Windows 7 Clients unable to traverse dfs folder hierarchy

crrussell3 Member Posts: 561
We are currently experiencing an issue that for some reason has stumped me and I can't determine how to continue troubleshooting it.


Our Windows 7 clients (standard users) are no longer able to traverse our dfs folder structure, but Windows XP (same user) do not experience said issue. They are still able to access what they have permission to by \\unc, shortcut, or mapped drive. I am not sure how long this issue has persisted, as it was just reported yesterday. No permissions have been changed.
I created a folder structure with the same permissions and they don't experience the issue. These permissions have been in place for 18 months with no issues until now.
Permissions taken from here (KB27443):
  • CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
  • System - Full Control (Apply onto: This Folder, Subfolders and Files)
  • Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)
  • Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
  • Everyone - List Folder/Read Data (Apply onto: This Folder Only)
  • Everyone - Read Attributes (Apply onto: This Folder Only)
Nothing appears to be corrupt, I don't get any error messages beyond the standard unable to access which points to a permissions problem. I am toying with removing and reapplying the permission, but not sure if that will force a full replication of dfs (the permissions are This Folder Only).
  • Windows Server 2008 R2 w/DFS 2008
  • Windows 7 SP1 fully patched
  • Windows XP SP3 fully patched
MCTS: Windows Vista, Configuration
MCTS: Windows WS08 Active Directory, Configuration

Comments

  • higherho Member Posts: 882
    What errors do you get in your audit logs on the user's machine and the file server? Also I would HIGHLY recommend changing the following permissions:

    • Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
    • Everyone - List Folder/Read Data (Apply onto: This Folder Only)
    • Everyone - Read Attributes (Apply onto: This Folder Only)
    You should never use the "Everyone" group. To be you should use the authenticated users group.
  • crrussell3 Member Posts: 561
    This is the only event failure being logged (I have failures being specifically targeted to my testuser account):

    A handle to an object was requested.

    Subject:
    Security ID: DOMAIN\testuser
    Account Name: testuser
    Account Domain: DOMAIN
    Logon ID: 0x18e195c0

    Object:
    Object Server: Security
    Object Type: File
    Object Name: D:\*****\users
    Handle ID: 0x0

    Process Information:
    Process ID: 0x4
    Process Name:

    Access Request Information:
    Transaction ID: {00000000-0000-0000-0000-000000000000}
    Accesses: SYNCHRONIZE
    ReadData (or ListDirectory)
    ReadAttributes

    Access Reasons: SYNCHRONIZE: Not granted
    ReadData (or ListDirectory): Granted by D:(A;;CCLO;;;WD)
    ReadAttributes: Granted by ACE on parent folder D:(A;;0x100081;;;WD)

    Access Mask: 0x100081
    Privileges Used for Access Check: -
    Restricted SID Count: 0
    MCTS: Windows Vista, Configuration
    MCTS: Windows WS08 Active Directory, Configuration
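
The access mask and the two ACE strings in the audit event above can be decoded by hand. The following is an added example, not part of the original thread: it breaks 0x100081 into named rights and shows which requested bit the folder's own Everyone ACE does not cover. The ACE strings are written as they read with the forum's emoticon substitution undone, and the check is a simplification that only sums allow ACEs (no deny ACEs, no trustee or inheritance evaluation).

```python
import re

# File/directory access-right bits (values from winnt.h).
FILE_RIGHTS = {
    0x000001: "ReadData/ListDirectory", 0x000002: "WriteData/AddFile",
    0x000004: "AppendData/AddSubdirectory", 0x000008: "ReadEA",
    0x000010: "WriteEA", 0x000020: "Execute/Traverse",
    0x000040: "DeleteChild", 0x000080: "ReadAttributes",
    0x000100: "WriteAttributes", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# SDDL two-letter rights codes and the bits they stand for.
SDDL_RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000,
}

def decode_mask(mask):
    """Return the names of the rights set in an access mask, low bit first."""
    return [name for bit, name in sorted(FILE_RIGHTS.items()) if mask & bit]

def parse_ace(ace):
    """Split one SDDL ACE '(type;flags;rights;;;trustee)' into (type, mask, trustee)."""
    fields = ace.strip("()").split(";")
    if len(fields) < 6:
        raise ValueError("not an SDDL ACE: %r" % ace)
    ace_type, rights, trustee = fields[0], fields[2], fields[5]
    if rights.lower().startswith("0x"):
        return ace_type, int(rights, 16), trustee
    mask = 0
    for code in re.findall("..", rights):   # rights are two-letter codes
        mask |= SDDL_RIGHTS[code]
    return ace_type, mask, trustee

def ungranted(requested, aces):
    """Bits of `requested` not covered by any allow ('A') ACE in `aces`."""
    granted = 0
    for ace in aces:
        ace_type, mask, _ = parse_ace(ace)
        if ace_type == "A":
            granted |= mask
    return requested & ~granted

REQUESTED = 0x100081                 # "Access Mask" from the event
FOLDER_ACE = "(A;;CCLO;;;WD)"        # ACE on the folder, trustee WD = Everyone
PARENT_ACE = "(A;;0x100081;;;WD)"    # ACE on the parent folder

if __name__ == "__main__":
    print("requested:", decode_mask(REQUESTED))
    print("missing:  ", decode_mask(ungranted(REQUESTED, [FOLDER_ACE])))
```
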