Groups Permissions; creating a new group & adding full acc..

Guest
Archived from groups: microsoft.public.win2000.active_directory

I want to secure a folder to have full access only to a few users.

I create a group, say "FooUsers", and add users to it.

I add this new group to the permissions of a folder with full access.

However, the members of "FooUsers" still do not have full access!?!?!?

If I individually add each user (of "FooUsers") to have full access of
that folder it works.

What gives? What am I missing???
 
Guest
Archived from groups: microsoft.public.win2000.active_directory

Jimmy Andersson [MVP] wrote:
> Are they members of any other groups with access denied?
> The reason that you can add them individually is because they get explicit
> permissions.

Hey, very good question. The answer is No.

And you are right, they get explicit permissions, and you hit upon the
"sum of permissions" as members of other groups. Which sort of had
something to do with this...

But I think the problem was that the user was "logged on" (via a
network share; the user would show up in Sessions).

When a User is logged on, changing explicit permissions happens right
away, i.e. I (Administrator) click "Apply" to folder permissions and
the user indeed has those permissions next access.

However, when a User is logged on, adding/removing a User to/from a
Group and (I think, there are many permutations to test) changing Group
permissions the results are like they are "cached", i.e. the User must
log off and then log on for the permissions to be as expected.

So, I would add a user to a group, change the group to full access, and
because the User was logged on it looked like it did not work. But I
think (I still have more testing) it works as expected when the user
logs off/on.
 
Guest
Archived from groups: microsoft.public.win2000.active_directory

Are they members of any other groups with access denied?
The reason that you can add them individually is because they get explicit
permissions.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------


<cubafive@yahoo.com> wrote in message
news:1103736912.834201.274440@c13g2000cwb.googlegroups.com...
>I want to secure a folder to have full access only to a few users.
>
> I create a group, say "FooUsers", and add users to it.
>
> I add this new group to the permissions of a folder with full access.
>
> However, the members of "FooUsers" still do not have full access!?!?!?
>
> If I individually add each user (of "FooUsers") to have full access of
> that folder it works.
>
> What gives? What am I missing???
>
 
Guest
Archived from groups: microsoft.public.win2000.active_directory

Yes, the users need either to logon/off in order to get a new Kerberos
ticket with the new group membership in it. Or they need to wait until the
ticket gets renewed which is not an option in this case....
If you don't want to have the user logon/off you can force a ticket renewal
with Reskit tools.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------


"c5" <cubafive@yahoo.com> wrote in message
news:1103745121.822248.278860@f14g2000cwb.googlegroups.com...
> Jimmy Andersson [MVP] wrote:
>> Are they members of any other groups with access denied?
>> The reason that you can add them individually is because they get explicit
>> permissions.
>
> Hey, very good question. The answer is No.
>
> And you are right, they get explicit permissions, and you hit upon the
> "sum of permissions" as members of other groups. Which sort of had
> something to do with this...
>
> But I think the problem was that the user was "logged on" (via a
> network share; the user would show up in Sessions).
>
> When a User is logged on, changing explicit permissions happens right
> away, i.e. I (Administrator) click "Apply" to folder permissions and
> the user indeed has those permissions next access.
>
> However, when a User is logged on, adding/removing a User to/from a
> Group and (I think, there are many permutations to test) changing Group
> permissions the results are like they are "cached", i.e. the User must
> log off and then log on for the permissions to be as expected.
>
> So, I would add a user to a group, change the group to full access, and
> because the User was logged on it looked like it did not work. But I
> think (I still have more testing) it works as expected when the user
> logs off/on.
>
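
Added example, not part of the thread and not any poster's code: a simplified Python model of the behaviour discussed above, where the session's group list is fixed at logon while the folder ACL is read on every access. It is a model, not the Windows API; the names `alice` and `NoFoo`, the rights mask and the ACE layout are constructed for illustration.

```python
from dataclasses import dataclass

FULL = 0b111  # constructed rights mask standing in for "full access"

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # user or group name standing in for a SID
    mask: int

class Directory:
    """Current group membership as stored in the directory."""
    def __init__(self):
        self.members = {}                       # group -> set of users
    def add(self, group, user):
        self.members.setdefault(group, set()).add(user)
    def groups_of(self, user):
        return {g for g, m in self.members.items() if user in m}

def logon(directory, user):
    """Snapshot the user's SIDs once; later group edits do not change it."""
    return frozenset({user} | directory.groups_of(user))

def access_check(token, acl, wanted):
    """Walk ACEs in order; a matching deny on a still-needed bit wins."""
    remaining = wanted
    for ace in acl:
        if ace.sid not in token:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False

def scenario():
    d = Directory()
    acl = [Ace("allow", "Administrators", FULL)]
    session = logon(d, "alice")                  # alice connects to the share
    d.add("FooUsers", "alice")                   # admin edits the group...
    acl.append(Ace("allow", "FooUsers", FULL))   # ...and the folder ACL
    stale = access_check(session, acl, FULL)     # old snapshot lacks FooUsers
    acl.append(Ace("allow", "alice", FULL))      # explicit per-user ACE
    explicit = access_check(session, acl, FULL)  # user SID matches at once
    acl.pop()
    fresh = access_check(logon(d, "alice"), acl, FULL)   # after log off/on
    d.add("NoFoo", "alice")                      # membership in a denied group
    deny_acl = [Ace("deny", "NoFoo", FULL)] + acl
    denied = access_check(logon(d, "alice"), deny_acl, FULL)
    return stale, explicit, fresh, denied
```

`scenario()` returns the four outcomes in thread order: group grant with the old session, explicit user grant, group grant after a new logon, and the deny-group case asked about in the first reply.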
 
