q:sharing and domain local and global group problem

hi

i have a question about global and doamin local and sharing
i have create a global group and add users to it and them i ve created a domin local group and set global group as a member of domain local group
then i create folder and shared and allowed domain local group to have access to the shared folder

when a domain global user tried to access the folder he has a deny access
my question is should he be able to access the folder because he is a member of the global group which is a member of domain local group which has the access to the folder

please help im confused all the way

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

dynamik

So you made a domain local group and put a global group inside of it, and a member of that global group cannot access a resource that the domain local group has access to? That should work.

I believe group membership is determined at logon, was this user logged on while you did this? If so, you might want to try logging off and then back on. Are there any other permissions (i.e. deny) on the folder that might be interfering with this?

royal

dynamik wrote:

I believe group membership is determined at logon

That is correct. Any time a user logs on a token for this user is built. If you are in mixed mode, a Global Catalog does not have to be reachable because Universal Groups do not have to be checked since Mixed Mode does not allow Universal Security Groups to be created which could alter the token. When you're in Native Mode, a Global Catalog does have to be checked for Universal Security Groups (though this can be modified in registry/GPO).

And yes, nesting a Global Group inside a Domain Local Group should grant access. I bet it's due to the token not being updated from not doing a log off and a log on to rebuild this security token.

Try using the effective permissions. That may give you a hint of the user is being denied access. Take into consideration that effective permissions are not 100% because it doesn't take into consideration built-in groups. Also, share permissions are not considered.

astorrs

Also you can quickly check on the client if the token contains the relevant groups by running the following from a command prompt:

whoami /groups | find "<group you're looking for>"

Depending on the O/S and service pack level (and whether or not the resource kit/support tools are installed on older ones), the whoami command may or may not be available, but it's always worth a shot.

royal

Yep, that's the method I always check to see whether I'm in the correct group. Especially since it shows nested groups.

If you're not the user and want to check a remote user, you can do the following:
DSQUERY USER -samid loginname | DSGET USER -memberof -expand

rebelx

sorry for replaying late

problem solved thank you all for all the information

im really great full for your help

Mishra

rebelx wrote:

sorry for replaying late

problem solved thank you all for all the information

im really great full for your help

Thanks for following up.