Re: Changes to folder permissions not taking effect on Server 2008
- From: "Steve Riley [MSFT]" <steve.riley@xxxxxxxxxxxxx>
- Date: Mon, 1 Dec 2008 21:50:34 -0800
What you're seeing is the expected behavior.
When a user logs on, Windows creates a SID (security identifier) that contains a list of the security groups the user belongs to at that particular moment. Each time that user accesses a resource, the resource compares its own access list to the user's SID to check what permissions that user has. If you subsequently change that user's group membership, there's no way for an access control list to know this. The SID gets updated only when the user next logs on.
--
Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley
Protect Your Windows Network: http://www.amazon.com/dp/0321336437
"wasim" <wasim@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:000B37E6-05D4-44E5-822D-EA40F16451C4@xxxxxxxxxxxxxxxx
I am also having same kind of problem in win2003 server. added 2 users to a
group, applied permissions under share tab as full access, and under security
added group with read, execute rights, but it doesn't apply unless I resatrt
client(xp sp2)
don't know what can be the solution.
"schnell" wrote:
We have a new 2008 Server setup to replace an Apple OSX server. Our first
Windows file server in years so bear with me.
I have a share created and gave read access to the department using it. The
Data folder below that gives the department R/W access to everything. There
are only 2 special access folders, on which I turned off 'Include Inherited
Permissions from this objects parent' and removed the department from the
list. Then I added an Active Directory group and gave them R/W.
At this point my test account could browse the whole Data structure, but not
see the special access folders. Good. Then I added my test account to that AD
group to verify access. But it doesn't work - I couldn't get in. I needed to
log off the client machine (disconnecting and reconnecting the share didn't
help), and upon logging back in and reconnecting to the share I could see the
secured folders. Removing the test user from the AD group had the same
problem. I could access the folder for hours after, until I tried logging in
and out to 'fix' the problem.
I tried gpupdate on client and server to no avail. And the Effective
Permissions tab shows the expected rights, but the client doesn't seem to
care. Seems weird to have to log off of the client for security on the server
to take affect.
Server is 2008 SP1, client is XP Pro SP2.
What am I missing?
J
.
- References:
- Prev by Date: Re: Security (Keep the admin out of the workstation)
- Next by Date: Re: Security (Keep the admin out of the workstation)
- Previous by thread: RE: Changes to folder permissions not taking effect on Server 2008
- Next by thread: Re: Can Malware Automatically Startup in Safe Mode?
- Index(es):
Relevant Pages
|
