3

I have two domains, PRIMARY and EXTERNAL. EXTERNAL has a one-way outgoing trust to PRIMARY so that PRIMARY's users can authenticate in EXTERNAL. Both domains have Windows Server 2008 DCs running at the Windows Server 2003 compatibility level. PRIMARY users are generally stripped of their authentication privileges in EXTERNAL (including PRIMARY domain admins) but the few users with explicit access get the authentication privileges granted.

The EXTERNAL domain controller has a share called Projects on which everyone has full access. The folder is then locked down with ACLs to only allow a few of EXTERNAL's administrative groups. A few levels down in this folder hierarchy, there is a folder where a user (TESTUSER) in PRIMARY is given modify access. The UNC folder path to this folder is \\EXTERNAL-DC\Projects\A\B\C\Target.

When PRIMARY\TESTUSER is logged into a PRIMARY domain-mapped computer with Windows 7, trying to go directly to the path does not work. ("[unc path][new line]The specified path does not exist. Check the path, and then try again.") However, mapping the folder with the exact same path as a drive works, and the appropriate privileges apply (files can be created, etc).

What can I do to enable the UNC path to work? What causes the discrepancy?

Jesper
  • 115
  • 1
  • 2
  • 12

1 Answer

3

I presume you map the drive to the entire path (e.g. "net use X: \....\Target")?

The UNC doesn't work because the users need read-access to each folder in the UNC path in order to traverse the path.

Mapping to the end-point doesn't require this. (The access-rights on the parent folders are not evaluated in this case. Only the folder(s) that the user actually "sees".)

Weird? Yes, but that is the way Microsoft designed this.

Tonny
  • 6,252
  • 1
  • 17
  • 31
  • Do "inherited permissions" count, or do you still have to set permissions for each directory level specifically? – Robert Harvey Sep 09 '20 at 22:26
  • @RobertHarvey How the permission was issued (explicit or inherited) makes no difference to the functionality. Small amendment to what I wrote in the answer years ago. Read access works, but can be too much: User needs "list" (also known as "traverse" access) as a minimum on each folder in the path. (This acts more or less like the X bit in Unix permissions.) Another thing I like to add: If you need this kind of complexity it is maybe time for a rethink/redesign on the share/folder structure. (And I realize that due to business constraints or technical debt this isn't always feasible.) – Tonny Sep 10 '20 at 06:26
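As an added example (not part of the question or Tonny's answer), the following PowerShell script checks the point made above: it walks every component of the UNC path from the question (\\EXTERNAL-DC\Projects, then \A, \B, \C, \Target) and reports whether PRIMARY\TESTUSER holds an Allow or Deny ACE carrying List/Traverse rights on each one. The path and identity are the question's values and are assumed to be reachable from the machine running the script; the script only inspects ACEs naming that identity directly and does not expand group membership, so a grant that arrives via a group would show as "no direct ACE".

```powershell
# Added example: per-component List/Traverse check for a UNC path.
# Assumes the path is reachable and the caller may read the ACLs.
# Group membership is NOT expanded; only ACEs naming $Identity are considered.
param(
    [string]$UncPath  = '\\EXTERNAL-DC\Projects\A\B\C\Target',   # from the question
    [string]$Identity = 'PRIMARY\TESTUSER'                      # from the question
)

# Rights that satisfy "list" / "traverse" on a folder (ReadData/ListDirectory = 1,
# ExecuteFile/Traverse = 32 in FileSystemRights).
$TraverseRights = [int][System.Security.AccessControl.FileSystemRights]::ListDirectory -bor
                  [int][System.Security.AccessControl.FileSystemRights]::Traverse

# Build the prefixes to test: \\server\share, \\server\share\A, \\server\share\A\B, ...
$parts = $UncPath.TrimStart('\').Split('\')
if ($parts.Count -lt 2) { throw "Expected at least \\server\share in '$UncPath'" }
$prefixes = for ($i = 2; $i -le $parts.Count; $i++) {
    '\\' + ($parts[0..($i - 1)] -join '\')
}

foreach ($p in $prefixes) {
    try {
        $acl = Get-Acl -LiteralPath $p -ErrorAction Stop
    } catch {
        # If we cannot even read the ACL, report that and move on to the next level.
        [pscustomobject]@{ Path = $p; ListOrTraverse = 'ACL not readable'; Source = $_.Exception.Message }
        continue
    }

    # ACEs naming this identity whose rights include ListDirectory or Traverse.
    $relevant = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        (([int]$_.FileSystemRights -band $TraverseRights) -ne 0)
    }
    $allow = $relevant | Where-Object { $_.AccessControlType -eq 'Allow' }
    $deny  = $relevant | Where-Object { $_.AccessControlType -eq 'Deny'  }

    # A matching Deny wins over Allow, mirroring NTFS evaluation order.
    $verdict = if ($deny)      { 'DENIED' }
               elseif ($allow) { 'Allowed' }
               else            { 'No direct ACE for this identity' }

    # Explicit vs inherited is reported only for information; both count for traversal.
    $source = ($allow | ForEach-Object { if ($_.IsInherited) { 'inherited' } else { 'explicit' } }) -join ','

    [pscustomobject]@{ Path = $p; ListOrTraverse = $verdict; Source = $source }
}
```

Run it from a PRIMARY-joined machine as the affected user (or as an EXTERNAL admin with the identity passed in). The first level that shows "DENIED" or "No direct ACE" is the one that stops the UNC path from resolving while the mapped drive to \Target still works; granting List folder contents (traverse) on that folder and the ones above it, rather than full read, is the minimal fix the answer describes.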