may
> be just the Windows 7 user that does not have read permission to the re
> parse
> point.
>
>
>>
>>
>><> wrote in message
>>news:%237%.. .
>>> Hi all,
>>>
>>> I have a workstation client running Windows 7 that is having difficulty
>>> opening any documents from the My Documents folder. We are running
>>> Windows
>>> 2003 SP2 Domain Controller that has all the users My Documents
>>> re-directed
>>> via GPO to a DFS based file share. I have verified all the NTFS & Share
>>> permissions are correct. All other clients (Windows XP) have no
>>> problems.
>>> However the Windows 7 client cannot open any document (Word, Excel, PDF,
>>> Text etc) and gets an "Access Denied" message. What is weird is if I
>>> navigate directly to the actual server file share (one of the target
>>> roots
>>> of the DFS) then everything works fine. I am able to open and save files
>>> OK.
>>>
>>> Any ideas?
>>>
>>
> --
> Dave Mills
> There are 10 types of people, those that understand binary and those that
> don't.

On Wed, 27 May 2009 12:05:38 -0500, <> wrote:

>Few questions:
>
>1. This is working fine for Windows XP clients. So why would permissions
>need to be any different for Windows 7 clients?

Sorry, I did not notice this. I have only just started trying W7 so have no
experience.

>
>2. Here is my setup:
>
>I have 3 file servers that host not only the file shares but also the DFS
>Roots. The 3 file servers are in 3 different AD Sites (based on network
>subnet) and so the concept is clients get re-directed to the file server
>closest to them in their site.
>
>\\domain.local\DFS - root namespace
>
>\\server1\DFS \\server2\DFS \\server3\DFS - namespace servers
>
>NTFS Permissions for DFS root folder on each of the namespace servers -
>Administrators - FULL, Domain Admins - FULL, Domain Users - FULL, Everyone -
>Read, System - FULL

Seems OK, Having Domain User - FULL can cause problems as a user can then put
files in the DFS root instead of the targets which you may not want, i.e. save
word.doc to \\domain.local\dfs instead of \\domain.local\dfs\Users\xxxx
>
>SHARE Permissions for DFS root folder on each of the namespace servers -
>Administrators - FULL, Domain Admins - FULL, Domain Users - FULL, Everyone -
>Read, System - FULL
>
>\\domain.local\DFS\Users - dfs folder
I would call this the DFS Link, i.e. not a folder but a reparse point.
>
>\\server1\Users \\server2\Users \\server3\Users - folder targets for Users
>DFS Folder
This is not a DFS folder at all but simply the normal shared folder that are the
targets. Am I correct?
>
>
>NTFS Permissions for Users folder on each folder target server - Domain
>Admins - FULL, System - FULL, Creator Owner - FULL - Subfolder & Files Only,
>Domain Users - Traverse Folder/Execute File, List Folder/Read Data, Read
>Attributes, Create Folders/Append Data - This Folder Only

Seems OK, Users can create folders then have F/C as the owners.

Now I have no idea why Win7 has a problems with all this. I sure hope an answer
is found as I wish to use Win7 once it goes gold and this issue would be a real
problem. Please let us know if you find the answer.
>
>SHARE Permissions for Users folder on each folder target server - Domain
>Admins - FULL, System - FULL, Domain Users - FULL, Everyone - Read
>
>Thanks!!
>
>
>"DaveMills" <> wrote in message
>news:.. .
>> On Thu, 21 May 2009 12:18:47 -0500, <> wrote:
>>
>>>OK dug a little deeper and the issues appears to be DFS. I can browse
>>>directly to the target folder on either of the 2 target servers and open
>>>files fine. If however I try to browse via the dfs based name share then I
>>>get an access denied.
>>>
>>>For example:
>>>
>>>\\server1\users\param\My Documents\test.doc - no problem
>>>\\server2\users\param\My Documents\test.doc - no problem
>>>
>>>\\domain.local\users\param\My Documents\test.doc - ACCESS DENIED
>>>
>>>Any ideas?
>>
>> The DFS root folder will contain the links. These look like folders but
>> are re
>> parse points that point to the sever unc names. So I might have
>>
>> domain.local/users/john --> \\server1\users\john
>> where domain.local/users is the DFS root and john is the re parse point.
>>
>> This is accessed as \\domain.local\users\john and when the client reads
>> this it
>> retrieves the link destination and then opens \\server\users\john.
>>
>> If you open C:\Users on the DFS server you will see the folder "John" this
>> is
>> the re parse point and if you try to open it you cannot because it is not
>> a
>> folder and can only be open via its UNC name. However it does have NTFS
>> permissions and these must allow the end user to "read" the re parse point
>> info.
>> Once this info has been read the client can redirect to the target share.
>> The
>> target share also has NTFS permissions and these(plus the share
>> permissions)
>> determine what the user can do.
>>
>> It is enough to simply grant "Everyone" read on the re parse point
>> although you
>> may wish to use different permissions, especially if you want to use ABE
>> to
>> control which links will be displayed to users.
>>
>> This would be true whatever the client XP, Vista and I presume Windows 7.
>> It may
>> be just the Windows 7 user that does not have read permission to the re
>> parse
>> point.
>>
>>
>>>
>>>
>>><> wrote in message
>>>news:%237%. ..
>>>> Hi all,
>>>>
>>>> I have a workstation client running Windows 7 that is having difficulty
>>>> opening any documents from the My Documents folder. We are running
>>>> Windows
>>>> 2003 SP2 Domain Controller that has all the users My Documents
>>>> re-directed
>>>> via GPO to a DFS based file share. I have verified all the NTFS & Share
>>>> permissions are correct. All other clients (Windows XP) have no
>>>> problems.
>>>> However the Windows 7 client cannot open any document (Word, Excel, PDF,
>>>> Text etc) and gets an "Access Denied" message. What is weird is if I
>>>> navigate directly to the actual server file share (one of the target
>>>> roots
>>>> of the DFS) then everything works fine. I am able to open and save files
>>>> OK.
>>>>
>>>> Any ideas?
>>>>
>>>
>> --
>> Dave Mills
>> There are 10 types of people, those that understand binary and those that
>> don't.
>
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.

See below my responses with [PR].


"DaveMills" <> wrote in message
news:...
> On Wed, 27 May 2009 12:05:38 -0500, <> wrote:
>
>>Few questions:
>>
>>1. This is working fine for Windows XP clients. So why would permissions
>>need to be any different for Windows 7 clients?
>
> Sorry, I did not notice this. I have only just started trying W7 so have
> no
> experience.

[PR] - yea this is going to be an issue with W7 if this doesnt work.

>
>>
>>2. Here is my setup:
>>
>>I have 3 file servers that host not only the file shares but also the DFS
>>Roots. The 3 file servers are in 3 different AD Sites (based on network
>>subnet) and so the concept is clients get re-directed to the file server
>>closest to them in their site.
>>
>>\\domain.local\DFS - root namespace
>>
>>\\server1\DFS \\server2\DFS \\server3\DFS - namespace servers
>>
>>NTFS Permissions for DFS root folder on each of the namespace servers -
>>Administrators - FULL, Domain Admins - FULL, Domain Users - FULL,
>>Everyone -
>>Read, System - FULL
>
> Seems OK, Having Domain User - FULL can cause problems as a user can then
> put
> files in the DFS root instead of the targets which you may not want, i.e.
> save
> word.doc to \\domain.local\dfs instead of \\domain.local\dfs\Users\xxxx


[PR] - I changed it to FULL recently to see if that resolves the W7 issue.

>>
>>SHARE Permissions for DFS root folder on each of the namespace servers -
>>Administrators - FULL, Domain Admins - FULL, Domain Users - FULL,
>>Everyone -
>>Read, System - FULL
>>
>>\\domain.local\DFS\Users - dfs folder
> I would call this the DFS Link, i.e. not a folder but a reparse point.

[PR] - OK.

>>
>>\\server1\Users \\server2\Users \\server3\Users - folder targets for Users
>>DFS Folder
> This is not a DFS folder at all but simply the normal shared folder that
> are the
> targets. Am I correct?

[PR] - Correct.

>>
>>
>>NTFS Permissions for Users folder on each folder target server - Domain
>>Admins - FULL, System - FULL, Creator Owner - FULL - Subfolder & Files
>>Only,
>>Domain Users - Traverse Folder/Execute File, List Folder/Read Data, Read
>>Attributes, Create Folders/Append Data - This Folder Only
>
> Seems OK, Users can create folders then have F/C as the owners.
>
> Now I have no idea why Win7 has a problems with all this. I sure hope an
> answer
> is found as I wish to use Win7 once it goes gold and this issue would be a
> real
> problem. Please let us know if you find the answer.

[PR] - I hope I find the answer. I will post when I do.

>>
>>SHARE Permissions for Users folder on each folder target server - Domain
>>Admins - FULL, System - FULL, Domain Users - FULL, Everyone - Read
>>
>>Thanks!!
>>
>>
>>"DaveMills" <> wrote in message
>>news:. ..
>>> On Thu, 21 May 2009 12:18:47 -0500, <> wrote:
>>>
>>>>OK dug a little deeper and the issues appears to be DFS. I can browse
>>>>directly to the target folder on either of the 2 target servers and open
>>>>files fine. If however I try to browse via the dfs based name share then
>>>>I
>>>>get an access denied.
>>>>
>>>>For example:
>>>>
>>>>\\server1\users\param\My Documents\test.doc - no problem
>>>>\\server2\users\param\My Documents\test.doc - no problem
>>>>
>>>>\\domain.local\users\param\My Documents\test.doc - ACCESS DENIED
>>>>
>>>>Any ideas?
>>>
>>> The DFS root folder will contain the links. These look like folders but
>>> are re
>>> parse points that point to the sever unc names. So I might have
>>>
>>> domain.local/users/john --> \\server1\users\john
>>> where domain.local/users is the DFS root and john is the re parse point.
>>>
>>> This is accessed as \\domain.local\users\john and when the client reads
>>> this it
>>> retrieves the link destination and then opens \\server\users\john.
>>>
>>> If you open C:\Users on the DFS server you will see the folder "John"
>>> this
>>> is
>>> the re parse point and if you try to open it you cannot because it is
>>> not
>>> a
>>> folder and can only be open via its UNC name. However it does have NTFS
>>> permissions and these must allow the end user to "read" the re parse
>>> point
>>> info.
>>> Once this info has been read the client can redirect to the target
>>> share.
>>> The
>>> target share also has NTFS permissions and these(plus the share
>>> permissions)
>>> determine what the user can do.
>>>
>>> It is enough to simply grant "Everyone" read on the re parse point
>>> although you
>>> may wish to use different permissions, especially if you want to use ABE
>>> to
>>> control which links will be displayed to users.
>>>
>>> This would be true whatever the client XP, Vista and I presume Windows
>>> 7.
>>> It may
>>> be just the Windows 7 user that does not have read permission to the re
>>> parse
>>> point.
>>>
>>>
>>>>
>>>>
>>>><> wrote in message
>>>>news:%237% ...
>>>>> Hi all,
>>>>>
>>>>> I have a workstation client running Windows 7 that is having
>>>>> difficulty
>>>>> opening any documents from the My Documents folder. We are running
>>>>> Windows
>>>>> 2003 SP2 Domain Controller that has all the users My Documents
>>>>> re-directed
>>>>> via GPO to a DFS based file share. I have verified all the NTFS &
>>>>> Share
>>>>> permissions are correct. All other clients (Windows XP) have no
>>>>> problems.
>>>>> However the Windows 7 client cannot open any document (Word, Excel,
>>>>> PDF,
>>>>> Text etc) and gets an "Access Denied" message. What is weird is if I
>>>>> navigate directly to the actual server file share (one of the target
>>>>> roots
>>>>> of the DFS) then everything works fine. I am able to open and save
>>>>> files
>>>>> OK.
>>>>>
>>>>> Any ideas?
>>>>>
>>>>
>>> --
>>> Dave Mills
>>> There are 10 types of people, those that understand binary and those
>>> that
>>> don't.
>>
> --
> Dave Mills
> There are 10 types of people, those that understand binary and those that
> don't.

OK, I dug a little deeper and found some additional interesting results:

One of the folder targets on the dfs file share is CORPVS01.

If I access the share directly i.e. \\corpvs01\Users\param\My Documents I am
able to copy files to that location, but everytime I try to open a file
(Word, Excel, PDF etc.) I get an access denied error.

Now however if I access the share via
\\corpvs01.mydomain.local\Users\param\My Documents everything works OK.

Any ideas??

<> wrote in message
news:...
> See below my responses with [PR].
>
>
> "DaveMills" <> wrote in message
> news:...
>> On Wed, 27 May 2009 12:05:38 -0500, <> wrote:
>>
>>>Few questions:
>>>
>>>1. This is working fine for Windows XP clients. So why would permissions
>>>need to be any different for Windows 7 clients?
>>
>> Sorry, I did not notice this. I have only just started trying W7 so have
>> no
>> experience.
>
> [PR] - yea this is going to be an issue with W7 if this doesnt work.
>
>>
>>>
>>>2. Here is my setup:
>>>
>>>I have 3 file servers that host not only the file shares but also the DFS
>>>Roots. The 3 file servers are in 3 different AD Sites (based on network
>>>subnet) and so the concept is clients get re-directed to the file server
>>>closest to them in their site.
>>>
>>>\\domain.local\DFS - root namespace
>>>
>>>\\server1\DFS \\server2\DFS \\server3\DFS - namespace servers
>>>
>>>NTFS Permissions for DFS root folder on each of the namespace servers -
>>>Administrators - FULL, Domain Admins - FULL, Domain Users - FULL,
>>>Everyone -
>>>Read, System - FULL
>>
>> Seems OK, Having Domain User - FULL can cause problems as a user can then
>> put
>> files in the DFS root instead of the targets which you may not want, i.e.
>> save
>> word.doc to \\domain.local\dfs instead of \\domain.local\dfs\Users\xxxx
>
>
> [PR] - I changed it to FULL recently to see if that resolves the W7 issue.
>
>>>
>>>SHARE Permissions for DFS root folder on each of the namespace servers -
>>>Administrators - FULL, Domain Admins - FULL, Domain Users - FULL,
>>>Everyone -
>>>Read, System - FULL
>>>
>>>\\domain.local\DFS\Users - dfs folder
>> I would call this the DFS Link, i.e. not a folder but a reparse point.
>
> [PR] - OK.
>
>>>
>>>\\server1\Users \\server2\Users \\server3\Users - folder targets for
>>>Users
>>>DFS Folder
>> This is not a DFS folder at all but simply the normal shared folder that
>> are the
>> targets. Am I correct?
>
> [PR] - Correct.
>
>>>
>>>
>>>NTFS Permissions for Users folder on each folder target server - Domain
>>>Admins - FULL, System - FULL, Creator Owner - FULL - Subfolder & Files
>>>Only,
>>>Domain Users - Traverse Folder/Execute File, List Folder/Read Data, Read
>>>Attributes, Create Folders/Append Data - This Folder Only
>>
>> Seems OK, Users can create folders then have F/C as the owners.
>>
>> Now I have no idea why Win7 has a problems with all this. I sure hope an
>> answer
>> is found as I wish to use Win7 once it goes gold and this issue would be
>> a real
>> problem. Please let us know if you find the answer.
>
> [PR] - I hope I find the answer. I will post when I do.
>
>>>
>>>SHARE Permissions for Users folder on each folder target server - Domain
>>>Admins - FULL, System - FULL, Domain Users - FULL, Everyone - Read
>>>
>>>Thanks!!
>>>
>>>
>>>"DaveMills" <> wrote in message
>>>news: ...
>>>> On Thu, 21 May 2009 12:18:47 -0500, <> wrote:
>>>>
>>>>>OK dug a little deeper and the issues appears to be DFS. I can browse
>>>>>directly to the target folder on either of the 2 target servers and
>>>>>open
>>>>>files fine. If however I try to browse via the dfs based name share
>>>>>then I
>>>>>get an access denied.
>>>>>
>>>>>For example:
>>>>>
>>>>>\\server1\users\param\My Documents\test.doc - no problem
>>>>>\\server2\users\param\My Documents\test.doc - no problem
>>>>>
>>>>>\\domain.local\users\param\My Documents\test.doc - ACCESS DENIED
>>>>>
>>>>>Any ideas?
>>>>
>>>> The DFS root folder will contain the links. These look like folders but
>>>> are re
>>>> parse points that point to the sever unc names. So I might have
>>>>
>>>> domain.local/users/john --> \\server1\users\john
>>>> where domain.local/users is the DFS root and john is the re parse
>>>> point.
>>>>
>>>> This is accessed as \\domain.local\users\john and when the client reads
>>>> this it
>>>> retrieves the link destination and then opens \\server\users\john.
>>>>
>>>> If you open C:\Users on the DFS server you will see the folder "John"
>>>> this
>>>> is
>>>> the re parse point and if you try to open it you cannot because it is
>>>> not
>>>> a
>>>> folder and can only be open via its UNC name. However it does have NTFS
>>>> permissions and these must allow the end user to "read" the re parse
>>>> point
>>>> info.
>>>> Once this info has been read the client can redirect to the target
>>>> share.
>>>> The
>>>> target share also has NTFS permissions and these(plus the share
>>>> permissions)
>>>> determine what the user can do.
>>>>
>>>> It is enough to simply grant "Everyone" read on the re parse point
>>>> although you
>>>> may wish to use different permissions, especially if you want to use
>>>> ABE
>>>> to
>>>> control which links will be displayed to users.
>>>>
>>>> This would be true whatever the client XP, Vista and I presume Windows
>>>> 7.
>>>> It may
>>>> be just the Windows 7 user that does not have read permission to the re
>>>> parse
>>>> point.
>>>>
>>>>
>>>>>
>>>>>
>>>>><> wrote in message
>>>>>news:%237% l...
>>>>>> Hi all,
>>>>>>
>>>>>> I have a workstation client running Windows 7 that is having
>>>>>> difficulty
>>>>>> opening any documents from the My Documents folder. We are running
>>>>>> Windows
>>>>>> 2003 SP2 Domain Controller that has all the users My Documents
>>>>>> re-directed
>>>>>> via GPO to a DFS based file share. I have verified all the NTFS &
>>>>>> Share
>>>>>> permissions are correct. All other clients (Windows XP) have no
>>>>>> problems.
>>>>>> However the Windows 7 client cannot open any document (Word, Excel,
>>>>>> PDF,
>>>>>> Text etc) and gets an "Access Denied" message. What is weird is if I
>>>>>> navigate directly to the actual server file share (one of the target
>>>>>> roots
>>>>>> of the DFS) then everything works fine. I am able to open and save
>>>>>> files
>>>>>> OK.
>>>>>>
>>>>>> Any ideas?
>>>>>>
>>>>>
>>>> --
>>>> Dave Mills
>>>> There are 10 types of people, those that understand binary and those
>>>> that
>>>> don't.
>>>
>> --
>> Dave Mills
>> There are 10 types of people, those that understand binary and those that
>> don't.
>
>

Sorry fro delay, been on vacation.


On Wed, 3 Jun 2009 12:11:54 -0500, <> wrote:

>OK, I dug a little deeper and found some additional interesting results:
>
>One of the folder targets on the dfs file share is CORPVS01.
>
>If I access the share directly i.e. \\corpvs01\Users\param\My Documents I am
>able to copy files to that location, but everytime I try to open a file
>(Word, Excel, PDF etc.) I get an access denied error.
>
>Now however if I access the share via
>\\corpvs01.mydomain.local\Users\param\My Documents everything works OK.
>
>Any ideas??

On the face of it this looks like a problem with simple sharing not DFS but I
think you have been changing the names to hide the real names. I did once get
into a lot of trouble when I first users W2k DFS and used the same name for the
DSF root as I had for and existing file share on the DFS server. I cannot
remember the details but the name space became very confused and so sold the
problem I had to change the names everywhere and could never reuse the old share
name without problems. This was in a test lab so I eventually abandoned it and
have been careful not to repeat the name conflict again.



><> wrote in message
>news:...
>> See below my responses with [PR].
>>
>>
>> "DaveMills" <> wrote in message
>> news:...
>>> On Wed, 27 May 2009 12:05:38 -0500, <> wrote:
>>>
>>>>Few questions:
>>>>
>>>>1. This is working fine for Windows XP clients. So why would permissions
>>>>need to be any different for Windows 7 clients?
>>>
>>> Sorry, I did not notice this. I have only just started trying W7 so have
>>> no
>>> experience.
>>
>> [PR] - yea this is going to be an issue with W7 if this doesnt work.
>>
>>>
>>>>
>>>>2. Here is my setup:
>>>>
>>>>I have 3 file servers that host not only the file shares but also the DFS
>>>>Roots. The 3 file servers are in 3 different AD Sites (based on network
>>>>subnet) and so the concept is clients get re-directed to the file server
>>>>closest to them in their site.
>>>>
>>>>\\domain.local\DFS - root namespace
>>>>
>>>>\\server1\DFS \\server2\DFS \\server3\DFS - namespace servers
>>>>
>>>>NTFS Permissions for DFS root folder on each of the namespace servers -
>>>>Administrators - FULL, Domain Admins - FULL, Domain Users - FULL,
>>>>Everyone -
>>>>Read, System - FULL
>>>
>>> Seems OK, Having Domain User - FULL can cause problems as a user can then
>>> put
>>> files in the DFS root instead of the targets which you may not want, i.e.
>>> save
>>> word.doc to \\domain.local\dfs instead of \\domain.local\dfs\Users\xxxx
>>
>>
>> [PR] - I changed it to FULL recently to see if that resolves the W7 issue.
>>
>>>>
>>>>SHARE Permissions for DFS root folder on each of the namespace servers -
>>>>Administrators - FULL, Domain Admins - FULL, Domain Users - FULL,
>>>>Everyone -
>>>>Read, System - FULL
>>>>
>>>>\\domain.local\DFS\Users - dfs folder
>>> I would call this the DFS Link, i.e. not a folder but a reparse point.
>>
>> [PR] - OK.
>>
>>>>
>>>>\\server1\Users \\server2\Users \\server3\Users - folder targets for
>>>>Users
>>>>DFS Folder
>>> This is not a DFS folder at all but simply the normal shared folder that
>>> are the
>>> targets. Am I correct?
>>
>> [PR] - Correct.
>>
>>>>
>>>>
>>>>NTFS Permissions for Users folder on each folder target server - Domain
>>>>Admins - FULL, System - FULL, Creator Owner - FULL - Subfolder & Files
>>>>Only,
>>>>Domain Users - Traverse Folder/Execute File, List Folder/Read Data, Read
>>>>Attributes, Create Folders/Append Data - This Folder Only
>>>
>>> Seems OK, Users can create folders then have F/C as the owners.
>>>
>>> Now I have no idea why Win7 has a problems with all this. I sure hope an
>>> answer
>>> is found as I wish to use Win7 once it goes gold and this issue would be
>>> a real
>>> problem. Please let us know if you find the answer.
>>
>> [PR] - I hope I find the answer. I will post when I do.
>>
>>>>
>>>>SHARE Permissions for Users folder on each folder target server - Domain
>>>>Admins - FULL, System - FULL, Domain Users - FULL, Everyone - Read
>>>>
>>>>Thanks!!
>>>>
>>>>
>>>>"DaveMills" <> wrote in message
>>>>news: m...
>>>>> On Thu, 21 May 2009 12:18:47 -0500, <> wrote:
>>>>>
>>>>>>OK dug a little deeper and the issues appears to be DFS. I can browse
>>>>>>directly to the target folder on either of the 2 target servers and
>>>>>>open
>>>>>>files fine. If however I try to browse via the dfs based name share
>>>>>>then I
>>>>>>get an access denied.
>>>>>>
>>>>>>For example:
>>>>>>
>>>>>>\\server1\users\param\My Documents\test.doc - no problem
>>>>>>\\server2\users\param\My Documents\test.doc - no problem
>>>>>>
>>>>>>\\domain.local\users\param\My Documents\test.doc - ACCESS DENIED
>>>>>>
>>>>>>Any ideas?
>>>>>
>>>>> The DFS root folder will contain the links. These look like folders but
>>>>> are re
>>>>> parse points that point to the sever unc names. So I might have
>>>>>
>>>>> domain.local/users/john --> \\server1\users\john
>>>>> where domain.local/users is the DFS root and john is the re parse
>>>>> point.
>>>>>
>>>>> This is accessed as \\domain.local\users\john and when the client reads
>>>>> this it
>>>>> retrieves the link destination and then opens \\server\users\john.
>>>>>
>>>>> If you open C:\Users on the DFS server you will see the folder "John"
>>>>> this
>>>>> is
>>>>> the re parse point and if you try to open it you cannot because it is
>>>>> not
>>>>> a
>>>>> folder and can only be open via its UNC name. However it does have NTFS
>>>>> permissions and these must allow the end user to "read" the re parse
>>>>> point
>>>>> info.
>>>>> Once this info has been read the client can redirect to the target
>>>>> share.
>>>>> The
>>>>> target share also has NTFS permissions and these(plus the share
>>>>> permissions)
>>>>> determine what the user can do.
>>>>>
>>>>> It is enough to simply grant "Everyone" read on the re parse point
>>>>> although you
>>>>> may wish to use different permissions, especially if you want to use
>>>>> ABE
>>>>> to
>>>>> control which links will be displayed to users.
>>>>>
>>>>> This would be true whatever the client XP, Vista and I presume Windows
>>>>> 7.
>>>>> It may
>>>>> be just the Windows 7 user that does not have read permission to the re
>>>>> parse
>>>>> point.
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>><> wrote in message
>>>>>>news:%237% bl...
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I have a workstation client running Windows 7 that is having
>>>>>>> difficulty
>>>>>>> opening any documents from the My Documents folder. We are running
>>>>>>> Windows
>>>>>>> 2003 SP2 Domain Controller that has all the users My Documents
>>>>>>> re-directed
>>>>>>> via GPO to a DFS based file share. I have verified all the NTFS &
>>>>>>> Share
>>>>>>> permissions are correct. All other clients (Windows XP) have no
>>>>>>> problems.
>>>>>>> However the Windows 7 client cannot open any document (Word, Excel,
>>>>>>> PDF,
>>>>>>> Text etc) and gets an "Access Denied" message. What is weird is if I
>>>>>>> navigate directly to the actual server file share (one of the target
>>>>>>> roots
>>>>>>> of the DFS) then everything works fine. I am able to open and save
>>>>>>> files
>>>>>>> OK.
>>>>>>>
>>>>>>> Any ideas?
>>>>>>>
>>>>>>
>>>>> --
>>>>> Dave Mills
>>>>> There are 10 types of people, those that understand binary and those
>>>>> that
>>>>> don't.
>>>>
>>> --
>>> Dave Mills
>>> There are 10 types of people, those that understand binary and those that
>>> don't.
>>
>>
>
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.

Yea, I have tried every possibility. Weird thing is I have another Windows
XP machine and I dont have any problems on it.

It almost seems like when Windows 7 tries to open a file it needs
permissions to all the parent folders??

\\servername\sharename\username\My Documents - the user has full access to
only the user's folder and any child folders below it.

Could this be the problem? All other file shares we have that are non My
Documents related work fine.

Thanks!



"DaveMills" <> wrote in message
news:...
> Sorry fro delay, been on vacation.
>
>
> On Wed, 3 Jun 2009 12:11:54 -0500, <> wrote:
>
>>OK, I dug a little deeper and found some additional interesting results:
>>
>>One of the folder targets on the dfs file share is CORPVS01.
>>
>>If I access the share directly i.e. \\corpvs01\Users\param\My Documents I
>>am
>>able to copy files to that location, but everytime I try to open a file
>>(Word, Excel, PDF etc.) I get an access denied error.
>>
>>Now however if I access the share via
>>\\corpvs01.mydomain.local\Users\param\My Documents everything works OK.
>>
>>Any ideas??
>
> On the face of it this looks like a problem with simple sharing not DFS
> but I
> think you have been changing the names to hide the real names. I did once
> get
> into a lot of trouble when I first users W2k DFS and used the same name
> for the
> DSF root as I had for and existing file share on the DFS server. I cannot
> remember the details but the name space became very confused and so sold
> the
> problem I had to change the names everywhere and could never reuse the old
> share
> name without problems. This was in a test lab so I eventually abandoned it
> and
> have been careful not to repeat the name conflict again.
>
>
>
>><> wrote in message
>>news:...
>>> See below my responses with [PR].
>>>
>>>
>>> "DaveMills" <> wrote in message
>>> news:...
>>>> On Wed, 27 May 2009 12:05:38 -0500, <> wrote:
>>>>
>>>>>Few questions:
>>>>>
>>>>>1. This is working fine for Windows XP clients. So why would
>>>>>permissions
>>>>>need to be any different for Windows 7 clients?
>>>>
>>>> Sorry, I did not notice this. I have only just started trying W7 so
>>>> have
>>>> no
>>>> experience.
>>>
>>> [PR] - yea this is going to be an issue with W7 if this doesnt work.
>>>
>>>>
>>>>>
>>>>>2. Here is my setup:
>>>>>
>>>>>I have 3 file servers that host not only the file shares but also the
>>>>>DFS
>>>>>Roots. The 3 file servers are in 3 different AD Sites (based on network
>>>>>subnet) and so the concept is clients get re-directed to the file
>>>>>server
>>>>>closest to them in their site.
>>>>>
>>>>>\\domain.local\DFS - root namespace
>>>>>
>>>>>\\server1\DFS \\server2\DFS \\server3\DFS - namespace servers
>>>>>
>>>>>NTFS Permissions for DFS root folder on each of the namespace servers -
>>>>>Administrators - FULL, Domain Admins - FULL, Domain Users - FULL,
>>>>>Everyone -
>>>>>Read, System - FULL
>>>>
>>>> Seems OK, Having Domain User - FULL can cause problems as a user can
>>>> then
>>>> put
>>>> files in the DFS root instead of the targets which you may not want,
>>>> i.e.
>>>> save
>>>> word.doc to \\domain.local\dfs instead of \\domain.local\dfs\Users\xxxx
>>>
>>>
>>> [PR] - I changed it to FULL recently to see if that resolves the W7
>>> issue.
>>>
>>>>>
>>>>>SHARE Permissions for DFS root folder on each of the namespace
>>>>>servers -
>>>>>Administrators - FULL, Domain Admins - FULL, Domain Users - FULL,
>>>>>Everyone -
>>>>>Read, System - FULL
>>>>>
>>>>>\\domain.local\DFS\Users - dfs folder
>>>> I would call this the DFS Link, i.e. not a folder but a reparse point.
>>>
>>> [PR] - OK.
>>>
>>>>>
>>>>>\\server1\Users \\server2\Users \\server3\Users - folder targets for
>>>>>Users
>>>>>DFS Folder
>>>> This is not a DFS folder at all but simply the normal shared folder
>>>> that
>>>> are the
>>>> targets. Am I correct?
>>>
>>> [PR] - Correct.
>>>
>>>>>
>>>>>
>>>>>NTFS Permissions for Users folder on each folder target server - Domain
>>>>>Admins - FULL, System - FULL, Creator Owner - FULL - Subfolder & Files
>>>>>Only,
>>>>>Domain Users - Traverse Folder/Execute File, List Folder/Read Data,
>>>>>Read
>>>>>Attributes, Create Folders/Append Data - This Folder Only
>>>>
>>>> Seems OK, Users can create folders then have F/C as the owners.
>>>>
>>>> Now I have no idea why Win7 has a problems with all this. I sure hope
>>>> an
>>>> answer
>>>> is found as I wish to use Win7 once it goes gold and this issue would
>>>> be
>>>> a real
>>>> problem. Please let us know if you find the answer.
>>>
>>> [PR] - I hope I find the answer. I will post when I do.
>>>
>>>>>
>>>>>SHARE Permissions for Users folder on each folder target server -
>>>>>Domain
>>>>>Admins - FULL, System - FULL, Domain Users - FULL, Everyone - Read
>>>>>
>>>>>Thanks!!
>>>>>
>>>>>
>>>>>"DaveMills" <> wrote in message
>>>>>news: om...
>>>>>> On Thu, 21 May 2009 12:18:47 -0500, <> wrote:
>>>>>>
>>>>>>>OK dug a little deeper and the issues appears to be DFS. I can browse
>>>>>>>directly to the target folder on either of the 2 target servers and
>>>>>>>open
>>>>>>>files fine. If however I try to browse via the dfs based name share
>>>>>>>then I
>>>>>>>get an access denied.
>>>>>>>
>>>>>>>For example:
>>>>>>>
>>>>>>>\\server1\users\param\My Documents\test.doc - no problem
>>>>>>>\\server2\users\param\My Documents\test.doc - no problem
>>>>>>>
>>>>>>>\\domain.local\users\param\My Documents\test.doc - ACCESS DENIED
>>>>>>>
>>>>>>>Any ideas?
>>>>>>
>>>>>> The DFS root folder will contain the links. These look like folders
>>>>>> but
>>>>>> are re
>>>>>> parse points that point to the sever unc names. So I might have
>>>>>>
>>>>>> domain.local/users/john --> \\server1\users\john
>>>>>> where domain.local/users is the DFS root and john is the re parse
>>>>>> point.
>>>>>>
>>>>>> This is accessed as \\domain.local\users\john and when the client
>>>>>> reads
>>>>>> this it
>>>>>> retrieves the link destination and then opens \\server\users\john.
>>>>>>
>>>>>> If you open C:\Users on the DFS server you will see the folder "John"
>>>>>> this
>>>>>> is
>>>>>> the re parse point and if you try to open it you cannot because it is
>>>>>> not
>>>>>> a
>>>>>> folder and can only be open via its UNC name. However it does have
>>>>>> NTFS
>>>>>> permissions and these must allow the end user to "read" the re parse
>>>>>> point
>>>>>> info.
>>>>>> Once this info has been read the client can redirect to the target
>>>>>> share.
>>>>>> The
>>>>>> target share also has NTFS permissions and these(plus the share
>>>>>> permissions)
>>>>>> determine what the user can do.
>>>>>>
>>>>>> It is enough to simply grant "Everyone" read on the re parse point
>>>>>> although you
>>>>>> may wish to use different permissions, especially if you want to use
>>>>>> ABE
>>>>>> to
>>>>>> control which links will be displayed to users.
>>>>>>
>>>>>> This would be true whatever the client XP, Vista and I presume
>>>>>> Windows
>>>>>> 7.
>>>>>> It may
>>>>>> be just the Windows 7 user that does not have read permission to the
>>>>>> re
>>>>>> parse
>>>>>> point.
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>><> wrote in message
>>>>>>>news:%237%. gbl...
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> I have a workstation client running Windows 7 that is having
>>>>>>>> difficulty
>>>>>>>> opening any documents from the My Documents folder. We are running
>>>>>>>> Windows
>>>>>>>> 2003 SP2 Domain Controller that has all the users My Documents
>>>>>>>> re-directed
>>>>>>>> via GPO to a DFS based file share. I have verified all the NTFS &
>>>>>>>> Share
>>>>>>>> permissions are correct. All other clients (Windows XP) have no
>>>>>>>> problems.
>>>>>>>> However the Windows 7 client cannot open any document (Word, Excel,
>>>>>>>> PDF,
>>>>>>>> Text etc) and gets an "Access Denied" message. What is weird is if
>>>>>>>> I
>>>>>>>> navigate directly to the actual server file share (one of the
>>>>>>>> target
>>>>>>>> roots
>>>>>>>> of the DFS) then everything works fine. I am able to open and save
>>>>>>>> files
>>>>>>>> OK.
>>>>>>>>
>>>>>>>> Any ideas?
>>>>>>>>
>>>>>>>
>>>>>> --
>>>>>> Dave Mills
>>>>>> There are 10 types of people, those that understand binary and those
>>>>>> that
>>>>>> don't.
>>>>>
>>>> --
>>>> Dave Mills
>>>> There are 10 types of people, those that understand binary and those
>>>> that
>>>> don't.
>>>
>>>
>>
> --
> Dave Mills
> There are 10 types of people, those that understand binary and those that
> don't.