this just doesn't work ??? groups


I've tried this on 2 different setups now and it just doesn't seem to work or I'm missing something...


I have been added to a local global security group ( called mymembers ). A folder on a DC is given permissions to be accessed by a domain local security group ( called whocanaccess ). I've added ( mymembers ) to ( whocanaccess ) with full permissions.

Now in the properties of ( whocanaccess ) I can see ( mymembers ) listed. If I go to the properties of ( mymembers ) I can see myself in the members tab and ( whocanaccess ) in the members of tab. So it looks right.

However when I go to a PC and try to access the folder I'm denied, why? Am I missing something?

Hope the explanation makes sense

Help, it's the last thing I'm stuck on
Remember I.T. means In Theory ( it should works )


  • sprkymrk Member Posts: 4,884
    Did you log off/log on after adding yourself to the group? You may need to be assigned a new token from the DC with the additional group membership.

    Trying to think if there is something else.... Brain ...not...working....before ready....
    All things are possible, only believe.
  • eurotrash Member Posts: 817
    Effective Permissions tab.
    witty comment
  • geekie Member Posts: 391
    However when I go to a PC and try to access the folder I'm denied, why?

    I take it you're logged on to the domain and not locally when you try and access the directory?

    Have you had a look at the effective permissions of your user ID or the group you are using?
    Up Next : Not sure :o
  • deneb829 Member Posts: 292
    Is this a share on the DC or are you just trying to access the folder via UNC? Try and access it locally first - if you can, then it's probably the share permissions causing the problems. Check your share and NTFS permissions and remember that the most restrictive permissions apply.
    Share Permission: Deny
    NTFS Permission: Full Control
    Result: Deny
    There are only 10 types of people in this world - People who understand binary and people who do not.
  • elover_jm Member Posts: 349
    Check your share permission
  • Smallguy Member Posts: 597
    Definitely look at effective permissions and the share permissions.

    FYI, Microsoft recommends you only use one or the other for restricting access, and that you use NTFS permissions for restricting access on NTFS volumes (obvious, right?) and share permissions for FAT volumes (since NTFS will not work).

    So on a typical share you would do the following:

    Share permission: Everyone group = Full Control

    NTFS permissions: IT group = Full Control
    staff = Read only

    The result is the most restrictive, so IT can do whatever they want and staff can only read.

    If you use both share and NTFS, troubleshooting permission issues sucks..... my company did this and it has become a nightmare for me to troubleshoot, and unfortunately I cannot change it due to a managerial decision.
  • amyamandaallen Member Posts: 316
    sprkymrk wrote:
    Did you log off/log on after adding yourself to the group? You may need to be assigned a new token from the DC with the additional group membership.


    It was just the bloody reboot on the local PC to make it all work

    Oh well look on it as I did get it right and followed the problem through to the end ( including when information gets missed when following instructions! )

    Many thanks for the assist all.

    By the way, isn't there a DOS command for checking which groups someone is a member of? DSGET or something? Anyone know the syntax, as mine didn't make sense.

    Remember I.T. means In Theory ( it should works )
  • elover_jm Member Posts: 349
    Thx for wasting our time... :D

    oooh and read the 290 book for the commands...lot of em there

    or go to
  • amyamandaallen Member Posts: 316
    Have the MS Press book for the 290

    Have read the command, but as I said the syntax doesn't make sense
    Remember I.T. means In Theory ( it should works )
  • APA Member Posts: 959
    dsget user "CN=Adrian Arumugam,CN=Users,DC=Microsoft,DC=com" -memberof

    if you use the -expand switch as well it shows groups user belongs to through group nesting.

    CN= Users common name
    DC= Domain

    I've only managed to get dsget working if the user is in one of the builtin folders(like above CN=Users, which is the builtin Users folder)...... When I try and use dsget on a user in an OU that you have specifically created it keeps failing.... anyone got some ideas?

    CCNA | CCNA:Security | CCNP | CCIP
  • jiejie Registered Users Posts: 1
    Hello Everyone,
    I do not understand the NTFS and SHARED PERMISSION.
    How do I know about READ / CHANGE / FULL CONTROL of shared permission? Are they the least restrictive or the most restrictive,
    as well as the NTFS permissions (Full control / Modify / Read & Execute and so on....)? Which one is the most restrictive permission or the least restrictive permission?
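
An added example, not part of any post in this thread: a simplified Python model of the three points raised above (nested group expansion, the logon token as a snapshot of group membership, and share and NTFS permissions combining to the most restrictive result). The user name `amy`, the bit masks and the ACL tuples are constructed for illustration; the group names are the ones from the original post.

```python
READ, CHANGE, FULL = 1, 3, 7  # constructed bit masks; each level includes the lower ones

def expand_groups(principal, directory):
    """Direct and nested groups, like `dsget user ... -memberof -expand`."""
    seen, stack = set(), [principal]
    while stack:
        for group in directory.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

def logon(user, directory):
    """A token is a snapshot of group membership taken at logon time."""
    return frozenset({user, "Everyone"} | expand_groups(user, directory))

def granted(acl, token):
    """acl: (kind, principal, mask) entries; deny entries override allow entries."""
    allow = deny = 0
    for kind, principal, mask in acl:
        if principal in token and kind == "deny":
            deny |= mask
        elif principal in token:
            allow |= mask
    return allow & ~deny

def effective(share_acl, ntfs_acl, token, via_share=True):
    """Over the network both ACLs must grant a right; locally only NTFS applies."""
    ntfs = granted(ntfs_acl, token)
    return ntfs & granted(share_acl, token) if via_share else ntfs

# Constructed data using the thread's group names ("amy" is a hypothetical user).
BEFORE = {"amy": set()}
AFTER = {"amy": {"mymembers"}, "mymembers": {"whocanaccess"}}
NTFS = [("allow", "whocanaccess", FULL)]
SHARE_OPEN = [("allow", "Everyone", FULL)]
SHARE_DENY = [("deny", "Everyone", FULL)]

def demo():
    stale, fresh = logon("amy", BEFORE), logon("amy", AFTER)
    return {
        "stale token": effective(SHARE_OPEN, NTFS, stale),
        "fresh token": effective(SHARE_OPEN, NTFS, fresh),
        "share Read + NTFS Full": effective([("allow", "Everyone", READ)], NTFS, fresh),
        "share Deny + NTFS Full": effective(SHARE_DENY, NTFS, fresh),
        "share Deny, local access": effective(SHARE_DENY, NTFS, fresh, via_share=False),
    }

if __name__ == "__main__":
    print(demo())
```

A result of 0 means no access; the stale-token case stays at 0 until `logon` is called again against the updated directory, which matches the log off/log on fix reported above.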