Re: Windows domain user is sometimes denied access to server share

Weird. Since the security log does not show any related logon failures on
the server then it would not appear to be a problem with wrong credentials
being sent for some reason. It would be good to verify if the user has the
same problem from any domain computer or just a particular one.

Steve


"Henrik Sjöström" <henrik_the_boss@xxxxxxxxxxx> wrote in message
news:OzaoMRw5GHA.668@xxxxxxxxxxxxxxxxxxxxxxx
TCP/IP is assigned by DHCP and ip settings on the client are no different
from anyone else.
I did double check the DHCP config but there ware no "dead" DNS servers
nor dead WINS Servers.
"ipconfig /all" on the client also looks normal / good.

Apart from the known bug of Kerberos ticket, netdiag passed all checks
(apart from the also known warning of one or more WINS setting missing)

Neither server nor client show any failures in any logs, although methinks
the things logged on the server needs to be increased a wee bit, since the
security log is IMHO a bit more empty than it should be.



"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uEfzdno5GHA.508@xxxxxxxxxxxxxxxxxxxxxxx
Since a reboot clears it I would think it is possibly networking related
such as improper DNS configuration on the computer he is using assuming
this happens on just his computer. Verify that his computer is using ONLY
domain controllers as the primary/secondary DNS servers as shown in
tcp/ip properties. I would also run the support tool netdiag on that
computer looking for any related errors and check the application log for
any userenv errors/warnings that can also indicate a problem finding or
contacting a domain controller. I would also check the server with the
share security log for logon failures that occur when he is denied access
to see they can provide any clues.

Steve

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 ---
Active Directory DNS FAQ


"Henrik Sjöström" <henrik_the_boss@xxxxxxxxxxx> wrote in message
news:uaAerIg5GHA.1200@xxxxxxxxxxxxxxxxxxxxxxx
Hello all.

We have a user that is randomly denied access to the company's file
server's shares.
He can access the shares that do not have security on them OK, but not
the ones that have security on them (security that his accounts is part
of / qualifies for)
He just get a "access denied". (He is running Win XP w SP 2 and full
HFs, and the server is a Win 2K3 w SP1 and full HFs)

This is the case when he tries to access his private share in the form
of USER$, as well as a couple of shares where access is restricted
either with windows user and or windows group accounts.
He does have at least modify permissions on the shares (in the case of
his private file area, he has full control). The permissions are set OK
both on the shares themselves as well as folder security.

When this occurs, we do not see anything wrong either on his computer or
on the server.
It does not help to disconnect the share, or accessing it by
\\FILESRV\USER$.
A reboot generally clears away the error, and he once again has access.

Since shares that allow everyone access works OK, my hunch is that his
profile is somehow broken, and that the hash that windows sends to the
server when asked to authenticate in order to access the folder is not
correct.

This is not a case of Windows fast logon, where Windows XP logs on
before all group policies have been downloaded, as the domain is small
(about 20 accounts, with no active policy changes in the last 6 months)

Logging onto his computer and deleting his profile so that he has to
start over in the hopes of fixing the problem does not appeal to either
him or me.
Note that Norton Internet Security 2006 is installed on the system, and
that this error occurs even though all of Norton's subsystems are
disabled.
No one else have had any problems, so we can probably rule out the
server, right?

Any thoughts?


// Henrik







.

Relevant Pages

  • Re: Windows domain user is sometimes denied access to server share
    ... I would also check the server with the share security log ... He can access the shares that do not have security on them OK, ... with windows user and or windows group accounts. ...
    (microsoft.public.windows.server.security)
  • security-basics Digest of: get.123_145
    ... VPN to ASP a security risk? ... Re: Multiple IPSec tunnels? ... Subject: Security NT Server ... VPN to ASP a security risk? ...
    (Security-Basics)
  • << SBS News of the week - Sept 26 >>
    ... And he points to the info you need to put the file on the server in the ... at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... by the firewall at risk. ...
    (microsoft.public.backoffice.smallbiz2000)
  • Re: << SBS News of the week - Sept 26 >>
    ... > And he points to the info you need to put the file on the server in the ... > at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... An attacker can exploit these flaws in tandem via specially ...
    (microsoft.public.backoffice.smallbiz2000)
  • << SBS News of the week - Sept 26 >>
    ... And he points to the info you need to put the file on the server in the ... at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... by the firewall at risk. ...
    (microsoft.public.windows.server.sbs)