none
Regarding Security Permissions not applying for copied AD Users

    Question

  • Hello everyone

    I am having a windows server 2008  Domain Controller in that we have created some User accounts.  recently I have created few user accounts by coping the existing user accounts for new hires. now the problem is the existing users  permissions are not matching with the copied user accounts. can you please help me in resolving this issue.

    Thanks

    Arvind Chormalle


    Thursday, July 16, 2015 2:29 PM

Answers

All replies

  • Since we do not know what permissions are "not matching" it is quite
    hard to assist further :)
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Thursday, July 16, 2015 3:26 PM
  • Hi,

    are the groups membership matching?


    This post is provided AS IS with no warranties or guarantees, and confers no rights.
    ~~~
    Questo post non fornisce garanzie e non conferisce diritti

    Thursday, July 16, 2015 3:35 PM
  • HI Martin thank you for your reply

    Shared Permissions and NTFS Permissions are not matching for the copied user.

    Thanks

    Arvind CHromalle

    Thursday, July 16, 2015 3:37 PM
  • When you copy an user you copy groups membership and other common attributes. The new object will have the same security as the original.

    If you have permissions assigned to folder C:\share for user A and you copy user A to user B, do not expect user B will have the same permission on c:\share 


    This post is provided AS IS with no warranties or guarantees, and confers no rights.
    ~~~
    Questo post non fornisce garanzie e non conferisce diritti


    • Edited by aperelli Thursday, July 16, 2015 3:51 PM
    • Proposed as answer by Alex LvModerator Tuesday, July 21, 2015 3:21 AM
    Thursday, July 16, 2015 3:51 PM
  • yes the group members permissions are matching sir

    thanks

    Arvind CHormalle

    Thursday, July 16, 2015 4:31 PM
  • yes that's the main problem sir

    could please help me regarding this

    Thursday, July 16, 2015 4:34 PM
  • > If you have permissions assigned to folder C:\share for user A and you
    > copy user A to user B, do not expect user B will have the same
    > permission on c:\share
     
    There's no easy solution to that. If you use user accounts in your
    permissions, you have some work now. If you had used groups instead, it
    would be working right now.
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Thursday, July 16, 2015 4:39 PM
  • Sir these all users in one 'OU' and before it was working fine.

    Thursday, July 16, 2015 4:41 PM
  • My Shared Folders are in D:\Share\DashBoard.

    before it was working fine but since from 6-7 day's this issue is happening.

    Thursday, July 16, 2015 4:55 PM
  • you need to add the ACL manually, copying the users in AD won't do that. As it has pointed out you should use groups to grant permissions on folders

    This post is provided AS IS with no warranties or guarantees, and confers no rights.
    ~~~
    Questo post non fornisce garanzie e non conferisce diritti

    Thursday, July 16, 2015 4:58 PM
  • yes your are right sirfor example: we have an ou called ABC in that we have created a group and added the users into that group and that group contains the all permissions and we are coping that group's member account to create the new user account. but its not working.

    thanks

    Arvind Chormalle

    Thursday, July 16, 2015 5:09 PM
  • That's strange if the group has the permissions on the folder and the new user is member of that group it has to have the permissions of the group, unless it's also member of a group who has access explicitly denied

    This post is provided AS IS with no warranties or guarantees, and confers no rights.
    ~~~
    Questo post non fornisce garanzie e non conferisce diritti

    Thursday, July 16, 2015 5:12 PM
  • I also checked inn the user accounts properties the users are having the same groups and in Member of selection
    Thursday, July 16, 2015 5:15 PM
  • how do we add the ACL Manually ...?

    Thursday, July 16, 2015 6:08 PM
  • to the share? Security tab of the folder and sharing tab, add the users, but you said that they are part of a group which has the permissions already, so it's a bit confusing, just try with a single user and see what happens.

    This post is provided AS IS with no warranties or guarantees, and confers no rights.
    ~~~
    Questo post non fornisce garanzie e non conferisce diritti

    Thursday, July 16, 2015 7:58 PM
  • yes that the user account is the part of that group. when I add same user account by manually (IN Security Tab Of the Shared folder) its Works.
    Thursday, July 16, 2015 8:01 PM
  • you might have some replica issue, try a dcdiag

    This post is provided AS IS with no warranties or guarantees, and confers no rights.
    ~~~
    Questo post non fornisce garanzie e non conferisce diritti

    Thursday, July 16, 2015 8:13 PM
  • let me try thank you sir.
    Thursday, July 16, 2015 8:15 PM
  • ok, please don't call me sir :)

    This post is provided AS IS with no warranties or guarantees, and confers no rights.
    ~~~
    Questo post non fornisce garanzie e non conferisce diritti

    Thursday, July 16, 2015 8:23 PM
  • okay Sorry :)
    Thursday, July 16, 2015 8:28 PM
  • Hi APerelli i have tried by using this Command but its not working could you please suggest me if any other hint.

    thanks

    Arvind Chormalle

    Friday, July 17, 2015 4:44 AM
  • "dcdiag" on the DC is not working?

    This post is provided AS IS with no warranties or guarantees, and confers no rights.
    ~~~
    Questo post non fornisce garanzie e non conferisce diritti

    Friday, July 17, 2015 7:33 AM
  • Hi Arvind,

    Does you saw any error when "dcdiag" not work? We can use that tool to diagnostics the DC potential issue, it make the potential issue more easy to troubleshoot, most times we can use it to locate the issue point, more details please refer the following KB:

    Domain Controller Diagnostics Tool (dcdiag.exe)

    https://technet.microsoft.com/en-us/library/Cc776854(v=WS.10).aspx

    Best Regards,


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com


    Tuesday, July 21, 2015 5:46 AM
    Moderator
  • Hi

    what answer  i am looking for is i have some existing user in a group and the user and group have the permission for a folder recently our organization was hired few employees so their permission should match with the existing users when we create those account by coping the existing user account but unfortunately  the permission are not matching  with existing user account with whom account we cpied to creating these user account. please help me out.

    Thanks

    Wednesday, July 22, 2015 2:16 PM
  • 1. We said already that the account are members of the same groups and that folder permission are assigned to these groups. Correct?

    2. Before the permissions apply the user should logoff and logon, but I believe they did. Correct?

    You might have replica issues, that's why I asked to run dcdiag.


    This post is provided AS IS with no warranties or guarantees, and confers no rights.
    ~~~
    Questo post non fornisce garanzie e non conferisce diritti

    Wednesday, July 22, 2015 2:25 PM
  • Hi Arvind,

    What is the error message new users get when they access shared folder? Does old users also get same error message?

    -Umesh.S.K


    Wednesday, July 22, 2015 2:29 PM
  • okay

    Thanks

    Wednesday, July 22, 2015 2:29 PM
  • Hi Umesh

    i am getting this error while accessing the shared folder

    Windows Cannot Access \\Pc\Share\Folder

    thanks

    Wednesday, July 22, 2015 2:38 PM
  • Hi Arvind,

    Please post complete error message or screenshot. Does  this error appears for all users in the group? or only for new users (who are members of same group)?

    -Umesh.S.K

    Wednesday, July 22, 2015 2:40 PM
  • Do not mark as answered untill issue is resolved :)
    Wednesday, July 22, 2015 2:42 PM

  • Wednesday, July 22, 2015 2:45 PM
  • this is the error which i am getting while accessing the shaed folder and all the users are in the same group

    Wednesday, July 22, 2015 2:46 PM
  • if run "wnoami /all" do you see all the groups the user is supposed to belong to? Does it have additional groups which maybe are denied access to that? Again, you should check for replica issue with dcdiag on the domain controller.

    This post is provided AS IS with no warranties or guarantees, and confers no rights.
    ~~~
    Questo post non fornisce garanzie e non conferisce diritti

    Wednesday, July 22, 2015 2:58 PM
  • i ran the dcdiag cammand and i havn't seen any Replication error all the replication process is working fine

    what next?

    thanks

    Wednesday, July 22, 2015 4:59 PM
  • if run "wnoami /all" do you see all the groups the user is supposed to belong to? Does it have additional groups which maybe are denied access to that? 

    Also, purge the kerberos tickets and reboot (possibly on the server as well)

    You can use this script:

    https://gallery.technet.microsoft.com/Purge-All-Kerberos-Tickets-13e5abfb

    or kilist:

    https://technet.microsoft.com/en-us/library/hh134826.aspx


    This post is provided AS IS with no warranties or guarantees, and confers no rights.
    ~~~
    Questo post non fornisce garanzie e non conferisce diritti

    Wednesday, July 22, 2015 8:39 PM
  • Hi Arvind,

    There could be various reasons for this error. However, can you perform these testing and let us know the result?

    1) telnet arvind-pc 445. Does it connect?

    2) Please follow the steps given in this link

    http://answers.microsoft.com/en-us/windows/forum/windows_7-security/getting-access-is-denied-when-accessing-windows-7/23369f35-bc45-4147-9c3e-74a47d530757?auth=1

    3) When you enter \\arvind-pc\ , is the shared folder visible?

    4) I guess this is your pc. Are you trying to access this share from the same machine? or from network?

    -Umesh.S.K

    Thursday, July 23, 2015 7:52 AM
  • Check also the "Access this computer from the network" security settings

    https://technet.microsoft.com/en-us/library/cc740196%28v=ws.10%29.aspx


    This post is provided AS IS with no warranties or guarantees, and confers no rights.
    ~~~
    Questo post non fornisce garanzie e non conferisce diritti

    Thursday, July 23, 2015 7:55 AM
  • > what answer  i am looking for is i have some existing user in a group
    > and the user and group have the permission for a folder recently our
     
    [Offtopic] punctuation and line breaks help to make questions more
    readable [/Offtopic]
     
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Thursday, July 23, 2015 9:08 AM
  • Hi Arvind,

    Did you perform the test I asked you to do? Were you able to fix the issue?

    -Umesh.S.K

    Friday, July 24, 2015 7:31 AM
  • Hi Umesh

    thank you for reply again. I had  fixed this issue by re generating the security permissions to that folderand i also recreated the security group.

    thanks

    Arvind Chormalle


    Monday, July 27, 2015 7:48 PM
  • Good to hear you solved the issue :)

    - Umesh.S.K

    Tuesday, July 28, 2015 6:54 AM