Groups Permissions; creating a new group & adding full access does not appear to work

C

cubafive

I want to secure a folder to have full access only to a few users.

I create a group, say "FooUsers", and add users to it.

I add this new group to the permissions of a folder with full access.

However, the members of "FooUsers" still do not have full access!?!?!?

If I individually add each user (of "FooUsers") to have fulll access of
that folder it works.

What gives? What am I missing???
 
J

Jimmy Andersson [MVP]

Are they members of any other groups with access denied?
The reason that you can add them individually is because they get explicit
permissions.

Regards,
/Jimmy
 
C

c5

Jimmy said:
Are they members of any other groups with access denied?
The reason that you can add them individually is because they get explicit
permissions.
Click to expand...

Hey, very good question. The answer is No.

And you are right, they get explicit permissions, and you hit upon the
"sum of permissions" as members of other groups. Which sort of had
something to do with this...

But I think the problem was that the user was "logged on" (via a
network share; the user would show up in Sessions).

When a User is logged on, changing explicit permissions happen right
away, i.e. I (Administrator) click "Apply" to folder permissions and
the user indeed has those permissions next access.

However, when a User is logged on, adding/removing a User to/from a
Group and (I think, there are many permutations to test) changing Group
permissions the results are like they are "cached", i.e. the User must
log off and then log on for the permissions to be as expected.

So, I would add a user to a group, change the group to full access, and
because the User was logged on it looked like it did not work. But I
think (I still have more testing) it works as expected when the user
logs off/on.
 
J

Jimmy Andersson [MVP]

Yes, the users needs either to logon/off in order to get a new Kerberos
ticket with the new group membership in it. Or they need to wait until the
ticket gets renewed which is not an option in this case....
If you don't want to have the user logon/off you can force a ticket renewal
with Reskit tools.

Regards,
/Jimmy
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Creating groups and permissions 1
Adding a group to a group 2
AD Permissions 1
Local Profile Permissions 4
Simple Active Directory Directory Sharing Problem 1
USERS group and NTFS permissions 1
Permissions "lost" on file.. how? 1
adding user to group for additional file access takes forever 1

Top