windows 7 - syn issue

Discussion in 'File Systems' started by Guest, May 19, 2009.

  1. Guest

    Guest Guest

    Hi all,

    I have a workstation client running Windows 7 that is having difficulty
    opening any documents from the My Documents folder. We are running Windows
    2003 SP2 Domain Controller that has all the users My Documents re-directed
    via GPO to a DFS based file share. I have verified all the NTFS & Share
    permissions are correct. All other clients (Windows XP) have no problems.
    However the Windows 7 client cannot open any document (Word, Excel, PDF,
    Text etc) and gets an "Access Denied" message. What is weird is if I
    navigate directly to the actual server file share (one of the target roots
    of the DFS) then everything works fine. I am able to open and save files OK.

    Any ideas?
    Guest, May 19, 2009
    1. Advertisements

  2. Guest

    Guest Guest

    OK dug a little deeper and the issues appears to be DFS. I can browse
    directly to the target folder on either of the 2 target servers and open
    files fine. If however I try to browse via the dfs based name share then I
    get an access denied.

    For example:

    \\server1\users\param\My Documents\test.doc - no problem
    \\server2\users\param\My Documents\test.doc - no problem

    \\domain.local\users\param\My Documents\test.doc - ACCESS DENIED

    Any ideas?
    Guest, May 21, 2009
    1. Advertisements

  3. Guest

    DaveMills Guest

    The DFS root folder will contain the links. These look like folders but are re
    parse points that point to the sever unc names. So I might have

    domain.local/users/john --> \\server1\users\john
    where domain.local/users is the DFS root and john is the re parse point.

    This is accessed as \\domain.local\users\john and when the client reads this it
    retrieves the link destination and then opens \\server\users\john.

    If you open C:\Users on the DFS server you will see the folder "John" this is
    the re parse point and if you try to open it you cannot because it is not a
    folder and can only be open via its UNC name. However it does have NTFS
    permissions and these must allow the end user to "read" the re parse point info.
    Once this info has been read the client can redirect to the target share. The
    target share also has NTFS permissions and these(plus the share permissions)
    determine what the user can do.

    It is enough to simply grant "Everyone" read on the re parse point although you
    may wish to use different permissions, especially if you want to use ABE to
    control which links will be displayed to users.

    This would be true whatever the client XP, Vista and I presume Windows 7. It may
    be just the Windows 7 user that does not have read permission to the re parse
    DaveMills, May 24, 2009
  4. Guest

    Guest Guest

    Few questions:

    1. This is working fine for Windows XP clients. So why would permissions
    need to be any different for Windows 7 clients?

    2. Here is my setup:

    I have 3 file servers that host not only the file shares but also the DFS
    Roots. The 3 file servers are in 3 different AD Sites (based on network
    subnet) and so the concept is clients get re-directed to the file server
    closest to them in their site.

    \\domain.local\DFS - root namespace

    \\server1\DFS \\server2\DFS \\server3\DFS - namespace servers

    NTFS Permissions for DFS root folder on each of the namespace servers -
    Administrators - FULL, Domain Admins - FULL, Domain Users - FULL, Everyone -
    Read, System - FULL

    SHARE Permissions for DFS root folder on each of the namespace servers -
    Administrators - FULL, Domain Admins - FULL, Domain Users - FULL, Everyone -
    Read, System - FULL

    \\domain.local\DFS\Users - dfs folder

    \\server1\Users \\server2\Users \\server3\Users - folder targets for Users
    DFS Folder

    NTFS Permissions for Users folder on each folder target server - Domain
    Admins - FULL, System - FULL, Creator Owner - FULL - Subfolder & Files Only,
    Domain Users - Traverse Folder/Execute File, List Folder/Read Data, Read
    Attributes, Create Folders/Append Data - This Folder Only

    SHARE Permissions for Users folder on each folder target server - Domain
    Admins - FULL, System - FULL, Domain Users - FULL, Everyone - Read

    Guest, May 27, 2009
  5. Guest

    DaveMills Guest

    Sorry, I did not notice this. I have only just started trying W7 so have no
    Seems OK, Having Domain User - FULL can cause problems as a user can then put
    files in the DFS root instead of the targets which you may not want, i.e. save
    word.doc to \\domain.local\dfs instead of \\domain.local\dfs\Users\xxxx
    I would call this the DFS Link, i.e. not a folder but a reparse point.
    This is not a DFS folder at all but simply the normal shared folder that are the
    targets. Am I correct?
    Seems OK, Users can create folders then have F/C as the owners.

    Now I have no idea why Win7 has a problems with all this. I sure hope an answer
    is found as I wish to use Win7 once it goes gold and this issue would be a real
    problem. Please let us know if you find the answer.
    DaveMills, May 28, 2009
  6. Guest

    Guest Guest

    See below my responses with [PR].

    [PR] - yea this is going to be an issue with W7 if this doesnt work.

    [PR] - I changed it to FULL recently to see if that resolves the W7 issue.
    [PR] - OK.
    [PR] - Correct.
    [PR] - I hope I find the answer. I will post when I do.
    Guest, Jun 1, 2009
  7. Guest

    Guest Guest

    OK, I dug a little deeper and found some additional interesting results:

    One of the folder targets on the dfs file share is CORPVS01.

    If I access the share directly i.e. \\corpvs01\Users\param\My Documents I am
    able to copy files to that location, but everytime I try to open a file
    (Word, Excel, PDF etc.) I get an access denied error.

    Now however if I access the share via
    \\corpvs01.mydomain.local\Users\param\My Documents everything works OK.

    Any ideas??

    Guest, Jun 3, 2009
  8. Guest

    DaveMills Guest

    Sorry fro delay, been on vacation.

    On the face of it this looks like a problem with simple sharing not DFS but I
    think you have been changing the names to hide the real names. I did once get
    into a lot of trouble when I first users W2k DFS and used the same name for the
    DSF root as I had for and existing file share on the DFS server. I cannot
    remember the details but the name space became very confused and so sold the
    problem I had to change the names everywhere and could never reuse the old share
    name without problems. This was in a test lab so I eventually abandoned it and
    have been careful not to repeat the name conflict again.

    DaveMills, Jun 15, 2009
  9. Guest

    Guest Guest

    Yea, I have tried every possibility. Weird thing is I have another Windows
    XP machine and I dont have any problems on it.

    It almost seems like when Windows 7 tries to open a file it needs
    permissions to all the parent folders??

    \\servername\sharename\username\My Documents - the user has full access to
    only the user's folder and any child folders below it.

    Could this be the problem? All other file shares we have that are non My
    Documents related work fine.


    Guest, Jun 16, 2009
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.