Folder permissions not acting like they should

Discussion in 'Active Directory' started by MattLock, Jul 26, 2006.

  1. MattLock

    MattLock Guest

    I have a Finance folder that users need access to. So, in keeping with
    Microsoft's best practice, I've created a group in AD and I added the users
    to the group. I added the newly created group to the ACL of the Finance
    folder. But that doesn't work, the users get an "access denied" error. The
    group has modify privileges on the Finance ACL. Here's what's confusing to
    me; I have groups that I've created 6+ months ago that function properly. I
    created the IT group over 2 years ago and when I add it to the Finance folder
    ACL, all of the users belonging to IT can access the folder. I have tried
    changing the type of group from a domain local to global and to universal.
    Even though that shouldn't affect my situation because I'm running a single
    domain. This situation is making me feel like I should be dragging my
    knuckles and scratching my armpits.

    Your thoughts?
    MattLock, Jul 26, 2006

  2. MattLock

    jwd Guest

    Hi MattLock,

    You say the group is new, how new? Have your users logged out and in again
    since you created the group? If they have not then the group's SID will not
    be added to the user access token which they received at logon. With no
    matching SID in the token and ACL, they will be denied access.

    This is different to assigning a permission directly to a user as the user's
    SID will match the ACL and they will have access straight away.

    Hope this helps

    Joe Dunn MCSE
    jwd, Jul 26, 2006

  3. MattLock

    MattLock Guest

    Thanx jwd, that did it. I'm embarrassed to say that I violated the sacred
    code of IT Guy Troubleshooting. Section says "...when all else
    fails, reboot."

    MattLock, Jul 26, 2006
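
A way to check for the condition jwd describes, added here as an example and not posted by anyone in the thread: it compares the group SIDs in the current logon token with the group SIDs the directory computes for the same user right now. The group name `Finance-Modify` is a placeholder, and the script assumes it is run as the affected user on a domain-joined machine.

```powershell
# Added example, not from the thread. 'Finance-Modify' is a placeholder group name.
param([string]$GroupName = 'Finance-Modify')

$sidType = [System.Security.Principal.SecurityIdentifier]

# Resolve the group name to its SID string.
$groupSid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate($sidType).Value

# 1. Group SIDs in the access token of this logon session (built at logon).
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.Groups | ForEach-Object { $_.Value })
$inToken   = $tokenSids -contains $groupSid

# 2. Group SIDs the directory reports for the same user at this moment.
#    tokenGroups is a constructed attribute, so it has to be requested explicitly.
$user = [adsi]"LDAP://<SID=$($identity.User.Value)>"
$user.psbase.RefreshCache([string[]]@('tokenGroups'))
$directorySids = @(foreach ($bytes in $user.psbase.Properties['tokenGroups']) {
    (New-Object System.Security.Principal.SecurityIdentifier([byte[]]$bytes, 0)).Value
})
$inDirectory = $directorySids -contains $groupSid

# 3. Interpret the two answers.
$verdict = if ($inDirectory -and -not $inToken) {
    'Member in the directory but SID missing from token: log off and on again.'
} elseif ($inDirectory -and $inToken) {
    'SID is in the token: look at the folder ACL or share permissions instead.'
} elseif (-not $inDirectory -and $inToken) {
    'Token still carries the SID but the directory no longer lists the membership.'
} else {
    'User is not a member of the group in the directory.'
}

[pscustomobject]@{
    User        = $identity.Name
    Group       = $GroupName
    GroupSid    = $groupSid
    InToken     = $inToken
    InDirectory = $inDirectory
    Verdict     = $verdict
}
```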
