
I just had an issue where users were directly added to the ACL of a folder. I created a group, added them to the group, added the group to the ACL of the folder and then removed the users and pressed apply. 18 of about 20 users were unaffected, but for some reason two users were denied access. I checked the effective permissions tab and they were there. I added both users explicitly again. One of them still had an issue. I double-checked offline files, but the data was not cached. I then had the other user restart their PC and the problem seemed to resolve itself after that. I have always seen permissions apply pretty much in real time. My questions are:

Why would this happen, especially since they were denied permission right away?
When does a user account authenticate?

Philosophene
  • 4
    `added them to the group` - This seems like the source of your problem. Group memberships are evaluated when a person authenticates to the domain or computer. After that, they are cached for a long time. – Zoredache Jun 18 '14 at 00:15
  • 3
    These aren't the nitty-gritty details but should give you the gist: NTFS permissions granted to a group are evaluated based on membership in the group. A user's group membership is contained in their access token, which is created at logon. If the user didn't log out and back in, thereby getting the new group membership in their access token, then they would be denied access to the folder. A user account "authenticates" to a resource when he or she accesses that resource. The user's access token, on the other hand (containing their group membership), is created at login. – joeqwerty Jun 18 '14 at 00:58
  • 1
    Please post your answers in the answer section so I can mark this as answered and get you your credit. – Philosophene Jun 18 '14 at 15:06
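
A way to check for the condition the comments describe, as an added example that is not part of the original thread: it compares the group SIDs in the current logon session's access token with the membership Active Directory computes right now (the `tokenGroups` attribute). It assumes a domain-joined machine and a domain account, and that it is run in the affected user's session; the `Resolve-Sid` helper and the `State` labels are names chosen for this example.

```powershell
# Added example: compare this logon session's token with the directory's current view.
# Assumption: domain-joined machine, domain account, run as the affected user.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.Groups | ForEach-Object { $_.Value })   # snapshot taken at logon

# Find the same account in Active Directory by SID (hex-escaped for the LDAP filter).
$sidBytes = New-Object byte[] ($identity.User.BinaryLength)
$identity.User.GetBinaryForm($sidBytes, 0)
$sidFilter = ($sidBytes | ForEach-Object { '\{0:X2}' -f $_ }) -join ''
$result = ([adsisearcher]"(objectSid=$sidFilter)").FindOne()
if (-not $result) { throw 'Account not found in the directory (local account?).' }

# tokenGroups is a constructed attribute: the DC expands nested membership on request.
$user = $result.GetDirectoryEntry()
$user.RefreshCache(@('tokenGroups'))
$directorySids = @(foreach ($bytes in $user.Properties['tokenGroups']) {
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
})

# Only compare groups from the account's own domain; the token also carries
# well-known and local-machine SIDs that tokenGroups never lists.
$domainPrefix = $identity.User.AccountDomainSid.Value + '-'

# In the directory but not in the token: access through these groups is denied
# until the user logs on again.
$missing = @($directorySids | Where-Object { $_ -notin $tokenSids })

# In the token but no longer in the directory: access through these groups
# continues until the session ends.
$stale = @($tokenSids | Where-Object {
    $_.StartsWith($domainPrefix) -and $_ -notin $directorySids
})

# Hypothetical helper: translate a SID to DOMAIN\name, falling back to the raw SID.
function Resolve-Sid($sid) {
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $sid }
}

$missing | ForEach-Object { [pscustomobject]@{ State = 'NotYetInToken';     Group = Resolve-Sid $_ } }
$stale   | ForEach-Object { [pscustomobject]@{ State = 'RemovedButInToken'; Group = Resolve-Sid $_ } }
```

An empty result means the session's token matches the directory. A `RemovedButInToken` row is the case to watch when membership is being revoked rather than granted.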

0 Answers