VPN Issues (or maybe permissions or maybe accounts, who knows? It is a bunch of weirdness)

Discussion in 'Windows Small Business Server' started by JEC, Oct 26, 2007.

  1. JEC

    JEC Guest

    Please bear with me here, this is going to get a little complicated.

    I have a customer who has SBS 2k3 R2 Std. behind a Watchguard Firebox. They
    came to me a couple years ago and had hired a team of programmers in India
    who needed access to the system. We wanted this to be as simple as possible
    for the end user so I setup the SBS box to act as a PPTP endpoint and
    forwarded the traffic through the firebox to the SBS server. We also set
    various permissions on our server that restrict India to only one share and
    only a couple of folders within that share. I have also added myself
    (administrator) and one other user (will call him "user") to the mobile
    users group so that we could utilize the VPN as well.

    Recently a need came up for a user in London to need access as well. They
    would access the same share that the India team access but we did not want
    London to have access to all the folders that India does. I created a new
    user, made them a part of the mobile users group and verified that London
    could connect to the VPN as well. No problems so far.

    I then went to the directory structure that they will need access to. This
    is a top level folder that is shared with three folders underneath it. India
    needs access to everything, London only needs access to one folder. I went
    to the two folders that London should not access, added the user to the file
    level permission and explicitly denied her access.

    When I tested this by connecting as London via the VPN I was still able to
    access all of the files stored in any of the folders. Admittedly I did not
    try to write anything but I was able to view and open files. I would also
    like to point out that I have run the effective permissions tool on the
    folders in question and it confirms that London does not have access to the
    folder. I then experimented around and discovered that if I deny permission
    to the India user, all users in the mobile users group lose access.
    Including Administrator. Give India access again and all members get access,
    even if they are explicitly denied it.

    There had been some other odd behavior with this folder in the past. (One
    user seemed to occasionally lose the ability to rename files; I would
    re-apply permissions without changing anything and the problem would go away.)
    This led me to suspect that there could be ACL corruption of some sort. In
    order to recreate the ACLs, I took the entire contents of the folder and
    copied them off to a Linux server. (Actually a NAS box running some kind of
    embedded Linux.) I then shift-deleted the entire directory structure off the
    SBS box, created a new top level directory and copied all the files back to
    the SBS box.

    I reset permissions and shares and voila! I have the exact same behavior.

    I have also tested this locally and it does not happen. This behavior only
    occurs when connected via the VPN.

    I am stumped. Does anyone have any suggestions for me? They will be
    JEC, Oct 26, 2007
  2. Claus

    Claus Guest

    Did you deny access on those two folders for the London user on the share
    level as well as the NTFS level?
    Claus, Oct 26, 2007
  3. JEC

    JEC Guest

    Those two folders are not explicitly shared. The top level folder (the one
    right above them) is shared.

    Like this:


    The share folder is shared. The others are the ones I am trying to control
    permissions on.
    JEC, Oct 27, 2007
  4. Claus

    Claus Guest

    That didn't answer my question about NTFS permissions. Did you deny access
    for the London user on the NTFS permission?
    Claus, Oct 27, 2007
  5. JEC

    JEC Guest

    I believe that the question actually was did you deny the share permissions
    AS WELL as the NTFS level.

    It appeared that you understood that they were denied access at the NTFS

    If you re-read the original post, you will find this line "I went to the two
    folders that London should not access, added the user to the file level
    permission and explicitly denied her access."

    Sorry if I misunderstood you, but the answer is yes the user was explicitly
    denied permissions at the NTFS level.
    JEC, Oct 27, 2007
  6. Claus

    Claus Guest

    Sorry there was a misunderstanding. My original answer was more a general
    question than a partial one.

    The next test I would do on both of those subfolders is:
    Go to the NTFS security tab
    Uncheck the "inherit" checkbox under the advanced tab and select "copy"
    Remove all users except the group from India, Admin and System (if present)
    Go to the advanced tab and check to replace permission on all child objects

    Test the access for the London user again.
    Do you now get an "access denied"?

    If so, go back to the 2 folders security tab,
    Add the domain user group to it with read access
    add the London user to it with "deny all"

    Test again if the London user can access.

    Let me know what your results are.
    Claus, Oct 27, 2007
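    The two-stage test Claus describes above (break inheritance, strip the ACL down to
    the India group, Administrators and SYSTEM, push it to all child objects, then add
    Domain Users read plus an explicit deny for the London user) can be scripted so it
    is applied identically to both subfolders. The script below is an added example,
    not code from the thread; the paths, domain name and account names are constructed
    placeholders, and it assumes a Windows version with PowerShell and icacls
    (Server 2008 or later; on the SBS 2003 box in the thread these steps are done in
    the Security tab).

```powershell
# Constructed values: replace with the real share path and accounts.
$Folders    = 'D:\Share\ProjectA', 'D:\Share\ProjectB'   # the two subfolders London must not see
$IndiaGroup = 'CONTOSO\India-Developers'
$LondonUser = 'CONTOSO\london.user'
$Keep       = @($IndiaGroup, 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Show-Acl([string]$Path) {
    # Explicit vs. inherited is the thing to look at: a deny that is only inherited
    # from the share root behaves differently from one set on the folder itself.
    (Get-Acl $Path).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
}

# ---- Stage 1: isolate the folder from its parent and trim the ACL ----------
foreach ($f in $Folders) {
    # "Uncheck inherit ... select copy": protect the ACL, keeping a copy of the
    # inherited entries so nothing is lost before we prune.
    $acl = Get-Acl $f
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $f -AclObject $acl

    # Re-read now that every ACE is explicit, then drop all but the keep list.
    $acl = Get-Acl $f
    foreach ($ace in @($acl.Access)) {
        if ($Keep -notcontains $ace.IdentityReference.Value) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    Set-Acl -Path $f -AclObject $acl

    # "Replace permissions on all child objects": reset every file and subfolder
    # below $f so it inherits from the ACL we just built. icacls with a wildcard
    # touches the children but not $f itself.
    icacls "$f\*" /reset /T /C /Q | Out-Null

    Show-Acl $f
}

# >>> Test as the London user here. Expected: access denied on both folders. <<<

# ---- Stage 2: re-open read access broadly, then deny London explicitly -----
foreach ($f in $Folders) {
    $acl  = Get-Acl $f
    $read = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'CONTOSO\Domain Users', 'ReadAndExecute',
        'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $LondonUser, 'FullControl',
        'ContainerInherit,ObjectInherit', 'None', 'Deny')
    $acl.AddAccessRule($read)
    $acl.AddAccessRule($deny)   # deny ACEs are evaluated before allows
    Set-Acl -Path $f -AclObject $acl

    Show-Acl $f
}

# >>> Test as the London user again. Expected: still access denied. <<<
```

    The value of running the test in two stages is diagnostic: if stage 1 still lets
    London in, the identity reaching the server is not the one you think it is
    (see the thread's resolution), whereas if stage 1 denies and stage 2 allows, the
    deny ACE itself is the problem.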
  7. JEC

    JEC Guest

    The plot thickens... (and I think that I am on my way to a solution)

    I deleted the India user and all seems to perform as expected now. I am now
    going to recreate the India user and see what happens.
    JEC, Oct 27, 2007
  8. JEC

    JEC Guest

    I feel a little slow for not having picked this up earlier.

    The problem had nothing to do with the server, permissions or really the

    It was my client computer. I would connect to the VPN as India, go
    start-run-\\server and it would ask me for log in credentials. I would type
    in the credentials for India and go about my business.

    I would then disconnect and reconnect to the VPN as London, go
    start-run-\\server and it would connect to the server USING THE INDIA

    I am 100% certain that had I rebooted between changing VPN logins that it
    would have worked the entire time.

    Thanks to everyone who attempted to help. I must always remember, when
    everything is setup correctly and the computer does not produce the correct
    results, the user is to blame. :)
    JEC, Oct 28, 2007
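    The root cause JEC found, a client reusing an existing SMB session to \\server
    under the first account it authenticated with, is something you can check and
    clear without rebooting. The commands below are an added example, not from the
    thread; the server, share and account names are constructed placeholders.

```powershell
# Constructed names: replace with the real server, share and account.
$Server = 'server'
$Share  = 'Shared'
$User   = 'CONTOSO\london.user'

# 1. See which sessions this client already holds. A line for \\server (often the
#    hidden IPC$ connection) means any new \\server access will ride that session
#    with whatever credentials created it, regardless of the current VPN logon.
net use

# 2. Tear the existing connections down. Windows refuses a second set of
#    credentials to the same server from one logon session (error 1219), which is
#    why the old identity silently wins until the connection is closed.
net use "\\$Server\IPC$" /delete 2>$null
net use * /delete /y

# 3. Reconnect with the identity stated explicitly. The trailing '*' prompts for
#    the password so it never appears on the command line or in history.
net use "\\$Server\$Share" /user:$User *

# 4. Confirm which account the mapping now uses before testing permissions.
net use

# Server side (run on the file server): list connected clients with the account
# each one authenticated as, and drop a stale one if needed. This is the quickest
# way to see that "London" was really still connected as "India".
net session
# net session \\<client-name> /delete
```

    The effective permissions tool in the thread was correct all along; it was
    evaluating the London account while the server was actually being asked by the
    India session, so checking `net session` on the server before trusting a
    permissions test saves a lot of ACL surgery.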
  9. Claus

    Claus Guest

    I'm glad you figured it out.

    Claus, Oct 28, 2007
