Re: Shared Folder NTFS Permission Problems with Domain Accounts




"Charles" <Charles@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4C721CD9-6D97-445D-87D5-09C0B7626C00@xxxxxxxxxxxxxxxx
> Hello,
>
> I look after a firm which has two DCs and four more servers and I've
> recently encountered a problem when I share a folder on one of the four
> servers (N.B. I do not have this problem on either of the DCs).
>
> I can share the folder without a problem and then when selecting NTFS
> permissions on the folder (not the share, the share permissions are set
> for everyone to have full access) and I select one of the security
> principals for the domain e.g. "domainname\users" I get a message saying
> name not found.

You cannot use LOCAL groups of the domain on non-DCs unless you are
in (at least) Native mode.

Users is a local group on the domain.

If you change the domain to Native (or Win2003 Server Native) mode then
the Local Groups of the domain become (true) Domain Local groups
automatically and you can then use these groups on every non-DC (server or
workstation) of the domain -- i.e., they are still 'local' within the domain
but now available throughout the domain.

IF you cannot do this then you will need to use a Global group of the
domain.

> I've made sure that the server is looking within the container for my
> domain and I know it's contacting the DC because I can select security
> groups which I've created I just can't select any of the built-in security
> principals for the domain. I can select local security principals without
> a problem.

Probably because you kept picking Local built-in groups and your own
groups just happen to be Globals.

Try picking Domain Users or try it with a local group YOU created and
it is likely you will get the reverse effect.

> I've tried removing the servers from the domain and re-joining, this
> didn't help. I also tried removing the computer account for one of the
> servers and recreating it and then re-joining but again no luck.

Generally a poor idea today -- as today computer SIDs may be important
(or are starting to be important) -- try to avoid removing computer accounts
from the domain whenever possible.

> Any help anyone could offer would be greatly appreciated as I'm stumped.

--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
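
Added example, not part of the original posts: a PowerShell check of the domain mode and of the scope of the two groups named in the thread, followed by an NTFS grant to the Global group. It assumes the ActiveDirectory RSAT module is installed; the folder path and the Modify right are constructed placeholders.

```powershell
# Added example. Assumes the ActiveDirectory module; run on the member server
# as an account allowed to change the folder's ACL.
Import-Module ActiveDirectory

$folder = 'D:\Shares\Example'        # constructed placeholder path
$names  = 'Users', 'Domain Users'    # the two groups discussed in the thread

# Domain functional level (the "mode" the reply refers to).
$domain = Get-ADDomain
"Domain mode: $($domain.DomainMode)"

# Scope of each group as recorded in the directory. The container in the
# distinguished name shows whether a group lives under Builtin or Users.
$groups = foreach ($n in $names) {
    Get-ADGroup -Filter "SamAccountName -eq '$n'" |
        Select-Object Name, GroupScope, GroupCategory, SID, DistinguishedName
}
$groups | Format-List

# Grant the Global group access on the folder, as the reply suggests.
# The ACE is built from the SID, so no name lookup in the picker is involved.
$target = $groups | Where-Object { $_.GroupScope -eq 'Global' } | Select-Object -First 1
if ($null -eq $target) {
    Write-Warning 'No Global group found among the names checked; ACL left unchanged.'
}
else {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $target.SID,
        'Modify',                            # assumed right; use what the share needs
        'ContainerInherit,ObjectInherit',    # apply to subfolders and files
        'None',
        'Allow')

    $acl = Get-Acl -Path $folder
    $acl.AddAccessRule($rule)
    Set-Acl -Path $folder -AclObject $acl

    # Show the resulting entries so the new ACE can be confirmed.
    (Get-Acl -Path $folder).Access |
        Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```

Because the share permissions in the question give Everyone full access, the NTFS ACL is the only effective control on this folder, so the right granted here should be the narrowest one that works.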

