Archived from groups: microsoft.public.win2000.active_directory
Yes, the users need either to log off/on in order to get a new Kerberos
ticket with the new group membership in it. Or they need to wait until the
ticket gets renewed, which is not an option in this case....
If you don't want to have the user log off/on, you can force a ticket renewal
with Reskit tools.
Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------
"c5" <cubafive@yahoo.com> wrote in message
news:1103745121.822248.278860@f14g2000cwb.googlegroups.com...
> Jimmy Andersson [MVP] wrote:
>> Are they members of any other groups with access denied?
>> The reason that you can add them individually is because they get
>> explicit permissions.
>
> Hey, very good question. The answer is No.
>
> And you are right, they get explicit permissions, and you hit upon the
> "sum of permissions" as members of other groups. Which sort of had
> something to do with this...
>
> But I think the problem was that the user was "logged on" (via a
> network share; the user would show up in Sessions).
>
> When a User is logged on, changing explicit permissions happens right
> away, i.e. I (Administrator) click "Apply" to folder permissions and
> the user indeed has those permissions next access.
>
> However, when a User is logged on, adding/removing a User to/from a
> Group and (I think, there are many permutations to test) changing Group
> permissions, the results are like they are "cached", i.e. the User must
> log off and then log on for the permissions to be as expected.
>
> So, I would add a user to a group, change the group to full access, and
> because the User was logged on it looked like it did not work. But I
> think (I still have more testing) it works as expected when the user
> logs off/on.
>