Windows File sharing using Active Directory Groups

I've got one Domain Controller for our small network (~20 users). It's running Win Server 2k3.

I have added a Global Security Group (MYDOMAIN\GroupA) and added 3 users to it (MYDOMAIN\UserA, MYDOMAIN\UserB, MYDOMAIN\UserC).

I have a separate computer running Windows Server 2k3 that's named fileserver (you guessed it, it just has file shares on it). It's joined to the domain.

I have a share:

D:\Docs\ShareOne

I have set it up to be shared with Share Permissions: "Everyone / Full Control"

Then the NTFS permissions only permit MYDOMAIN\GroupA to have Full Control over it.

However, I'm experiencing very strange problems.

I have 3 workstations (2 XP and one Vista) that are joined to the domain and UserA, UserB, and UserC are all logged in to MYDOMAIN.

UserA who is running XP can run \\fileserver\ShareOne and access the files fine.

UserB (on XP) and UserC (on Vista) however type in \\fileserver\ShareOne into Explorer, hit enter and are greeted with a friendly "Access Denied" error.

I even had UserB (whos on XP) restart their entire machine, relogin and they still cannot access the share.

Why would this be happening? Something very very strange is happening.


I'd strongly recommend turning on auditing of "Logon" failures in the local security policy of FILESERVER (Start / Run / GPEDIT.MSC - Navigate to "Computer Configuration", "Windows Settings", "Security Settings", "Local Policies", "and "Audit Policy"), run "GPUPDATE", and watch the "Security" event log after a failure to see what shows up. (I am assuming, by way of directing you to the local security policy, that you don't have domain policy overriding it.)

Can you verify that other combinations of client computers and users do or do not exhibit the problem (i.e. "UserA" on the comptuer normally used by "UserB", etc)?

This has the feel of a problem re: SMB signing or NTLM level, but I'd think that all your OS's are set to their stock confgurations and should work fine. Just for kicks, run Resultant Set of Policy on a working and non-working client computer and compare the settings in "Computer Settings", "Windows Settings", "Security Settings", "Security Options" related to "Domain Member: ..." and "Microsoft network client: ...".)

One more silly thing: Is the name FILESERVER resolving to the same IP address on all the clients?


Have you tried the two user accounts that are denied on the computer than has the user working fine? This may at least work as a process of elimination. If they can access it okay through that computer then perhaps suspect the computer configuration or domain/computer relationship. Perhaps disjoin them and rejoin them to the domain. But first check if the user accounts can access the shares on that other computer. Or you could create another share with everyone with access to it and see if these user accounts can access this on at all. This may give you a little bit more insight into the matter as well.