Unable to access file

Devilsbane Member Posts: 4,214
Recently I put a request in to disable permission inheritance on a folder, remove a group (that I, among many other people, was part of) and then to add a group that just had 3 people in it. I wish I had the access to do this myself, but that is a different story.

Anyway, yesterday the change was implemented and I found that I couldn't create a file. The new group was given the correct permissions, I was a member of this group, and the share permissions were not edited. When I used the effective permissions features, it said I should have Full Control. Which is untrue, I should have only had modify but really just had read (Domain users had and still have read on the folder). There were no deny permissions anywhere.

Suspecting that this group was just created, some time might be needed to replicate through. Sure enough, today I can create files.

I feel like a noob here, but can someone explain this behavior?
Decide what to be and go be it.

Comments

  • instant000 Member Posts: 1,745
    Devilsbane wrote: »
    Recently I put a request in to disable permission inheritance on a folder, remove a group (that I, among many other people, was part of) and then to add a group that just had 3 people in it. I wish I had the access to do this myself, but that is a different story.

    Anyway, yesterday the change was implemented and I found that I couldn't create a file. The new group was given the correct permissions, I was a member of this group, and the share permissions were not edited. When I used the effective permissions features, it said I should have Full Control. Which is untrue, I should have only had modify but really just had read (Domain users had and still have read on the folder). There were no deny permissions anywhere.

    Suspecting that this group was just created, some time might be needed to replicate through. Sure enough, today I can create files.

    I feel like a noob here, but can someone explain this behavior?

    There is a lag time for replication, depending upon if you are on the same site or not. Probably the best place to pose this question would be in the Windows Server certification forums.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • blargoe Member Posts: 4,174
    If you unsuccessfully accessed this location, and didn't log out of your computer or disconnect/reconnect your connection to that network share once the permissions were corrected, your computer will remember being denied access to that location (I don't know how long it will show this behavior).

    Might this have applied in your situation?
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • instant000 Member Posts: 1,745
    blargoe wrote: »
    If you unsuccessfully accessed this location, and didn't log out of your computer or disconnect/reconnect your connection to that network share once the permissions were corrected, your computer will remember being denied access to that location (I don't know how long it will show this behavior).

    Might this have applied in your situation?

    blargoe: Great point!

    Reminds me of the IT Crowd: "Did you try turning it off and on again?"
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • Devilsbane Member Posts: 4,214
    Same site, the server I checked for the group and membership was the PDC. I never unsuccessfully accessed the folder. I created the folder about a week ago and have had write access since the day it was made. The first time I failed to write was after this change was made, but even then I still had access.
    blargoe wrote: »
    your computer will remember being denied access to that location (I don't know how long it will show this behavior).

    If you are referring to the DNS cache, successful attempts are remembered for 86,400 seconds (1 day) and unsuccessful attempts are remembered for 15 minutes.

    But I don't think this applies, I never lost access to the server, or even write access to the share. Just to that one folder that permissions were changed on.
    Decide what to be and go be it.
  • crrussell3 Member Posts: 561
    Are you the only person out of the new group that is affected by this change in permissions?

    Have you checked that when they added the new group, they didn't set the permissions to only This Folder, instead of This Folder, subfolder, and files?
    MCTS: Windows Vista, Configuration
    MCTS: Windows WS08 Active Directory, Configuration
  • blargoe Member Posts: 4,174
    Devilsbane wrote: »
    If you are referring to the DNS cache, successful attempts are remembered for 86,400 seconds (1 day) and unsuccessful attempts are remembered for 15 minutes.

    But I don't think this applies, I never lost access to the server, or even write access to the share. Just to that one folder that permissions were changed on.

    No, not the DNS cache. It's the way NTFS permissions are read by Windows. I had a hard time finding something that explains this sufficiently, finally found this article:

    NTFS Permissions
    Consider the same user/helpdesk situation discussed earlier. When the support person makes the change to the permissions on the file the user needs access to, the change is immediately saved in that file's ACL. The user can then access the file without having to log out and back in.

    This is only the case when assigning permissions to users for file or folder resources. When a user is added to a group to gain access to additional resources or otherwise, the user must log out and back in to access those resources. That is because NTFS permissions granted to groups are read in a different manner.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • Devilsbane Member Posts: 4,214
    blargoe wrote: »
    No, not the DNS cache. It's the way NTFS permissions are read by Windows. I had a hard time finding something that explains this sufficiently, finally found this article:

    NTFS Permissions

    I think I know what you are talking about. I remember reading somewhere that when you log on, Windows takes your SID along with all of the SIDs of the groups that you are a member of and creates a security token. This sounds like the most likely culprit. I've always just dismissed the idea because in practice I have never seen it be a problem. Normally when I add myself to a group or something I have instantly received those permissions.

    But I think you might be onto something here.
    Decide what to be and go be it.
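
The two checks raised in this thread (is the new group's SID in the current logon token, and does each ACE apply to this folder only or also to subfolders and files) can be run together. The PowerShell below is an added example, not part of any post above; the share path and group name in the sample call are hypothetical placeholders.

```powershell
# Added example: compare the folder's ACEs against the SIDs in the current logon token.
function Get-TokenAceMatch {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $GroupName
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $ntType  = [System.Security.Principal.NTAccount]

    # SIDs carried by the token of the current logon session (user plus groups).
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($identity.User.Value) +
                 @($identity.Groups | ForEach-Object { $_.Value })

    # Resolve the group by name; this lookup does not depend on the token.
    $groupSid = ([System.Security.Principal.NTAccount]$GroupName).Translate($sidType).Value
    if ($tokenSids -notcontains $groupSid) {
        Write-Warning ("{0} ({1}) is not in the current token; ACEs granted to it " +
                       "do not apply to this session." -f $GroupName, $groupSid)
    }

    # One row per ACE: who it names, what it grants, how far it propagates,
    # and whether this session's token actually matches it.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid  = $ace.IdentityReference.Value
        $name = try { $ace.IdentityReference.Translate($ntType).Value } catch { $sid }
        [pscustomobject]@{
            Trustee     = $name
            Type        = $ace.AccessControlType
            Rights      = $ace.FileSystemRights
            Inherited   = $ace.IsInherited
            AppliesTo   = $ace.InheritanceFlags   # None = this folder only
            Propagation = $ace.PropagationFlags
            InToken     = $tokenSids -contains $sid
        }
    }
}

# Sample call (hypothetical path and group name):
# Get-TokenAceMatch -Path '\\fileserver\share\folder' -GroupName 'CONTOSO\Folder-Editors' |
#     Format-Table -AutoSize
```

`whoami /groups` lists the same token contents. A group that resolves by name but shows `InToken = False` points to a session whose token predates the membership change, which a fresh logon rebuilds.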