3

We just recovered from a major hardware disaster, and had to restore all of our data from an offsite backup. In the process, we upgraded from a Windows Server 2008 R2 to a Windows Server 2012 R2 Standard file server.

We have one folder that houses nearly all of our more secure data, and in order to simplify and keep organized the various NTFS permissions on the various folders in this one main folder, I have created several custom security groups and added domain users to the groups as needed.

Here's where it's getting weird. These permissions are not working. No one can access the main folder when they're in a group that has been granted permission. However, if I grant permissions to individual domain users, they are able to access the folder.

I have verified that share permissions are set properly (everyone - full control). I have used the "Effective Access" tab to verify that users in the custom groups do, in fact, have the appropriate levels of access. But unless I assign permission to users individually, they cannot access the folder.

What is happening here? Can anyone help me?

2 Answers

5

Have these users logged out and back into their computers since you added them to the new groups?

When a user logs into their workstation they are granted a ticket granting ticket (TGT) by the authentication domain controller. That TGT contains information about their group membership (SIDs) and doesn't expire for some time. Your computer uses this TGT to request access to network resources.

Your TGT naturally contains your account SID, which is why adding users individually works. But the new group SIDs are probably not a part of anyone's TGT yet.

You need to log off and back on to the local computer in order to request a new TGT from your domain controller whenever the user's group membership changes.

2
  • Yes, all users have restarted numerous times and it hasn't resolved the problem... though, it occurs to me that I have not rebooted the new file server since creating the new groups.
    Commented May 29, 2015 at 13:33
  • I confirm this is correct. I encountered the same issue.
    – Overmind
    Commented Sep 25, 2017 at 7:40
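
One way to test the explanation in the answer above from an affected workstation, as an added example that is not part of the original thread: resolve the group to its SID and check whether the current logon token already carries it. The group name `CONTOSO\Secure-Data-RW` is a placeholder; substitute one of the custom groups.

```powershell
# Added example: does the current logon token contain a given group's SID?
# 'CONTOSO\Secure-Data-RW' is a placeholder group name (assumption).
param(
    [string]$GroupName = 'CONTOSO\Secure-Data-RW'
)

function Test-GroupInToken {
    param([Parameter(Mandatory = $true)][string]$Name)

    # Resolve the group name to its SID as the domain currently knows it.
    $account = New-Object System.Security.Principal.NTAccount($Name)
    try {
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        throw "Group '$Name' could not be resolved to a SID: $($_.Exception.Message)"
    }

    # Group SIDs in the access token that was built when this session logged on.
    # (This collection omits the logon SID and deny-only groups.)
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

    New-Object psobject -Property @{
        User     = $identity.Name
        Group    = $Name
        GroupSid = $sid.Value
        InToken  = ($tokenSids -contains $sid.Value)
    }
}

$result = Test-GroupInToken -Name $GroupName
$result | Format-List User, Group, GroupSid, InToken

if (-not $result.InToken) {
    # Membership exists in the directory but not in this session's token:
    # the session predates the change. Ticket start times show how old it is.
    Write-Warning "Token for $($result.User) lacks $($result.GroupSid); log off and back on to pick up the new membership."
    klist
}
```

If `InToken` is `True` and access is still denied, stale group membership on the client is not the cause and the ACLs on the folder itself are the next thing to inspect.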
0

I recently experienced the same problem and found this solution:

Edit the registry, look for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and add a DWORD called LocalAccountTokenFilterPolicy with the value of 1.

No need to reboot. It worked for me with folder permissions and AppLocker.

Source Here
