Access denied on a share folder when using a domain security group

  • Question

  • Hello,

    I have a simple problem: I can't access a share folder if I use a domain security group.

    When I put the same user directly in the share folder credential, it works fine.

    Test 1:

    Folder Name: MyFolder

    Credential: My_Domain\My_Group with "full control"

    => My_Domain\My_Group contains My_Domain\My_User

    If I try to access the folder, I get an "Access Denied" error.

    Test 2:

    Folder Name: MyFolder

    Credential: My_Domain\My_User with "full control"

    If I try to access the folder, it works fine.

    If you have any explanation for this trouble, I will be very happy.

    Wednesday, October 9, 2019 4:07 PM

All replies

  • Use the effective access tab to see where the access is blocked. Select different users who are members of My_Domain\My_Group. 

    Also check your security eventlog to see if there are any logon errors when the user connects. 

    • Edited by MotoX80 Wednesday, October 9, 2019 5:01 PM
    Wednesday, October 9, 2019 4:59 PM
  • Hi,

    Thanks for posting in our forum!

    I've had this problem before. Please try the following methods.

    1. Add domain users to ACL separately.

    2. UAC is totally prohibited through the registry (2008 R2 version can be completely prohibited through the GUI interface, but 2016 version needs to pass through the registry), and then restart the server.

    The registry path is as follows:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System   enableLUA = 0

    Anything unclear, please feel free to let me know.

    Best Regards,

    Daniel


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, October 10, 2019 6:14 AM
    Moderator
  • Hello, 

    Thanks for your feedback. Here are the details of my test:

    Domain: AVMTEST

    Domain security group name: AVMTEST\Convertor_Servers

    Server with share folder: SRV-HOST-01-PP (included in the domain AVMTEST)

    Share Folder name on SRV-HOST-01-PP: ShareFolder on path "D:\AVM Informatique\Shared_Publipost"

    Effective permissions on physical path "D:\AVM Informatique\Shared_Publipost"

    Effective permissions are enough:

    Group "Convertor_Servers" with my user AVMTEST.COM\convsrv.svc

    TEST 1 - ACCESS WITH DOMAIN SECURITY GROUP IN SHARE PERMISSION:

     

    My share folder properties on server "SRV-HOST-01-PP"

    When I try to access the folder:

    I DON'T HAVE PERMISSION

    TEST 2 - ACCESS WITH DOMAIN USER IN SHARE PERMISSION

    When I try to access the folder, everything works fine:

    Really, I don't understand WHY?

    Do you have any idea?

    Regards,

    Thursday, October 10, 2019 2:52 PM
  • Hello,

    First of all, thanks for your feedback.

    When you said: "1 Add domain users to ACL separately" => What does it mean?

    Sorry, but I don't understand step 2!

    You can read my response to MotoX80, with a step-by-step reproduction.

    Regards,

    Yannick

    Thursday, October 10, 2019 2:56 PM
  • Hi,

    Thanks for your reply!

    1. After you add the user to the group, have you logged out and logged in again?

    2. Do all members of this group have no access to this shared folder?

    3. Are you configuring any denied permissions for this user?



    Friday, October 11, 2019 8:09 AM
    Moderator
  • Check the security eventlog for any logon errors when the user tries to connect to the share.
    Friday, October 11, 2019 10:47 AM
  • Hello,

    1. After you add the user to the group, have you logged out and logged in again?

    NO, THE USER IS NOT ABLE TO CONNECT WITH RDP ON THIS SERVER

    2. Do all members of this group have no access to this shared folder?

    YES, IT CAN BE REPRODUCED ON ALL USER MEMBERS OF THE GROUP

    3. Are you configuring any denied permissions for this user?

    NO DENY PERMISSIONS, ONLY FULL CONTROL on SHARE FOLDER

    Friday, October 11, 2019 1:23 PM
  • Here is the result: for the same user, the result is different for the 2 tests:

    1 - I put the user in the security group, then put the group in the folder security

    2 - I put the user directly in the folder security (with the same rights)

    Audit Security:

    Test 1:

    1 - I put user "AVMTEST\Convsrv.svc" in the security group "Convertor_Servers", then I put the group in the folder security (Full-Control)


    A network share object was checked to see whether client can be granted desired access.

    Subject:
        Security ID:            AVMTEST\convsrv.svc
        Account Name:           convsrv.svc
        Account Domain:         AVMTEST
        Logon ID:               0x19AE2253B

    Network Information:
        Object Type:            File
        Source Address:         192.168.0.101
        Source Port:            56082

    Share Information:
        Share Name:             \\*\ShareFolder
        Share Path:             \??\D:\AVM Informatique\Shared_Publipost
        Relative Target Name:   \

    Access Request Information:
        Access Mask:            0x100080
        Accesses:               SYNCHRONIZE
                                ReadAttributes

    Access Check Results:
        SYNCHRONIZE:            Not granted
        ReadAttributes:         Not granted

    Test 2:

    2 - I put the user "AVMTEST\Convsrv.svc" directly in the folder security (with the same rights: FULLCONTROL)

    A network share object was checked to see whether client can be granted desired access.

    Subject:
        Security ID:            AVMTEST\convsrv.svc
        Account Name:           convsrv.svc
        Account Domain:         AVMTEST
        Logon ID:               0x19AE2253B

    Network Information:
        Object Type:            File
        Source Address:         192.168.0.101
        Source Port:            56083

    Share Information:
        Share Name:             \\*\ShareFolder
        Share Path:             \??\D:\AVM Informatique\Shared_Publipost
        Relative Target Name:   \

    Access Request Information:
        Access Mask:            0x100080
        Accesses:               SYNCHRONIZE
                                ReadAttributes

    Access Check Results:
        SYNCHRONIZE:            Granted by D:(A;;FA;;;S-1-5-21-2949748946-874533534-863285228-1149)
        ReadAttributes:         Granted by D:(A;;FA;;;S-1-5-21-2949748946-874533534-863285228-1149)


    Friday, October 11, 2019 2:15 PM
  • Actually,

    The only solution I've found is to:

    - Create a local group on the machine hosting the share folder.

    - Add my domain user to the local group.

    - Add the local group to the share folder.

    I would really like to use a domain security group, not a local group.

    Regards,

    Friday, October 11, 2019 3:12 PM
  • See https://www.onlinecomputertips.com/support-categories/windows/690-ad-groups

    What is the group scope and group type of AVMTEST\Convertor_Servers? 

    Friday, October 11, 2019 7:23 PM
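Added example (not part of any post in this thread): a simplified Python model of the DACL walk behind the audit events posted above, using the access mask and the granting ACE printed in the Test 2 event. It shows why the same Full Control ACE, when it names a group, is honoured only if that group's SID is in the caller's token, which is what the re-logon and group scope/type questions are checking. The group SID and the token sets are constructed placeholders, and treating the SID ending in -1149 as the service account's SID is an assumption.

```python
import re

# SDDL file-rights abbreviations (subset) and the access masks they stand for.
SDDL_RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
# Right names as the audit event prints them (subset covering the page's mask).
BIT_NAMES = {0x1: "ReadData", 0x2: "WriteData", 0x80: "ReadAttributes",
             0x100: "WriteAttributes", 0x10000: "DELETE", 0x100000: "SYNCHRONIZE"}
# One ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee_sid)
ACE_RE = re.compile(r"\(([^;()]*);[^;()]*;([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")

DESIRED = 0x100080  # "Access Mask" from both events on the page
USER_SID = "S-1-5-21-2949748946-874533534-863285228-1149"  # trustee in the Test 2 event
GROUP_SID = "S-1-5-21-PLACEHOLDER-GROUP"  # constructed placeholder, not from the page
TEST2_DACL = "D:(A;;FA;;;" + USER_SID + ")"   # granting ACE printed in the Test 2 event
TEST1_DACL = "D:(A;;FA;;;" + GROUP_SID + ")"  # constructed: same ACE naming the group

def decode_mask(mask):
    """Names of the rights set in an access mask, lowest bit first."""
    return [name for bit, name in sorted(BIT_NAMES.items()) if mask & bit]

def parse_dacl(sddl):
    """Return [(ace_type, mask, trustee_sid)] for every ACE in an SDDL DACL."""
    aces = []
    for ace_type, rights, sid in ACE_RE.findall(sddl):
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)
        else:  # concatenated two-letter abbreviations, e.g. "FA"
            mask = 0
            for i in range(0, len(rights), 2):
                mask |= SDDL_RIGHTS[rights[i:i + 2]]
        aces.append((ace_type, mask, sid))
    return aces

def access_check(desired, aces, token_sids):
    """Simplified DACL walk: only ACEs whose trustee SID is in the token count."""
    granted = 0
    for ace_type, mask, sid in aces:
        if sid not in token_sids:
            continue  # ACE names a SID this logon session does not carry
        if ace_type == "D" and (mask & desired & ~granted):
            return False  # a deny ACE hit a right not yet granted
        if ace_type == "A":
            granted |= mask
        if (granted & desired) == desired:
            return True
    return False  # end of DACL without all desired rights: access denied

if __name__ == "__main__":
    print(decode_mask(DESIRED))
    print(access_check(DESIRED, parse_dacl(TEST2_DACL), {USER_SID}))             # user ACE
    print(access_check(DESIRED, parse_dacl(TEST1_DACL), {USER_SID}))             # no group SID
    print(access_check(DESIRED, parse_dacl(TEST1_DACL), {USER_SID, GROUP_SID}))  # group SID
```

On the file server, `whoami /groups` run as the connecting account lists the SIDs its current token actually carries, which can be compared with the trustee SID in the share's ACE.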
  • This is a workaround. In addition, you can discuss with AD experts over here:

    AD security forum:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity

    Best Regards,

    Daniel



    Monday, October 14, 2019 1:04 AM
    Moderator