Shared Folder NTFS Permission Issue on VPN Connection

  • Question

  • Our client company has remote users who access the company shared folders via a PPTP VPN connection. We recently found that all remote VPN users have full access to all shared folders, regardless of the NTFS permissions set on each shared folder. But if the VPN users bring their laptops into the office, they are restricted to only the shared folders they have been allowed to access.

    Our client's current domain environment is set up as below:

    1 x Domain controller > running Windows 2012 with these server roles installed: DC, DNS, DHCP, RRAS for PPTP VPN

    1 x File server > running Windows 2012 and joined to the domain

    A couple of Windows 2003 and 2008 R2 servers running as application servers and TS servers.

    Forest and domain functional level is Windows Server 2003

    Has anyone experienced a similar issue? Any suggestions are welcome!

    Wednesday, August 19, 2015 12:11 AM

Answers

  • Hi,

    There is a known issue where the credentials the user entered for the VPN are used to access the folder instead of the logon account. So please check whether the account used to log on to the VPN has permission to access these folders.

    You can try these steps to use the logon account for accessing shared folders:

    1. Locate the .pbk file. This file should be in C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Network\Connections\Pbk

    2. Open the file in Notepad.

    3. Locate the following entry: UseRasCredentials=1

    4. Modify the entry to the following: UseRasCredentials=0

    5. On the File menu, click Save, and then click Exit.

    If that does not work, try the workaround mentioned in this thread:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/c22ef308-5ec5-4667-a6ac-d2c3b5c20ef8/2008-r2-sstp-vpn-clients-assume-vpn-servers-domain-instead-of-desktop-session-domain?forum=winserverNAP

    Thursday, August 20, 2015 4:48 AM
  • Thanks for your reply. I finally figured out what the issue was.

    Each VPN user's laptop actually had a cached domain admin login credential. I manually removed this credential, and then the shared folder permissions worked as expected.

    To clear the cached Windows login credential:

    Control Panel\User Accounts\Credential Manager\Windows Credentials\

    Then delete the cached account you want.

    • Marked as answer by Felixjiabo Tuesday, August 25, 2015 6:44 AM
    Tuesday, August 25, 2015 6:44 AM
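
The phonebook check from the first answer, scripted for more than one laptop, as an added example that is not part of the original thread. The function names `Get-RasCredentialSetting` and `Set-RasCredentialSetting` are hypothetical, and the sample phonebook is constructed so the script runs without touching a real profile.

```powershell
# Report the UseRasCredentials value of every connection entry in the .pbk files under $Path.
function Get-RasCredentialSetting {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($file in Get-ChildItem -Path $Path -Filter *.pbk -File -ErrorAction SilentlyContinue) {
        $entry = $null
        foreach ($line in Get-Content -LiteralPath $file.FullName) {
            if ($line -match '^\[(.+)\]\s*$') {
                $entry = $Matches[1]   # a [Name] header starts a new connection entry
            } elseif ($entry -and $line -match '^UseRasCredentials=(\d+)\s*$') {
                [pscustomobject]@{ File = $file.FullName; Entry = $entry; UseRasCredentials = [int]$Matches[1] }
            }
        }
    }
}

# Set UseRasCredentials=0 for every entry in one phonebook file, keeping a .bak copy first.
function Set-RasCredentialSetting {
    param([Parameter(Mandatory)][string]$File)
    Copy-Item -LiteralPath $File -Destination "$File.bak" -Force
    $lines = Get-Content -LiteralPath $File
    $lines -replace '^UseRasCredentials=\d+\s*$', 'UseRasCredentials=0' | Set-Content -LiteralPath $File
}

# Constructed sample phonebook (not taken from a real machine).
$dir = Join-Path ([IO.Path]::GetTempPath()) 'PbkDemo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
[Office VPN]
Type=2
UseRasCredentials=1

[Lab VPN]
Type=2
UseRasCredentials=0
'@ | Set-Content -LiteralPath (Join-Path $dir 'rasphone.pbk')

# Find entries that reuse the VPN credentials, reset them, then show the result.
$flagged = @(Get-RasCredentialSetting -Path $dir | Where-Object { $_.UseRasCredentials -eq 1 })
$flagged | Select-Object -ExpandProperty File -Unique | ForEach-Object { Set-RasCredentialSetting -File $_ }
Get-RasCredentialSetting -Path $dir | Format-Table Entry, UseRasCredentials

# Against real profiles, use the folder named in the answer above:
#   Get-RasCredentialSetting -Path 'C:\Users\*\AppData\Roaming\Microsoft\Network\Connections\Pbk'
# Stored Windows credentials (the cause found in the accepted answer) can be listed with:
#   cmdkey /list
```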
