|
Posted by Steve Riley [MSFT] on December 2, 2008, 12:50 am
If you were Registered and logged in, you could reply and use other advanced thread options
When a user logs on, Windows creates a SID (security identifier) that
contains a list of the security groups the user belongs to at that
particular moment. Each time that user accesses a resource, the resource
compares its own access list to the user's SID to check what permissions
that user has. If you subsequently change that user's group membership,
there's no way for an access control list to know this. The SID gets updated
only when the user next logs on.
--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
Protect Your Windows Network: http://www.amazon.com/dp/0321336437
> I am also having same kind of problem in win2003 server. added 2 users to
> a
> group, applied permissions under share tab as full access, and under
> security
> added group with read, execute rights, but it doesn't apply unless I
> resatrt
> client(xp sp2)
>
> don't know what can be the solution.
>
>
>
> "schnell" wrote:
>
>> We have a new 2008 Server setup to replace an Apple OSX server. Our first
>> Windows file server in years so bear with me.
>>
>> I have a share created and gave read access to the department using it.
>> The
>> Data folder below that gives the department R/W access to everything.
>> There
>> are only 2 special access folders, on which I turned off 'Include
>> Inherited
>> Permissions from this objects parent' and removed the department from the
>> list. Then I added an Active Directory group and gave them R/W.
>>
>> At this point my test account could browse the whole Data structure, but
>> not
>> see the special access folders. Good. Then I added my test account to
>> that AD
>> group to verify access. But it doesn't work - I couldn't get in. I needed
>> to
>> log off the client machine (disconnecting and reconnecting the share
>> didn't
>> help), and upon logging back in and reconnecting to the share I could see
>> the
>> secured folders. Removing the test user from the AD group had the same
>> problem. I could access the folder for hours after, until I tried logging
>> in
>> and out to 'fix' the problem.
>>
>> I tried gpupdate on client and server to no avail. And the Effective
>> Permissions tab shows the expected rights, but the client doesn't seem to
>> care. Seems weird to have to log off of the client for security on the
>> server
>> to take affect.
>>
>> Server is 2008 SP1, client is XP Pro SP2.
>>
>> What am I missing?
>>
>>
>> J
| 
XML site map