Global security group permissions not propogating
I have a single flat domain that has migrated from NT to 2003 to 2008. A number of the global groups go back to the mid ninties.
I recently purchased a EMC VNXe 3300 for addition storage, joined it to the domain, migrated a bunch of folders with permissions using robocopy no problem.
Now I have one shared folder and the global security permission applied to the top level folder but did not decend the tree. I tried applying it from the advanced security tab and choose apply to this folder and all child objects and folder or some such
verbiage. I could not get that permission on anything below the top level unless I went to the object explictly and applied it.
I created a new global security group and applied it to the folder and it descended the tree with no problems.
I have hundreds of folders and hundreds of groups I need to move to this new storage, I have no idea what is wrong here?
Hi,
Please help collect the current permission setting of the parent folder and a subfolder (which the original global security group cannot be applied with "inheriting").
Meanwhile have a try with icacls instead of GUI to see if it will work. For example:
icacls x:\folder /grant <group>:(OI)(CI)F
If you have any feedback on our support, please send to [email protected]
Similar Messages
-
AD security group memberships not coming over to SP2013.
This seems to have coincided with applying a number of updates to our SharePoint server via Windows Update over the weekend. Since then, changes in AD security groups are not being reflected by the appropriate access in SharePoint. If somebody
has been a member of an AD group prior to this weekend, their access is fine. But changes made today aren't seeming to propagate. Any suggestions?
Thanks!Because SharePoint 2013 is based on claims it is normal for users added to AD groups to not gain the permissions for up to 24 hours because the claims tokens are cached.
http://sergeluca.wordpress.com/2013/07/06/sharepoint-2013-use-ag-groups-yes-butdont-forget-the-security-token-caching-logontokencacheexpirationwindow-and-windowstokenlifetime/
Paul Stork SharePoint Server MVP
Principal Architect: Blue Chip Consulting Group
Blog: http://dontpapanic.com/blog
Twitter: Follow @pstork
Please remember to mark your question as "answered" if this solves your problem. -
GPO Security Group filtering not working
Hello all,
DC: 2008R2 w SP1
Client: W7 SP1
Objective: Disable Removable Storage
I can filter by individual user but not a security group (global). (linked to both users and computers OU). I check and make sure the user (me) belong to the group using the command whoami /groups. I check the Delegation setting and make sure that the security
group has the read and "apply" gpo checked. Also the Authenticated Users group has "read" allow.
Any clues?
ThanksGlad to hear this.
Best regards,
Frank Shen
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
Global security settings do not save
Hello,
I'm using Flash version 10,0,12,36 on a new XP Pro 64bit
system. We are running Flash projects from a network drive which
works just fine on 32bit systems by allowing folder permissions in
the Global Security Settings manager. These settings will not save
on the 64bit version. The only reason I can think of is that the
32bit "program files" directory is called "program files (x86)"
which may not be what the player is looking for when attempting to
save the setting.
Is there a way to fix this?
Thanks,
JasonIt's cause the SP 2 sux, change the security settings and try again, in MSIE you can do this under the Edit or Tools menu.
-
Group Permissions Not Being Respected
After upgrading our file server to 10.4.8, group write permissions (POSIX, not ACLs) are not being respected for users connecting via SMB. If Group X owns a folder, and has Read and Write permissions on that folder, User A can log in via SFTP and modify that file. However, User A can not log in via SMB and modify that same file. When looking at the "Effective Permissions Browser" in WGM, it will correctly show the user and group ownership of a file, but state that User A does not have permissions to modify that file (in spite of User A being in Group X).
Has anyone seen anything like this? Or does anyone have any suggestions? We can't try switching to ACLs to resolve the issue because the files being shared are mounted from a remote NFS server (ACLs are only supported on HFS+ volumes).
Thanks.
Xserve G5 Mac OS X (10.4.8)like so:
drwxrwsr-x 6 jwalcik laitssta 4096 Oct 9 23:13 test
where the folder belongs to the user "jwalcik" and to the group "laitstaff". both are shown as having read, write, and execute status, and the setguid bit is set for the group. other users have read and execute privileges.
Xserve G5 -
ACL group permissions not propagating
I have a group of designers that are connected to X Server running Snow Leopard.
I have placed them in a group, "MarComm"
I have granted everyone full read/write access. ( I can trust them all)
I have tried to propagate these permissions..I saved the changes and restarted server.
For some reason there are 2 sets of permissions.
1) full access (desired configuration)
2) "custom" access
This "custom" access does erratic things..for ex:
Allows the designer to pull off a job folder containing 12 items. He has permission to use 8 items, but not the remaining 4.
Perhaps I need a step by step tutorial on how to create a proper "group" and to propagate permissions. I understand that the ACL should take precedence over the POSIX. I am not well-versed in using the terminal, but I am a careful person, and willing to try it.
Thank you in advanceSetting up groups in WGM is pretty fool proof. What I would try first is to remove all of the ACL's for the folder in question first.
Ensure that all of the files and folders within your folder have ACL's that can be removed. If not, then you'll have to clear the ACL's on each, one at a time.
The command to clear the ACL's from a folder and it's subfile and folders looks like this:
sudo chmod -R -N /path/to/folder
If you want to just remove an ACL from one file or folder, remove the -R from the command.
To write an ACL and have it apply to all folders within looks like this: (two commands, one to add read and one to add write permissions)
sudo chmod -R +a "groupname allow read" /path/to/file/
sudo chmod -R +a "groupname allow write" /path/to/file/
HTH!
-Graham -
Hi Everyone,
does anyone know/encountered the following issue?
While using 'Create Group' activity from AD integration Pack, and creating LST group. By that I get as an outcome - group with default permissions(for LST<<List Access>> - to this folder and subfolders). Does anyone know how can I change this
permissions to - This folder only - upon creation of the group, or right ater it? Is it possible by 'Get Group' or 'Update Group' activities, somehow?
Any suggestions on that, highly appreciated.
Thx.It's not wrong, it is expected behavior and working as designed. Until a user logs into the SharePoint site that is granted access via AD group, the user is not going to show under 'check permissions' as having access. SharePoint must have a record of the
user in the UIL in order to validate their access.
You're free to file an RFC with Microsoft, but the monetary impact to you must be extremely high in order for this behavior to be changed.
Trevor Seward
Follow or contact me at...
  
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
Office365 Exchange Security Group not updating in Sharepoint Online
We have created a new Office365 Exchange Security Group that contains several other Exchange Security Groups. This group will not show up in either the SharePoint Web admin or SharePoint Designer views.
How can I force SharePoint to re-synchronize the Office365 Tenant users/groups?Hi,
According to your post, my understanding is that Office365 Exchange Security Group does not updating in Sharepoint Online.
How long did you wait after creating the Group to see if they show up in SharePoint Online? The back-end replication can take some time, even days from my experience.
Here is a similar thread for your reference:
http://community.office365.com/en-us/f/156/t/173994.aspx
More information:
CIAOPS: Using Office 365 security groups with SharePoint Online
Regarding SharePoint Online, for quick and accurate answers to your questions, it is recommended that you initial a new thread in Office 365 forum.
Office 365 forum
http://community.office365.com/en-us/forums/default.aspx
Best Regards,
Linda Li
Linda Li
TechNet Community Support -
User won't add to an AD security group
Hello,
I've been scouring around the last few days and I've come up empty handed with an issue I'm having on a personal domain and I'm hoping someone here can point me in the right direction.
I have a domain controller set up in a lab environment running Server 2012 RU with three computers and three users joined to the domain. I'm currently attempting to apply group policy via AD security groups but I've hit a dead
end. I've created the users and moved them to a nested OU, we'll call it SiteA>Users. I then created a global security group called Control Panel Restriction and placed it in a nested OU in SiteA>Groups, and joined one of the users to the
security group. I then created a group policy and configured it to restrict all access to the control panel and linked it to the SiteA OU. In security filtering I've removed the authenticated users group and added the Control Panel Restriction
group.
The first time the user is joined to a security group it seems to work fine. If I remove the user from the group and run gpupdate /force, the user can once again access the control panel. From that point going forward,
however, it's as if the user is never added to a security group again. I can add the user directly to the security filtering section of the GPO and it works, but it's like security group membership will not update anymore for that user.
Troubleshooting: I've verified the permissions of the security group for the GPO and made sure it has read and apply group policy access, I've created a test user and placed it in the Control Panel Restriction security group
and policy applied successfully (once), so I know the group works. I ran a gpresult /r for the user and found the group policy IS being applied, but it's being denied through security filtering. In the group membership section of the gpresult report
it indicates the user is only a member of the default security groups in AD, not the custom made security group, even though a quick inspection of AD proves otherwise.
Any advice?After you add, or remove, a user from a group, ensure that the changes have replicated/propagated across the DC's (waiting for your replication cycle time is usually enough), then, ensure that the user logs off, and then log the user on again.
The logoff/logon cycle is typically important, since the user's security token is constructed at logon, and the token is constructed based on group memberships at the time of logon.
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
I recently installed SharePoint 2013 SP1 and thus far all seems to be going well. I do have one issue concerning permissions to a team site I have created:
1. If add a user User1 only to a SharePoint group that has edit permissions to the site, that user can log in successfully.
2. If add a user User1 only to a security group that is a member of the aforementioned SharePoint group, the user gets "the site has not been shared with you. The security group is a global SG, though I tried changing it to universal
but that did not help
I have tried updating the SPSecurityTokenServiceConfig as briefly described at this link:
http://macaalay.com/2014/05/27/active-directory-groups-and-access-denied-in-sharepoint-2013/. I performed the steps and it did not work. I also
tried rebooting the server after that, and that did not work either. any thoughts?
Thanks in advance for your helpHi,
I tested the issue on SharePoint server 2013 without sp installed. It worked and I used global security group. I will test the issue on SharePoint 2013 sp1 later, and please provide more information to narrow down the issue.
Please go to site settings > site permissions > check permission, type in domain\user1, and post the result here.
If the user has been granted permission, please try logging on another machine to test if Windows credential casues the issue.
Did the issue occur to one site collection? Please test on other sites or web applications?
Please create new user to test the issue again.
Regards,
Rebecca Tu
TechNet Community Support -
HELP : how to change security group of a document in UCM
Hello all,
I'm working with UCM a few weeks ago, but I cannot find a solution for this problem :
I have defined two security groups and two roles,
SECURITY GROUP ROLE
A ---------> ROLE_A (RW)
B ---------->ROLE_B (RW)
Then I have two Local pages and access is controlled by security group :
LOCAL PAGE SECURITY GROUP
FOLDER_A -----> A
FOLDER_B -----> B
Then i have users A1,A2,...An for role A, and B1,B2 ...Bn for role B, but they are NOT administrators.
The problem comes when an error is detected in a document by a B user, and I need that user to be able to set the security group of the document to 'A', so that users in role A can fix the problem, for example. The thing is that it seems that if you are not an administrator you cannot edit the security group of a document and in my case regular users have to be able to do that.
I would like a way to have different groups of users (or roles), collaborating toguether and sending documents from one another, but with limited responsabilities. But once the document is under a security group, the users belonging to roles with no access to that sec. group should not be able to view or edit the document.
They will be able to act on the document if the security group is changed to something they can access.
Any help on this will be greatly appreciated.
Thanks and regards,
Plan.Hey Plan,
thats the way UCM works. that is only one part of the problem, your user will also need RW permission on the other security group to add a content in there. So only changing the security group is not the solution to your problem.
You may look at the collaboration/workflow functionality offered by UCM.
cheers,
swapnil -
Hi, can anyone tell me (under collaboration) what's the difference between user1 and user2 under this circumstances:
1. Projects being the security group that comes as default in the system.
user1 - Projects(RWD)
user2 - Projects(RWDA)
where local access (ACL) and account (Prj) permissions are the same?
2. Prj being the Account that comes as default in the system.
user1 - Prj(RWD)
user2 - Prj(RWDA)
where local access (ACL) and Projects (Security Group) permissions are the same?
Thanks!any help? plz
-
Hi All,
I am new (3 months) to the Oracle UCM system (10g) and have a basic query regarding security groups.
NOTE: We are going to use Accounts.
Should the security groups feature be used to control security level
eg
Public
Secure
Confidential
Top secret
or should they be used to segregate content
eg
IT
Finance
Marketing
etc
The documentation on this seems to be ambiguous and I was looking for some real world experiences.
Thanks, PaulIn general, security groups are for classification, accounts are for department. There are also user-based Access Control Lists for fine-grained control... but those can sometimes be a performance hog.
So, you should have about 5 security groups (public, internal, secure, top secret, etc.) and then nested accounts for each department or concern (HR, HR/USA, HR/Japan, Development, Development/ProjectAlpha/, etc.) if needed.
If security groups give you problems with workflows, use workflow templates, sub workflows, or place the logic in a component.
Out of curiosity... what specifically about the security model makes you think its inferior to Sharepoint? -
Excuse a novice, but the global security pane is not
displayed on the Adobe site, please HELPTnx for the answer ...now got it..
ALso whats the diferece b/w repository owner and runtime repository owner (OWBRT_SYS) as both have admin privilege i thnk.
Edited by: user10729112 on Jan 11, 2010 9:23 PM -
Unable to discover machine object in AD security group
I have just experience this as any machine object that I inserted into my security group are not able to be discovered after the discovery cycle.
Before this it was working perfectly. Newly inserted machine object in my security group will straight away be discovered and inserted into my collection.
I see the log (adsgdis.log), it seems that it was successfull discovered. My discovery set to every 1 day. But today i checked and it seems that it still not being populated into my collection. Need you guys advice any other troubleshooting steps that i
can do from my end?I have rerun the full discovery but until now still the same thing, my machine is not imported into the collection. Looked at adsgdis.log and seems that it successfully able to discover my security groups
as it says
"Successfully updated the Group membership tables for group 'Security Group Name'". But when I see in colleval.log, seems that its not able to include the machine object into the collection as it says
"Results refreshed for collection ABC, 0 entries changed". Im stuck here. Any advice what else I may be missing to check?
Questions: Wanna ask, do I have to enable the "Discover the membership of distribution group"
at the System Group Discovery properties as currently it is unchecked? I dont think so I need to enable it as I am discovering AD security group and not distribution group...
Maybe you are looking for
-
**imac vs. Dell XPS 720 or new 630--Help!!
Hi, I have been using windows and pc products for over 16 years. I am looking at getting the new imac 20" 2.4GHZ but, I am also looking at the Dell xps 720 and new 630. I am video editing quite a bit. I always use Vegas 8.0 Pro which is fantastic!(wi
-
Hows to get Web Results as the first entry on a page
How do I get rid of the "ads related to" "searches related to" "featured content" in the search results? I would like "web results" to be a the top of the page. Scrolling through all the unwanted results are cumbersome to me..thank you for your time.
-
Adding SSD to ASA 5555X or 5525X - general questions
I am prep'ing two HA pairs of ASAs for FirePOWER. I have (hot) installed the SSDs (two in 5555X and one in 5525X) and did not see the SSDs in SHOW INVENTORY. Upon reading the instructions in the ASA hardware guide, it says that you must reload the AS
-
Does anyone know if Apple is working on a fix for the duplicate photo issue in iPhoto?
I am debating on purchasing Duplicate Annihilator but the reviews sound mixed. Thanks
-
Transporting XML forms to another system.
Hi , I need to transport my XML project only one time to another sytem. What do i do ?? I do not want to setup and use ICE stuffs.... any ideas out there. is there some post processing stuff? thanks.