User cannot access file server

Discussion in 'Software' started by guess who, Sep 10, 2007.

  1. guess who

    guess who Bit Poster

    Hi everyone !

    Well, I've got a little problem in my company.

    Here's the case:

    2 servers running, 1 Domain Controller and 1 is file server. One user can access domain controller but cannot access file server. Says "Access denied" but he has all necessary rights ?!?! :eek: I mean, he is in organizational unit like all other users but he is the only one who can't access that specific server. :blink


    Does anyone have a solution to my problem ? :oops:
     
    Certifications: MCP, MCSA
    WIP: MCSE
  2. Fergal1982

    Fergal1982 Petabyte Poster

    It's not, as a general rule, the OUs that grant access rights.

    I would check the file permissions on the area he's trying to access, and also the share permissions on the server share to ensure that he's in the correct groups for access.
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  3. ManicMonkey

    ManicMonkey Kilobyte Poster

    Also check any GPOs that are in force on his account, OU, domain, server in case these are responsible for locking his access down.
     
    Certifications: MCSE
    WIP: Exchange, Share point - MOM as well
  4. r.h.lee

    r.h.lee Gigabyte Poster

    guess who,

    When you say "...cannot access file server" what resource is the user attempting to access?

    Is this a Windows 2000 or Windows 2003 domain? Is this a single domain or multiple domain system?
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA
  5. guess who

    guess who Bit Poster

    OK. I've checked everything and here are the results:

    He is in the OU "company" and OU "consultants". These two OUs have permissions to read and execute, read and list folder contents.

    There isn't any group policy in company because all users have notebooks.

    I really don't know where's the problem. All settings are the same as on all other users. :blink
     
    Certifications: MCP, MCSA
    WIP: MCSE
  6. dales

    dales Terabyte Poster

    Can you look at the folders on the file server at all, i.e. can you get far enough to look at the effective perms for the folders with the access problems?
     
    Certifications: vExpert 2014+2015+2016,VCP-DT,CCE-V, CCE-AD, CCP-AD, CCEE, CCAA XenApp, CCA Netscaler, XenApp 6.5, XenDesktop 5 & Xenserver 6,VCP3+5,VTSP,MCSA MCDST MCP A+ ITIL F
    WIP: Nothing
  7. guess who

    guess who Bit Poster



    OK, when user for example enters in run "\\file-server" he should see all shared folders and printers on file server. He gets the "Access denied" message. When he enters "\\file-server\installations", again "Access denied" message.

    Other users can access file-server, he cannot access it. But they have the same rights.


    It's Windows 2003 single domain.
     
    Certifications: MCP, MCSA
    WIP: MCSE
  8. Fergal1982

    Fergal1982 Petabyte Poster

    Just because the users have notebooks, doesn't mean you can't apply a group policy on the domain.

    Have you tried logging in as a different user on the machine and trying to access? Have you tried getting the user to log into a different machine to access? Both these will narrow down if it's the computer or the user. You really need to tie that one down to start with. No point looking at the user account if the computer/computer account is what's at fault.
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  9. Sparky

    Sparky Zettabyte Poster Moderator

    Log on with the user's account at a different PC, same problem? :blink
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  10. drum_dude

    drum_dude Gigabyte Poster

    Does he mean GROUPS when he writes OU?????

    If it is groups then what I'd do is directly assign the folder permissions to the user - then see what happens! If it works then take the user OUT of the groups and remove the user from the security properties of the folder. Log the user off then ADD the user BACK into those groups. Log the user back on and try again!

    Just out of interest, did you log the user off and back on when you added him/her to the group in the first instance? Unlike Netware, Windows is loosely consistent!
     
    Certifications: MCP, MCSA 2000 , N+, A+ ,ITIL V2, MCTS, MCITP Lync 2010 & MCSA 2008, Sonus SATP SBC 1k/2k
    WIP: Hopefully Skype for Business and some Exchange stuff...
  11. r.h.lee

    r.h.lee Gigabyte Poster

    guess who,

    Do you know which resource the user is attempting to access if you type "\\file-server?"

    Do you know the proper format of a UNC address for a resource?

    Questions:
    1. What NTFS permissions are applied to his user account?
    2. What NTFS permissions are applied to his organizational unit?
    3. What NTFS permissions are applied to his group?
    4. What Share permissions are applied to his user account?
    5. What Share permissions are applied to his organizational unit?
    6. What Share permissions are applied to his group?
    7. What effective permissions does all that result in?
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA
  12. guess who

    guess who Bit Poster

    Well, the problem is in computer. When user logs on another computer, he can access file server. When I log, as administrator, on his computer I can't access file server.

    I'm such a dumb a$$..:oops: Didn't check that first. :rolleyes:

    OK, so the problem is obviously in computer. Now, how can I fix that problem? Can I delete that computer from AD and add it with another name ?

    Sorry for stupid questions, I'm one confused MCP. :oops:
     
    Certifications: MCP, MCSA
    WIP: MCSE
  13. drum_dude

    drum_dude Gigabyte Poster

    Yes try deleting it from AD and then take the PC off the domain - add it to Workgroup. Then rejoin the PC back to the domain and try again with the user.

    How many MCPs do you have? And what are they in? I bet this is all good practice for you whilst studying for the MCSA/MCSE.
     
    Certifications: MCP, MCSA 2000 , N+, A+ ,ITIL V2, MCTS, MCITP Lync 2010 & MCSA 2008, Sonus SATP SBC 1k/2k
    WIP: Hopefully Skype for Business and some Exchange stuff...
  14. guess who

    guess who Bit Poster

    I've tried that all and still doesn't work. :eek: Removed computer from AD, created new computer with different name, renamed user's computer and joined it to the domain. Still the same access denied error. :rolleyes: :blink :eek:


    I've passed 70-270 and 70-290 exams. :D Two more to go and I'm MCSA. You are right, this is good practice but would be better without it. Because boss and that user are getting angry. :biggrin
     
    Certifications: MCP, MCSA
    WIP: MCSE
  15. Sparky

    Sparky Zettabyte Poster Moderator

    Take the PC off the domain, map a drive to the server, you should get a prompt for authentication. After that can you access the share on the server?

    Has this problem just occurred on the PC? If so you could try a system restore to an earlier date when the PC was behaving. 8)
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  16. ffreeloader

    ffreeloader Terabyte Poster

    I see no one has thought of asking if this guy is a member of any groups that are denied access to these shares. Deny permissions always override allow, so if he is a member of a group that is denied read and execute permissions he will not be allowed to access the share.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
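
The share/NTFS/deny interaction raised in posts 2, 11 and 16, as an added example that is not part of any poster's reply: a simplified Python model of an access check, assuming each ACL is already in canonical order (deny entries listed first). The user names, groups and ACLs are constructed for illustration.

```python
# Added illustration: simplified model of how an ACL is evaluated for a
# network request. All names, groups and ACLs below are constructed.
READ, WRITE, EXECUTE = 1, 2, 4

def access_check(acl, token, wanted):
    """Walk the ACEs in order until every wanted right is granted or one is denied.

    acl    -- list of (type, principal, mask), assumed in canonical order
    token  -- set of principals in the logon token: the user plus its groups
    wanted -- bitmask of requested rights
    """
    remaining = wanted
    for ace_type, principal, mask in acl:
        if principal not in token:
            continue                      # ACE applies to somebody else
        if ace_type == "deny" and mask & remaining:
            return False                  # a still-needed right is denied
        if ace_type == "allow":
            remaining &= ~mask            # these rights are now granted
        if remaining == 0:
            return True
    return False                          # nothing granted it: implicit deny

def effective_over_network(share_acl, ntfs_acl, token, wanted):
    """Over the network a request must pass both the share ACL and the NTFS ACL."""
    return (access_check(share_acl, token, wanted)
            and access_check(ntfs_acl, token, wanted))

# Constructed ACLs for a share such as \\file-server\installations
SHARE_ACL = [("allow", "Domain Users", READ | EXECUTE)]
NTFS_ACL = [
    ("deny", "Contractors", READ | EXECUTE),
    ("allow", "Consultants", READ | EXECUTE),
    ("allow", "Administrators", READ | WRITE | EXECUTE),
]

# A token holds the user and its group memberships only. An OU is a directory
# container, not a security principal, so it never appears in a token or an ACL.
alice = {"alice", "Domain Users", "Consultants"}
bob = {"bob", "Domain Users", "Consultants", "Contractors"}
carol = {"carol", "Domain Users"}

def demo():
    want = READ | EXECUTE
    return {name: effective_over_network(SHARE_ACL, NTFS_ACL, tok, want)
            for name, tok in (("alice", alice), ("bob", bob), ("carol", carol))}

if __name__ == "__main__":
    print(demo())
```
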
  17. guess who

    guess who Bit Poster

    Well, the problem is on just this specific computer. And I can't really try with system restore because problem was there after I've done clean install of Windows. :cry:


    I will try that 1 with mapping a drive. Thanks !
     
    Certifications: MCP, MCSA
    WIP: MCSE
  18. guess who

    guess who Bit Poster

    But the problem is not in this guy because he can access server logged from another computer. The problem is in his computer because I can't even access server logged as administrator.
     
    Certifications: MCP, MCSA
    WIP: MCSE
  19. ManicMonkey

    ManicMonkey Kilobyte Poster

    To be honest at this point I'd consider issuing a new laptop and bringing this one into the workshop to be looked at?
    Perhaps rebuild the laptop?

    When you remove the machine from the domain, you should join it to a workgroup (random name) and then delete all trace of it out of AD.

    When you add it back into the domain try doing it without first creating a reference in AD, it will prompt for an account that has permission to add to the domain (for reference every single user on the domain can add up to 10 PCs without the need to be an administrator :blink odd but true) see if that makes any difference.
     
    Certifications: MCSE
    WIP: Exchange, Share point - MOM as well
  20. drum_dude

    drum_dude Gigabyte Poster

    Yes I did think of it, but didn't ask as I'd read all posts - especially the one about the guy being able to access the resource from another PC.

    Could be that there is a physical network issue here, or perhaps a SID problem. Try the following:

    * Plug the PC into another network port and try again. Or
    * Sysprep Reseal the machine to force it into regenerating another SID.

    Just thoughts off the top of my head really.
     
    Certifications: MCP, MCSA 2000 , N+, A+ ,ITIL V2, MCTS, MCITP Lync 2010 & MCSA 2008, Sonus SATP SBC 1k/2k
    WIP: Hopefully Skype for Business and some Exchange stuff...
