Group nesting troubles

B

barkley bees

Hi folks, I'm having a bit a problem with some group nesting issues and I
hope some of you might be able to point out the errors of me ways. Please
see the problem below:

A user cannot access a folder on a file server. This folder has NTFS modify
access permission set for "Group C".
The user is a member of "Group A" which is nested in "Group B" which is in
turn nested in "Group C".

Folder Resource -> Group C -> Group B -> Group A -> User

Native mode 2003 domain
Group A (Universal Distribution)
Group B (Universal Security Group)
Group C (Universal Security Group)

If the user is added directly to the folder resource he can access the
folder so I am wondering if this a nesting issue (access token limitation)
or an issue with Security/Distribution? Very much appreciate any help or
pointers. Thank you.
 
P

Paul Bergson [MVP-DS]

Try creating Group A as a Security Group and mail enable it, I'm not 100%
sure this is your problem but distribution groups don't have sid's assigned
to them, but mail enabled security groups should.

http://www.windowsecurity.com/articles/How-Nest-Users-Groups-Permissions.html

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
 
J

Joe Kaplan

Actually, they do have SIDs, but SIDs for distribution groups are not
included in the token. It is a minor technical difference, but I wanted to
point it out.

The problem is as Paul said. Group A needs the security bit set.

Joe K.
 
B

barkley bees

Thanks to you both Paul and Joe! I will take a look at it and test it out in
the morning. Cheers.
 
P

Paul Bergson [MVP-DS]

I didn't realize that, thanks for pointing out the difference.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

NetUserGetLocalGroups in multi-domain AD environment 2
Bulk group membership removal. 6
Universal group Win2k AD and Exchange 2000 ?? 3
Universal groups scope with trusted domains. 5
adding user to group for additional file access takes forever 1
Can i use the Group Domainadmins for two Domains? 1
Cross-Domain question (Parent - Child) 11
users from child in parent (w2k) 1

Top