Server 2008 R2 Share

  • Question

  • OK, this is an odd one but someone may have come across it.

    We have a fileshare on 2008 R2 which has 1 single fileshare on it and was working fine until a reboot. The permissions all look OK on the share and NTFS, it doesn't have Enumeration enabled, both client (Windows 7) and server (2008 R2) have had a considerable amount of updates and restarted a number of times. If I use a domain admin account I can connect without issue, but if it uses an account which is part of a domain group assigned to the folder permissions they get "ACCESS DENIED".

    Any assistance would be great.

    Cheers guys.

    Nate

    Thursday, January 16, 2020 12:41 PM

All replies

  • Forgot to say that these are mapped using Group Policy.
    Thursday, January 16, 2020 12:45 PM
  • Have the "bad user" open a command prompt on the client and run "net view \\yourfileservername". Does it show all of the shares on the server? Check the security eventlog on the file server to see if there are any errors when the user tries to connect.   

    On the server use the effective access tab to verify that the user has access. 

    Thursday, January 16, 2020 1:59 PM
  • Yeah, all checked and permissions are correct; there are no events showing that are of any use, even with auditing turned on.

    Netstat -an shows an established connection, but when anyone not in the domain admin group uses the share it's access denied. Permissions are the same on another share but does not work.

    cheers

    Nate


    Thursday, January 16, 2020 2:31 PM
  • Netstat only shows TCP socket connections. It does not show if the user has successfully authenticated. Run "net session" instead. Do you see the user's ID?

    On the server, create a folder C:\Temp\Test. On the test folder uncheck inherit file permissions. Remove all permissions and add "everyone:full". Then right click test, properties, sharing, advanced sharing. Create a share named test and set the share permissions to  "everyone:full".

    On the client, open a command prompt and run  "net view \\yourfileservername". Does it display all of the shares on the server including the new test share?

    Then have the user use the explorer to copy a file to \\yourfileservername\test. 

    That will verify that SMB and user authentication works. 


    • Edited by MotoX80 Thursday, January 16, 2020 4:04 PM
    Thursday, January 16, 2020 3:59 PM
  • Hi Nate,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com   

    Monday, January 20, 2020 2:27 AM
  • Hi, sorry for the late reply. The SMB share works, as the Domain Admins connect without any issues on the current share. I have copied the virtual hard disk to another server and the same occurs.

    The thing that is odd is that I have another folder on the same server that has the same permissions that is fine.

    Tuesday, January 21, 2020 9:23 AM
  • You did not do what I asked you to do.

    Run this PowerShell script and compare the share/file security on your shares.

    # Script: SharePermissions.ps1
    # Author: Dave K.  aka MotoX80
    # Analyze user share permissions.
    $shares = get-smbshare | where-object { ($_.Name -NE 'IPC$') -and ($_.Name -NE 'Print$')  -and ($_.Name -NE 'C$') -and ($_.Name -NE 'Admin$') } 
    foreach ($share in $shares)  {
        '--------------------'
        "---    {0}" -f $share.name 
        '--------------------'
        ''
        'Share permissions.'
        Get-SmbShareAccess -inputobject $share 
       
        ''
        "Folder name and permissions." 
        '' 
        $share.Path   
        Get-Acl -path $share.Path  | select-object -ExpandProperty access |  format-table -Property IdentityReference, AccessControlType, FileSystemRights, IsInherited   
    }
        


    Tuesday, January 21, 2020 2:26 PM
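
Added example, not part of MotoX80's post: the SmbShare cmdlets used in the script above ship with Windows Server 2012 and later, so on a Server 2008 R2 file server like the one in this thread the same share/NTFS comparison can be produced through WMI. It assumes an elevated PowerShell 2.0 or later session on the file server; the variable names are illustrative.

```powershell
# Added example (not from the thread): share vs. NTFS permissions via WMI,
# for hosts where Get-SmbShare / Get-SmbShareAccess are not available.

# Type = 0 selects ordinary disk shares, which leaves out C$, ADMIN$ and IPC$.
$shares = Get-WmiObject -Class Win32_Share -Filter 'Type = 0 AND Name <> "print$"'

foreach ($share in $shares) {
    '--------------------'
    "---    {0}" -f $share.Name
    '--------------------'
    ''
    'Share permissions.'
    # WQL string values need backslashes and single quotes escaped.
    $name = $share.Name.Replace('\', '\\').Replace("'", "\'")
    $sec  = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name = '$name'"
    $result = if ($sec) { $sec.GetSecurityDescriptor() } else { $null }

    if ($result -and $result.ReturnValue -eq 0) {
        $rows = foreach ($ace in $result.Descriptor.DACL) {
            $t = $ace.Trustee
            $account = if ($t.Domain) { '{0}\{1}' -f $t.Domain, $t.Name } else { $t.Name }
            # The three masks the Share Permissions dialog writes.
            $rights = switch ($ace.AccessMask) {
                2032127 { 'Full' }
                1245631 { 'Change' }
                1179817 { 'Read' }
                default { '0x{0:X}' -f $ace.AccessMask }
            }
            # AceType 0 = allow, 1 = deny.
            $type = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }
            New-Object PSObject -Property @{ Account = $account; Type = $type; Rights = $rights }
        }
        $rows | Format-Table -Property Account, Type, Rights -AutoSize
    } else {
        'Could not read the share security descriptor.'
    }

    ''
    'Folder name and permissions.'
    ''
    $share.Path
    Get-Acl -Path $share.Path | Select-Object -ExpandProperty Access |
        Format-Table -Property IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
}
```

Access through a share is limited by both lists, so when comparing the working and failing shares look for a Deny entry or a missing group in either table.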
  • Hi,

    Did you have any updates on this question?

    Best Regards,

    Candy



    Friday, January 24, 2020 5:57 AM