OSX 10.8 and SMB Shares with Access Based Enumeration.

Hello,
I've been working on a bit of a problem related to some SMB Shares on Windows Server 2012 with Access Based Enumeration with Mac OSX 10.8 & 10.9.
Basically, we have one network share that mounts for all of our Students & Faculty on campus. Then, based on which security group the user is inside of in Active Directory, they gain access and visibility to different folders. (Basically, if they are members of the graphic design department, they get access to the Graphic Design's folder). All of that is working fine, no problems. From there we have 3 folders that branch off. We have a Distribution, an Open, and a Dropbox folder.
Distribution is set up as a spot for instructors to have full access, students have read access. They're able to drop files into this location, to distribute them to their students. This folder is working fine, no problems.
Open is set up with everyone read/write access across the board. This folder is set up for students to share data to each other, work on projects, etc. This folder is working as intended, no problems.
Dropbox is the only folder we're having trouble with, I'm assuming because its settings are the most complex out of the three. The purpose of the drop box is for students to have read/write control over their own content, but not others, and instructors to have read/write over this entire folder.
Now that I've laid out our setup, the problem we've encountered is ONLY occurring inside of the Dropbox folder. When I try to Drag/Drop OR Copy/Paste from another location on the computer into the Dropbox folder, I get a permission error. HOWEVER, if I have a file open, and I click "save as" and browse to the dropbox folder, I can save the file into that location without any trouble. Also, on our Windows computers, with the same exact users, drag/drop & Copy/Paste work normally.
Things I've Tried:
Disabling the .DS_Store - I figured in the drop box, the .DS_Store would be created by the first user who copied a file in, then subsequent users would not have access to the .DS_Store.
CIFS/SMB1 - I've read that SMB2 can cause some trouble while connecting to SMB Shares, so I tried both connecting via CIFS, and also by forcing back to SMB1, with no fix.
Am I missing something with this? I've read a lot about people having trouble connecting to SMB Shares, but for us it had not been a problem up until this point. Does anyone know what a possible fix might be for this? I'm sifting through internet searches right now, trying to find a solution, however MOST of the responses I see are regarding the two things I've already tried.
Any suggestions would be greatly appreciated.
Thanks!
iMac, OS X Mountain Lion (10.8.5)

Just thought I'd post this in case it helps someone. This could be the same problem we have (had) here so try this:
When it asks for name and password put this in the name field: sharename\name
So if the share is called "WWW" and your login name is "Bob" you'd put "www\Bob" in the name field and then normal password in the password field.
Works perfectly for us. I can't remember when it started, 10.7 or 10.8, but this was the only solution. Hope it helps someone else!

Similar Messages

  • SMB Share with Access Based Enumeration & Mac OSX 10.8/10.9

    hi everybody
    I really need some help so here is a little up !
    thanks !

  • File Locks and SMB shares with ML

    I've been doing a lot of research on SMB and the way it locks files during access. I've made a lot of ground work in my research but could use a little further assistance from this support community.
    The symptom is simple to explain: Users are occasionally being prompted for a username and password when attempting to rename or move files and folders.
    After doing some research on this topic, I have discovered that there is a direct relationship to files being open on the server at the time the user is attempting to rename or move the folder. The following thread, albeit old, appears to have nailed the problem on the head http://arstechnica.com/civis/viewtopic.php?p=24558131. In particular, there appears to be file locking happening when preview is turned on through the finder. I've had all users remove preview from their Macs and this appears to have helped reduce the occurrences of the password prompt, but has not completely solved the problem. This is also a work around, not a fix.
    I've been using a series of commands to help me trace the problem including openfile.exe on the Windows 2012 Storage Server (sharing the files via smb only) to discover who has what files open on the server, and the lsof command on the client workstations to discover what process has the file open. So far, the finder is consistently the only thing with the file open... even with the finder preview turned off. I've also found that the "open file" is simply the fact that the offending user's Mac has a finder window with just the folder open (none of the files within the folder or previews open).
    Is the real solution to simply close all finder windows when you're done working in a folder, or is there more that anyone can think of to help me find out exactly what is holding the file lock? Is this a known bug in the SMB implementation of ML? Can we expect to see a fix with Mavericks which will now be using SMB2.0?
    Any help or information anyone can provide would be greatly appreciated. I have a bunch of documentation on this issue and would be happy to share. Please let me know if anyone needs any additional details.

    Hello all - many apologies for my delay in posting here; and Squiggle, thanks for the second-hand nudge. As Stephen said we have been testing a solution concerning a setting in Finder's view options for the last few months, and these seem to have solved the issue in hand.
    Essentially, we found that Finder was holding files open whenever the 'Show Icon Preview' option was set, on any of the four folder views, on any client machine accessing the share. Below is a piece of documentation I wrote up for our Service desk explaining how to diagnose and manually fix this issue on the client:
            - In Finder, open any folder
            - Click on the cog icon and select 'show view options.' Check that, in the dialogue box which appears, the 'Show icon preview' box is not checked. Click the other three Finder views and check it's turned off here too.
            - Click 'Use as Defaults'
    In order to make this change remotely on multiple machines, you will need to change the clients' com.apple.plist files, and set every instance of the <showIconPreview> key to <False>. This is nested within several key / dictionary pairs in com.apple.finder.plist, once under <standardViewOptions> and thrice within <standardViewSettings>. As Stephen has already mentioned, the fact that this key is nestled deep within compound dictionaries seems to render them untouchable by defaults, though I would be very happy to be corrected on this.
    How you push this change out will depend on your management system. We had been using Casper to create a managed preference pertaining to <standardViewOptions> and <standardViewSettings> within com.apple.finder.plist. These contained as values the entire dictionary associated with these keys, with the value for each <showIconPreview> set to false. This was then applied at a User Enforced Level (running every logon after Finder has set up the system defaults).
    As a side note, I have found that certain machines (Such as the 10.8.3 machine I'm working on now) contain a key named <FK_StandardViewSettings>, which I have been unable to ascertain the purpose or origination of. These don't seem to affect the fix, so we've left them alone.
    Irritatingly, Casper has dropped support for custom Managed Preferences in their latest release, so this problem has now resurfaced. I will keep this page updated with any fixes or workarounds I find.
    Hope that helps,
    Josh Smith
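
The preference change described in the post above, as an added example that is not part of the original post and is not Casper's or Apple's code: it walks the nested dictionaries under the two keys the post names, sets each showIconPreview value to false, and leaves FK_StandardViewSettings alone. The sample preferences are constructed, the function names are hypothetical, and matching key names case-insensitively is an assumption.

```python
import plistlib

# Key names as written in the post; compared case-insensitively (assumption).
TARGET_KEY = "showiconpreview"
MANAGED_ROOTS = ("standardviewoptions", "standardviewsettings")


def disable_icon_preview(node, path=""):
    """Recursively set every showIconPreview to False; return the paths changed."""
    changed = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = path + "/" + key
            if key.lower() == TARGET_KEY:
                if value is not False:
                    node[key] = False  # same key, so safe while iterating
                    changed.append(here)
            else:
                changed.extend(disable_icon_preview(value, here))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            changed.extend(disable_icon_preview(item, "%s[%d]" % (path, index)))
    return changed


def patch_finder_plist(data):
    """Patch the raw bytes of a Finder preference file.

    Returns (new_bytes, changed_paths). The output keeps the input's
    encoding (binary or XML) and every unrelated key is left untouched.
    """
    fmt = plistlib.FMT_BINARY if data.startswith(b"bplist00") else plistlib.FMT_XML
    prefs = plistlib.loads(data)
    changed = []
    for key, value in prefs.items():
        # Only the two dictionaries named in the post are managed.
        if key.lower() in MANAGED_ROOTS:
            changed.extend(disable_icon_preview(value, "/" + key))
    return plistlib.dumps(prefs, fmt=fmt), changed


# Constructed sample: one instance under StandardViewOptions and three under
# StandardViewSettings, plus an FK_StandardViewSettings entry left alone.
SAMPLE = {
    "StandardViewOptions": {
        "ColumnViewOptions": {"showIconPreview": True, "FontSize": 12},
    },
    "StandardViewSettings": {
        "IconViewSettings": {"showIconPreview": True, "iconSize": 64.0},
        "ListViewSettings": {"showIconPreview": True, "textSize": 12.0},
        "ExtendedListViewSettings": {"showIconPreview": True, "textSize": 12.0},
    },
    "FK_StandardViewSettings": {
        "IconViewSettings": {"showIconPreview": True},
    },
}

if __name__ == "__main__":
    original = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)
    patched, changed_paths = patch_finder_plist(original)
    for changed_path in changed_paths:
        print("set to false:", changed_path)
    # A second pass finds nothing left to change.
    print("second pass changes:", patch_finder_plist(patched)[1])
```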

  • Problem with access based enumeration

    Hello.
    We still have about 500 Windows XP SP3 computers in our organization. We have Windows 2008 R2 file cluster with ABE-enabled shares. When we try to access shares from XP computers we have symptoms as described in KB941598 ("Path not found" when user has no permissions on the upper folders and he uses dialog window or explorer address bar but not "Run" command from Start menu): https://support.microsoft.com/en-us/kb/941598. We do not have this problem on Windows 7 after installing KB2821343 in 2013.
    We can't install KB941598 hotfix because SP3 already installed. Shell32.dll version is 6.00.2900.6242, XPSP3res.dll version is 5.1.2600.5512.

    Hi,
    Did you try to install the KB941598 hotfix? It seems that the hotfix is included in Windows XP Service Pack 3. Please see:
    List of fixes that are included in Windows XP Service Pack 3
    https://support.microsoft.com/en-us/kb/946480
    Best Regards,
    Mandy

  • Using single SMB share with multiple Hyper-V clusters

    Hello,
    I'm trying to find out if I can use a single SMB share with multiple Hyper-V Clusters. Looking at:
    How to Assign SMB 3.0 File Shares to Hyper-V Hosts and Clusters in VMM
    I think it's possible. Since the File Server is going to handle the file locking it shouldn't be a problem.
    Has anyone tried that?
    Thank you in advance!

    Hello,
    I'm not sure that's possible, I get this from this statement: "Assign the share—Assign the share to a virtual machine host or cluster."
    Even if it worked I wouldn't do that. Why don't you just create multiple shares?

  • Windows Server 2012: SMB share with transparent failover

    Have a nice day to all!
    I have 2 HP Proliant DL380P Gen8 servers containing 8 x 1TB disks (with P420i HP Smart Array RAID Controller) in each server.
    So, there are 2 arrays on every server:
    1. 2 x 1TB in RAID1 (+1 disk for hot swap) - system volume
    2. 5 x 1TB in RAID5 (+1 disk for hot swap) - data volume
    And I installed Windows Server 2012 Standard on each server.
    Then I created a failover two-nodes cluster.
    And now I want to create a SMB share with transparent failover for all the second (data) volume (it's about 3.3TB in RAID5 array). How just can I reach this goal? I'm going to use it in future for Hyper-V VMs, so, the main requirement is powered-on and working VMs even if one node of SMB share cluster is failed.
    I wasn't able to see my volumes in failover cluster manager. I tried to create iSCSI targets, storage pools, virtual disks, etc. but no luck. My failover cluster manager can't see it to create SMB share!
    Can anyone advise me something?
    Thanks in advance!

    You need to have your storage you want to export as being a shared storage visible to your cluster (part of CSV). Then you'll configure failover file shares using content accessible from both cluster nodes. Refer to this manual for diagrams (ignore StarWind and replace it logically with your existing shared storage you've used to create your cluster):
    http://www.starwindsoftware.com/configuring-ha-file-server-on-windows-server-2012-for-smb-nas
    Also see these manuals from MS on how to create failover file server:
    http://technet.microsoft.com/en-us/library/cc753969.aspx
    http://technet.microsoft.com/en-us/library/cc731844(v=ws.10).aspx
    http://blogs.technet.com/b/askcore/archive/2010/08/19/working-with-file-shares-in-windows-server-2008-r2-failover-clusters.aspx
    However if you want to use existing storage located on the both nodes you're out of luck. Microsoft does not provide anything representing local DAS to the cluster nodes. If you want to use existing DAS then you'll have to stick with a third-party product like StarWind, SteelEye or DataCore. To create something like in this picture:
    So you'll have a configuration with only two nodes, no physical shared hardware (SAS JBOD, FC or iSCSI) and vSAN. Refer to this manual:
    http://www.starwindsoftware.com/ns-configuring-ha-file-server-for-smb-nas
    Hope this helped :)
    StarWind iSCSI SAN & NAS

  • Powershell: Set Access Based Enumeration on share in Failover Cluster

    Hi guys, 
    I'm facing the following problem. Below you see my script to create a shared folder. (My folder share is visible in failover cluster manager, underneath clustergroup TESTSTO01.) 
    Now I need to enable Access Based Enumeration on this share. Has anyone a clue how to do that in powershell? (Version 2). 
    I also need to make sure that the files and programs are not available offline. 
    Thanks in advance! 
    # Share access masks (decimal) with their binary form
    $SHARE_READ = 1179817     # 100100000000010101001
    $SHARE_CHANGE = 1245631   # 100110000000110111111
    $SHARE_FULL = 2032127     # 111110000000111111111
    $SHARE_NONE = 1           # 000000000000000000001
    $ACETYPE_ACCESS_ALLOWED = 0
    $ACETYPE_ACCESS_DENIED = 1
    $ACETYPE_SYSTEM_AUDIT = 2
    $ACEFLAG_INHERIT_ACE = 2
    $ACEFLAG_NO_PROPAGATE_INHERIT_ACE = 4
    $ACEFLAG_INHERIT_ONLY_ACE = 8
    $ACEFLAG_INHERITED_ACE = 16
    $ACEFLAG_VALID_INHERIT_FLAGS = 31
    $ACEFLAG_SUCCESSFUL_ACCESS = 64
    $ACEFLAG_FAILED_ACCESS = 128
    # New Trustee
    function New-Trustee($Domain, $User)
    {
        $Trustee = ([WMIClass]"\\TESTSTO01\root\cimv2:Win32_Trustee").CreateInstance()
        $Trustee.Domain = $Domain
        $Trustee.Name = $User
        if ($User -eq "Administrators")
        {
            # Binary SID S-1-5-32-544 (BUILTIN\Administrators)
            $Trustee.SID = @(1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0)
        }
        else
        {
            # Binary SID S-1-1-0 (Everyone)
            $Trustee.SID = @(1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
        }
        return $Trustee
    }
    # New ACE
    function New-ACE($Domain, $User, $Access, $Type, $Flags)
    {
        $ACE = ([WMIClass]"\\TESTSTO01\root\cimv2:Win32_ACE").CreateInstance()
        $ACE.AccessMask = $Access
        $ACE.AceFlags = $Flags
        $ACE.AceType = $Type
        $ACE.Trustee = New-Trustee $Domain $User
        return $ACE
    }
    # Get SD: share-level security descriptor (Everyone = Change, Administrators = Full)
    function Get-SD
    {
        $sd = ([WMIClass]"\\TESTSTO01\root\cimv2:Win32_SecurityDescriptor").CreateInstance()
        $ACE1 = New-ACE -Domain $null -User "Everyone" -Access $SHARE_CHANGE -Type $ACETYPE_ACCESS_ALLOWED -Flags $ACEFLAG_INHERIT_ACE
        $ACE2 = New-ACE -Domain $null -User "Administrators" -Access $SHARE_FULL -Type $ACETYPE_ACCESS_ALLOWED -Flags $ACEFLAG_INHERIT_ACE
        [System.Management.ManagementObject[]] $DACL = $ACE1, $ACE2
        $sd.DACL = $DACL
        return $sd
    }
    # Create-Share
    function Create-Share($ShareName, $Path, $Comment, $Access)
    {
        $checkShare = (Get-WmiObject Win32_Share -Filter "Name='$ShareName'")
        if ($checkShare -ne $null) {
            # "Share exists and will now be deleted!!!"
            Get-WmiObject Win32_Share -Filter "Name='$ShareName'" | ForEach-Object { $_.Delete() }
        }
        $wmishare = [WMIClass] "\\TESTSTO01\ROOT\CIMV2:Win32_Share"
        $Access = Get-SD
        $R = $wmishare.Create($Path, $ShareName, 0, $null, $Comment, "", $Access)
        if ($R.ReturnValue -ne 0) {
            # Parentheses are needed so the string is concatenated before Write-Error binds it
            Write-Error ("Error while creating share: " + $R.ReturnValue)
            exit
        }
        # Write-Host "Share has been created."
    }
    # Create first share with permissions **********************************
    # $Company and $Driveletter are set elsewhere in the script (not shown in the post)
    $ShareName = "$Company$"
    $Path = "$Driveletter" + ":\$Company"
    $Comment = ""
    $Domain = $Null
    Create-Share $ShareName $Path $Comment $Access

    Unable to find type [CmdletBinding(SupportsShouldProcess=$TRUE)]: make sure tha
    t the assembly containing this type is loaded.
    At C:\Script Nathalie\Everyware2.ps1:294 char:45
    + [CmdletBinding(SupportsShouldProcess=$TRUE)] <<<<
        + CategoryInfo          : InvalidOperation: (CmdletBinding(S...dProcess=$T
       RUE):String) [], RuntimeException
        + FullyQualifiedErrorId : TypeNotFound
    The term 'param' is not recognized as the name of a cmdlet, function, script fi
    le, or operable program. Check the spelling of the name, or if a path was inclu
    ded, verify that the path is correct and try again.
    At C:\Script Nathalie\Everyware2.ps1:295 char:6
    + param <<<< (
        + CategoryInfo          : ObjectNotFound: (param:String) [], CommandNotFou
       ndException
        + FullyQualifiedErrorId : CommandNotFoundException
    The term 'begin' is not recognized as the name of a cmdlet, function, script fi
    le, or operable program. Check the spelling of the name, or if a path was inclu
    ded, verify that the path is correct and try again.
    At C:\Script Nathalie\Everyware2.ps1:304 char:6
    + begin <<<<  {
        + CategoryInfo          : ObjectNotFound: (begin:String) [], CommandNotFou
       ndException
        + FullyQualifiedErrorId : CommandNotFoundException
    Get-Process : Cannot evaluate parameter 'Name' because its argument is specifie
    d as a script block and there is no input. A script block cannot be evaluated w
    ithout input.
    At C:\Script Nathalie\Everyware2.ps1:331 char:8
    + process <<<<  {
        + CategoryInfo          : MetadataError: (:) [Get-Process], ParameterBindi
       ngException
        + FullyQualifiedErrorId : ScriptBlockArgumentNoInput,Microsoft.PowerShell.
       Commands.GetProcessCommand
    The term 'end' is not recognized as the name of a cmdlet, function, script file
    , or operable program. Check the spelling of the name, or if a path was include
    d, verify that the path is correct and try again.
    At C:\Script Nathalie\Everyware2.ps1:345 char:4
    + end <<<<  {
        + CategoryInfo          : ObjectNotFound: (end:String) [], CommandNotFound
       Exception
        + FullyQualifiedErrorId : CommandNotFoundException
    The term 'set-shareABE' is not recognized as the name of a cmdlet, function, sc
    ript file, or operable program. Check the spelling of the name, or if a path wa
    s included, verify that the path is correct and try again.
    At C:\Script Nathalie\Everyware2.ps1:348 char:13
    + set-shareABE <<<<  TESTSTO01 $Company$ -Enable
        + CategoryInfo          : ObjectNotFound: (set-shareABE:String) [], Comman
       dNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException

  • Access Based Enumeration not working Windows 2012 R2 Datacenter

    I am having a hard time figuring out why Access Based Enumeration is not working for me.  I have set and re-set the settings and I'm still able to see folders I should not. I do get denied access on folders I don't have access to. 
    I have checked effective access which say everything is denied to me but I can still see the folder(s) listed. 
    I have the share permissions set to authenticated Users - Full Control
    I have the NTFS permissions set to the correct Dept. Groups. - Modify, and Domain Admins - Full Control and Guests - Deny Full Control
    Any ideas?
    --------Update--------
    I believe I had found the issue.  It was a rights issue with a group that was added to the local admins group.

    Hi,
    It seems that you have resolved the issue.
    Please feel free to let us know if you need further assistance.
    Best Regards,
    Mandy

  • Access Based Enumeration on CAD /Design Files 2008 R2

    Hi,
    I'm currently having some issues with our Windows Server 2008 R2 File Cluster, where the System Process is chugging along @ 80-95% CPU, which I personally find strange. After 2-3 hours of this type of resource utilization, we experience a failover to our passive node. After a few hours of user connectivity and build it the same thing happens again.
    Using ProcessExplorer I have been able to identify the srv2.sys driver having massive amounts of threads being created, with several running at 10-15% + CPU utilization per thread. srv2.sys driver is for SMBv2 Connectivity from my research and troubleshooting of these issues.
    I have had a ticket opened with MS Premier Support and I have completed installing all of the latest srv2.sys file updates to the latest version for 2008 R2, but we still seem to be having the issues, although it is intermittently. One of these fixes was in relation to enabling Access Based Enumeration to a certain level within your File System/Structure (http://support.microsoft.com/kb/2732618/en-us)
    Other hotfix installed is
    http://support.microsoft.com/kb/2831154/en-us
    We have users who run multiple image and CAD applications (Adobe InDesign, AutoCAD, MicroStation, Revit etc) across our network drives, as well as what I would call "standard" File Server access (word docs, spreadsheets, PDF's, powerpoint presentations etc).
    We have ABE enabled across all volumes.
    At the moment, I am praying for the server to again reach 100% CPU capacity due to the System Process using these resources.
    What I was wanting to ask is, are there any known issues with using Access Based enumeration of Drives for users/applications that use these InDesign/AutoCAD like applications?
    The reason I ask this is that when we experience this issue I notice more activity on our volumes that host these CAD/Design files, compared to when we experience a period of stability on the system.
    I have read on a few articles regarding Microstation that if it is a specific version, that you should disable SMBv2 via registry to revert to SMBv1 for better use/stability. I am going down the path of disabling SMB2 for all users who use these CAD applications to see if this assists in resolving the issue, but I'm trying to explore all other options/potential issues to better configure our File Cluster
    Looking for guidance on troubleshooting this issue further.
    Thanks in advance.

    Hi,
    After the hotfix is installed, did you create a new registry entry? If not, please follow the steps below to create a new registry entry:
    1. Open Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press Enter. 
    2. Locate and then click the following registry subkey: 
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\
    3. On the Edit menu, point to New, and then click DWORD (32 bit) Value. 
    4. Type ABELevel, and then press Enter. 
    5. On the Edit menu, click Modify. 
    6. In the Value data box, type a number according to the level that ABE is enabled on the shared folder, and then click OK. 
    7. Exit Registry Editor.
    Note: The ABELevel value specifies the maximum level of the folders on which the ABE feature is enabled. For example if you enable ABE on \\Server\share, you must set the ABELevel value to 1. If you enable ABE on \\Server\share\share, you must set the ABELevel value to 2. If the ABELevel value is not set or has value of 0, then this hotfix is not enabled.
    The value of the above mentioned key is set as follows: 
    Value = 0: ABE is enabled for all levels (default behavior without key as well) 
    Value = 1: ABE enabled for depth of 1 (\server\share) 
    Value = 2: ABE enabled for depth of 2 (\server\share\folder) 
    And so on for multiple levels. 
    Please configure this registry key with the value that’s most suitable for your environment.
    Regards,

  • Some folder is empty when enabled access-based enumeration + Deduplication

    Hi Everyone,
    Background:
    Recently we migrated the file server to win2012 r2.  We have enabled deduplication and enabled access-based enumeration.
    The data stored in D drive vm, so we just connected the D drive to the new 2012 r2 server.  Security rights all the same as before.
    Problem:
    People reported that they can see their files and folders directly under their client folders, however some of the sub-folders are empty. When we checked from our file server, those sub-folders have files inside.
    We did some test, we tried to disabled access-based enumeration, checked from user shared drive and see the files are visible again inside the folder.
    Has anyone experienced that before and can give me the solution?
    Thanks!!
    MT

    Hi,
    From the symptom it should be related to Access Based Enumeration, which means it is affected by NTFS permission settings. Please help list the NTFS permission settings on folders and an affected file.
    Meanwhile you can try to create another share folder with basic NTFS permissions such as:
    Domain Admins: Full Control - This folder, subfolders and files.
    Creator Owner: Full Control - subfolders and files only.
    A testuser group: Modify (on a specific subfolder and its files).
    Everyone - Read - This folder only. 
    Then add the additional permissions which is added on your real shares to the test share one by one to see which one causes the issue. 

  • ABE Access based enumeration not working

    Hello there,
    we have a brand new Windows 2012 R2 file server with one share \\server\share1, ABE enabled on this share.
    Read access for all Domain users on share.
    This share has 2 subfolders, folder1 and folder2.
    User Jon has set NTFS read write rights on folder1, but no access rights on folder2 (all set on security tab)
    Now when User Jon connects to this share he still sees both folders, but access denied on folder2.
    Why can he still see folder2 even when ABE is enabled? Also checked effective rights on folder2, no access.
    Thanks in advance

    Hi,
    Please try to recreate the folders to check if it could resolve this issue. Do you share the subfolder? If so, the subfolder can still be viewed when browsing the server.
    For more detailed information, please refer to the thread below:
    Does Access Based Enumeration work with NTFS permissions?
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/fd9b8e65-f519-4c24-b721-5a1b9d61f13f/does-access-based-enumeration-work-with-ntfs-permissions
    Best Regards,
    Mandy 

  • Windows 2012 Standard File Server Clustering SMB Share Error: Access is denied.

    Hi All,
    My setup consists of 2 nodes clustered with File Server role.  I can successfully failover role to either node with no issues.  But if I try to modify the permissions of any file share on my file server cluster I get the following error: Error Occurred while updating an SMB share: Access is denied.  Access is denied.
    Now I played around with the permissions on these shares and noticed that when I add the "everyone" group to these shares with change permissions I can successfully modify the shares with no errors.  If I removed the "everyone" group I get the error.  So to tell its like some service or account needs permission to these shares to be able to modify them.  I don't want to keep "everyone" group on these shares.  Can anyone please shed some light on what group, user, or service account needs permissions on these shares in order for me to modify these SMB shares without getting Access is denied.  Thanks

    Hi,
    It seems your account doesn't have enough rights to modify this clustered folder permission.
    More information:
    Create a Shared Folder in a Clustered File Server
    http://technet.microsoft.com/en-us/library/cc732302.aspx
    Hope this helps.

  • New SMB share - can access only from owner node

    Two nodes new Windows 2012R2 cluster on Azure. Setup all completed OK and with no issue. Cluster is online and can failover to both nodes. Create FileServer and then created couple of share using SMB quick. Access left for the default "EveryOne Full control"
    Now, I can access the share from the current node of the cluster and ONLY if I failover the cluster to the second, I started to access the share. Also other machines on the same network cannot access the share (all Windows 2012R2).
    I saw a few similar posts and read them all, but that does seem to help me. Please advise of any information to resolve this.
    Thanks

    Hi Sir,
    >>Create FileServer and then created couple of share using SMB quick. Access left for the default "EveryOne Full control"
    If you share the folder in Windows Explorer as you normally would for a file share, please refer to the following articles regarding adding a file share on an existing cluster:
    http://msdn.microsoft.com/en-us/library/dd897486(v=bts.10).aspx
    http://msdn.microsoft.com/en-us/library/dd897474(v=bts.10).aspx
    Best Regards
    Elton Ji

  • Active Directory, Windows 2003 SP2 Server and SMB shares

    I have 10 new iMacs that will be returned and exchanged for 10 HP wintels if I can't resolve an issue with SMB shares in Mac OS X 10.4.9.
    We had an old win 2000 server, and all the macs could mount their smb shares without problems.
    Recently we upgraded to two new 2003 sp2 servers, one of them the domain controller, and we can't mount their SMB shares. I followed this http://weblog.bignerdranch.com/?p=6&page=3 and/or this http://allinthehead.com/retro/218/accessing-a-windows-2003-share-from-os-x to allow AD authentication, but still, I can't mount the 2003 shares (but can with the 2000 ones!!!).
    If I enable SFM (services for macintosh) then I can mount the shares, but:
    1) the network is slower (I suppose it is due to the AppleTalk implementation)
    2) and worse, names with more than 32 characters or with some special characters are not allowed. This renders 30% of our archives unavailable with the AFP solution.
    I also used all the authentication methods (Plain text apple, plain text windows, etc.) but none works.
    I have now 10 days to find a solution, or all "my" macs will disappear forever.
    Please, some advice or point to documentation.
    G4, G5, iMac Intel, Mac Book Pro, etc   Mac OS X (10.4.9)  

    Do you just want to mount arbitrary shares from the win servers or do you want the macs to be bound to AD?
    The first requires the steps from your second link (allinthehead.com) but the latter (bind to AD) requires things like proper use of DNS, time synchronisation for Kerberos to work and proper configuration as described in your first link (bignerdranch.com).
    Here are some more links for the latter (AD integration):
    http://www.bombich.com/mactips/activedir.html
    http://www.afp548.com/article.php?story=20051202151540574&query=ad-od
    HTH
    -Ralph

  • Confusion of aliases made for two SMB shares with same folder name

    I have a SMB file server here which provides me with a Departmental personal home filestore and also a Departmental personal web filestore. The name of the folder is the same in each case - my Departmental user name. If I check the Finder Preference 'Show these items on the desktop' for 'Connected servers', I can use the Finder's 'Connect to Server' for each - smb://webhome/john and smb://home/john - to make each of them appear on my desktop as 'john'.
    It's rather confusing to have to remember that (say) the upper 'john' is my home filestore and the lower one is my web filestore, so I use Finder 'Make Alias' (e.g. via right click on each when selected) to create two aliases I can name 'web john' and 'home john'.
    Alas, each alias always points to the same (apparently randomly selected) share!
    This looks like a bug to me. I've tried unchecking the Finder 'Connected servers' preference, and then the shares appear under folder 'SHARE' - where I cannot create any aliases at all; I get the error message 'Operation could not be completed (Error -8058)'.
    Reader, do you know of a work-around which will let me distinguish on my desktop between my two identically-named folders from different shares? Alas, I have no power to change the names of the original folders.
    John A. Murdie

    >>It's rather confusing to have to remember that (say) the upper 'john' is my home filestore and the lower one is my web filestore, so I use Finder 'Make Alias' (e.g. via right click on each when selected) to create two aliases I can name 'web john' and 'home john'.
    I should have said that one cannot rename the share icons in the usual way. Not being able to do this is the real bug here. If I'd been able to do this I wouldn't have needed to try to create aliases, of course.
    John A. Murdie
