I've been trying to search for others having this same problem on Google, but I'm not sure how to describe it. We have a user who does not have access to a file even though she has permission on it. However, she does have access to other files which she doesn't have permission on. The commonality between all these other files is that another user has access to them. In short, the file server is treating User A as if she was actually User B. We tested this theory by giving User B permission to view the file for User A, and it worked, but the contents of the file are only for User A and the HR Department to see so we put it back the way it was.

I checked Effective Permissions and group memberships, but found no explanation there. Tried deleting permissions and recreating on an individual file, but there was no change in behavior. I'm stumped with no idea what to try next.

EDIT1: I did a bit more testing today.

The first test involved logging in as User A and creating a text file on the server. I then turned off permission inheritance and removed all inherited permissions. I gave User A and Administrator full control of the file. User A could not open the file. I went back in to Security and gave User B full control of the file. User A was then able to open the file. This gave no additional insight into the problem, but confirmed my suspicions.

I started to get suspicious of User A's computer itself and wondered what would happen if User A logged into a different computer. We tried this and discovered that User A no longer had access to User B's files, and did have access to User A's own files. Although I still don't know what is causing the problem, it appears to be specific to the computer, and the solution seems to be that I need to delete User A's profile and rebuild it. I'll report back later in the week.

EDIT2: The problem reoccurred a few days after I rebuilt the profile. I swapped the computer for a different one and waited a week. The problem did not occur on the loaner machine, so I am now reformatting the problematic computer.

Scott
  • Is it possible this is related to the NTFS permission inheritance problem? http://serverfault.com/questions/31709/how-to-workaround-the-ntfs-move-copy-design-flaw – Kenny Rasschaert Apr 01 '11 at 23:03
  • No, the folders and files were created exactly where they reside. – Scott Apr 05 '11 at 22:42

2 Answers

Have you checked the "Effective Permissions" tab, under Security -> Advanced?

If "Effective Permissions" thinks the user should have rights to view the files, then you can rule out anything crazy going on with mistaken account identity, and start looking for the usual suspects:

Most likely you've got a misplaced group membership on the user who's got extra rights, or a misplaced group added to permissions on the files. Check for implicit groups in the file permissions like "Everyone" and "Authenticated Users", too.

Shane Madden
  • I should have mentioned, I did check that right away. According to Effective Permissions, the user should not have rights to view the files. I checked group memberships anyway but found no explanation there. – Scott Apr 04 '11 at 21:13
  • @Scott How about the implicit groups? "Everyone", "Authenticated Users", "Pre-Windows 2000 Compatible Access", etc. If there's none of those, try blocking inheritance on the file and setting up the bare-minimum rights needed. – Shane Madden Apr 05 '11 at 00:30
  • We don't use the implicit groups, so that's not it. The files are not inheriting any rights; everything is being done directly on the files themselves. – Scott Apr 05 '11 at 22:30
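
The ACL check suggested in the answer above, as an added PowerShell example that is not part of the original thread: it lists every ACE on a file by SID, flags the implicit groups named in the answer, and marks which ACEs match a SID in the logon token of the account running it. The `$Path` parameter and the output column names are assumptions of this example.

```powershell
# Added example, not from the thread. $Path is supplied by the operator.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# Well-known SIDs of the implicit groups named in the answer and comments.
$implicit = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-554' = 'Pre-Windows 2000 Compatible Access'
}

# SIDs carried by the current logon token: the user plus every group.
$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

$acl = Get-Acl -LiteralPath $Path
"Caller         : $($id.Name)"
"Owner          : $($acl.Owner)"
"Inheritance off: $($acl.AreAccessRulesProtected)"

# Request explicit and inherited ACEs with identities as SIDs,
# so the comparison does not depend on display names.
$rules = $acl.GetAccessRules($true, $true,
    [System.Security.Principal.SecurityIdentifier])

$rules | ForEach-Object {
    $sid = $_.IdentityReference.Value
    try {
        $name = $_.IdentityReference.Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '<unresolved SID>'   # orphaned or unreachable account
    }
    [pscustomobject]@{
        Identity  = $name
        SID       = $sid
        Type      = $_.AccessControlType   # Allow or Deny
        Rights    = $_.FileSystemRights
        Inherited = $_.IsInherited
        Implicit  = $implicit.ContainsKey($sid)
        InToken   = $tokenSids -contains $sid
    }
} | Format-Table -AutoSize
```

Run it from an account that can read the file's ACL. The InToken column describes that account's token on the machine where the script runs and does not include groups local to the file server.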

It was determined that the problem was with the user profile. Renaming the profile folder to %username%-backup and relogging to rebuild the profile solved the problem. I was then able to copy the documents, favorites, and e-mail archive to the rebuilt profile.

EDIT1: This only fixed the problem temporarily. After a few days it was broken again. I replaced the computer with a loaner machine and waited a week; the problem did not occur on the loaner machine. I am now reformatting the problematic computer.

Scott