VPN Issues (or maybe permissions or maybe accounts, who knows? It is a bunch of weirdness)

Please bear with me here, this is going to get a little complicated.

I have a customer who has SBS 2k3 R2 Std. behind a Watchguard Firebox. They
came to me a couple years ago and had hired a team of programmers in India
who needed access to the system. We wanted this to be as simple as possible
for the end user so I setup the SBS box to act as a PPTP endpoint and
forwarded the traffic through the firebox to the SBS server. We also set
various permissions on our server that restrict India to only one share and
only a couple of folders within that share. I have also added myself
(administrator) and one other user (will call him "user") to the mobile
users group so that we could utilize the VPN as well.

Recently a need came up for a user in London to need access as well. They
would access the same share that the India team access but we did not want
London to have access to all the folders that India does. I created a new
user, made them a part of the mobile users group and verified that London
could connect to the VPN as well. No problems so far.

I then went to the directory structure that they will need access to. This
is a top level folder that is shared with three folders underneath it. India
needs access to everything, London only needs access to one folder. I went
to the two folders that London should not access, added the user to the file
level permission and explicitly denied her access.

When I tested this by connecting as London via the VPN I was still able to
access all of the files stored in any of the folders. Admittedly I did not
try to write anything but I was able to view and open files. I would also
like to point out that I have run the effective permissions tool on the
folders in question and it confirms that London does not have access to the
folder. I then experimented around and discovered that if I deny permission
to the India user, all users in the mobile users group lose access.
Including Administrator. Give India access again and all members get access,
even if they are explicitly denied it.

There had been some other odd behavior with this folder in the past. (one
user seemed to occasionally lose the ability to rename files, I would
re-apply permissions without changin anything and the problem would go away)
This lead me to suspect that there could be ACL corruption of some sort. In
order to recreate the ACL's, I took the entire contents of the folder and
copied them off to a Linux server. (Actually a NAS box running some kind of
embeded Linux) I then shift-deleted then entire directory structure off the
SBS box, created a new top level directory and copied all the files back to
the SBS box.

I reset permissions and shares and viola! I have the exact same behavior.

I have also tested this locally and it does not happen. This behavior only
occurs when connected via the VPN.

I am stumped. Does anyone have any suggestions for me? They will be
appreciated.

 

Did you deny access on those two folders for the London user on the share
level as well as the NTFS level?

 

Those two folders are not explicitly shared. The top level folder (the one
right above them) is shared.

Like this:

c:\share\deny1
c:\share\deny2
c:\share\Accept

The share folder is shared. The others are the ones I am trying to control
permissions on.

 

That didn't answer my question about NTFS permissions. Did you deny access
for the London user on the NTFS permission?

 

I believe that the question actually was did you deny the share permissions
AS WELL as the NTFS level.

It appeared that you understood that they were denied access at the NTFS
level.

If you re-read the original post, you will find this line "I went to the two
folders that London should not access, added the user to the file level
permission and explicitly denied her access."

Sorry if I misunderstood you, but the answer is yes the user was explicitly
denied permissions at the NTFS level.

 

Sorry there was a misunderstanding. My original answer was more a general
question than a partial one.

The next test I would do on both of those subfolders is:
Go to the NTFS security tab
Uncheck the "inherit" checkbox und the advanced tab and select the copy
option.
Remove all users except the group from India, Admin and System (if present)
Go to the advanced tab and check to replace permission on all child objects
etc...

Test the access for the London user again.
Do you now get an "access denied'?

If so, go back to the 2 folders security tab,
Add the domain user group to it with read access
add the London user to it with "deny all"

Test again if the London user can access.

Let me know what your results are.

 

The plot thickens...(and I think that I am on my way to a solution)

I deleted the India user and all seems to perform as expected now. I am now
going to recreate the India user and see what happens.

 

I feel a little slow for not having picked this up earlier.

The problem had nothing to do with the server, permissions or really the
VPN.

It was my client computer. I would connect to the VPN as India, go
start-run-\\server and it would ask me for log in credentials. I would type
in the credentials for India and go about my business.

I would then disconnect and reconnect to the VPN as London, go
start-run-\\server and it would connect to the server USING THE INDIA
CREDENTIALS.

I am 100% certain that had I rebooted between changing VPN logins that it
would have worked the entire time.

Thanks to everyone who attempted to help. I must always remember, when
everything is setup correctly and the computer does not produce the correct
results, the user is to blame.

 

I'm glad you figured it out.

--
Claus