q:sharing and domain local and global group problem
rebelx
Member Posts: 9 ■□□□□□□□□□
hi
i have a question about global and doamin local and sharing
i have create a global group and add users to it and them i ve created a domin local group and set global group as a member of domain local group
then i create folder and shared and allowed domain local group to have access to the shared folder
when a domain global user tried to access the folder he has a deny access
my question is should he be able to access the folder because he is a member of the global group which is a member of domain local group which has the access to the folder
please help im confused all the way
i have a question about global and doamin local and sharing
i have create a global group and add users to it and them i ve created a domin local group and set global group as a member of domain local group
then i create folder and shared and allowed domain local group to have access to the shared folder
when a domain global user tried to access the folder he has a deny access
my question is should he be able to access the folder because he is a member of the global group which is a member of domain local group which has the access to the folder
please help im confused all the way
Comments
-
dynamik
Banned Posts: 12,312 ■■■■■■■■■□
So you made a domain local group and put a global group inside of it, and a member of that global group cannot access a resource that the domain local group has access to? That should work.
I believe group membership is determined at logon, was this user logged on while you did this? If so, you might want to try logging off and then back on. Are there any other permissions (i.e. deny) on the folder that might be interfering with this? -
royal
Member Posts: 3,352 ■■■■□□□□□□
dynamik wrote:I believe group membership is determined at logon
That is correct. Any time a user logs on a token for this user is built. If you are in mixed mode, a Global Catalog does not have to be reachable because Universal Groups do not have to be checked since Mixed Mode does not allow Universal Security Groups to be created which could alter the token. When you're in Native Mode, a Global Catalog does have to be checked for Universal Security Groups (though this can be modified in registry/GPO).
And yes, nesting a Global Group inside a Domain Local Group should grant access. I bet it's due to the token not being updated from not doing a log off and a log on to rebuild this security token.
Try using the effective permissions. That may give you a hint of the user is being denied access. Take into consideration that effective permissions are not 100% because it doesn't take into consideration built-in groups. Also, share permissions are not considered.“For success, attitude is equally as important as ability.” - Harry F. Banks -
astorrs
Member Posts: 3,139 ■■■■■■□□□□
Also you can quickly check on the client if the token contains the relevant groups by running the following from a command prompt:
whoami /groups | find "<group you're looking for>"
Depending on the O/S and service pack level (and whether or not the resource kit/support tools are installed on older ones), the whoami command may or may not be available, but it's always worth a shot.
-
royal
Member Posts: 3,352 ■■■■□□□□□□
Yep, that's the method I always check to see whether I'm in the correct group. Especially since it shows nested groups.
If you're not the user and want to check a remote user, you can do the following:
DSQUERY USER -samid loginname | DSGET USER -memberof -expand“For success, attitude is equally as important as ability.” - Harry F. Banks -
rebelx
Member Posts: 9 ■□□□□□□□□□
sorry for replaying late
problem solved thank you all for all the information
im really great full for your help
