Folder rights don't work on group, but do on user


I've got this share where I want to restrict access to two folders so that only members of a group can get access to them. I've done this countless times, but this time there's something odd going on.

The root folder has these permissions set:

    SYSTEM - Full access
    Administrator - Full Access
    Administrators (FILE01\Administrators) - Full Access
    All in sales dpt (SALENET\All in sales dpt) - Full Access

This is so that everyone can get access to the root folder.

Every subfolder has activated inheritable permissions from object's parent. But not the two folders I want to restrict permissions for!

So, these two folders have turned off inheritable permissions from object's parent. And also have these permissions set:

    SYSTEM - Full access
    Administrator - Full Access
    Administrators (FILE01\Administrators) - Full Access
    testgroup (SALENET\testgroup) - Full Access

Now, my test user is a member of the testgroup. But still, this folder doesn't show up. But if I manually add the test user directly to the permissions, it works right away. So why doesn't it work when adding the group? I tried to log off and on again, but that didn't do anything. Do I have to restart the file server in order to make this work?

Might be worth mentioning that these folders, test user and both groups are newly created. And no restart has been made on either domain controllers or file servers. But I did restart my own client, as I mentioned. What's causing this? And why does it happen?

Best Answer

You need to wait a bit for all the domain controllers to see the new groups.

What's likely happening is that you create the group on DC 1, and your file server is authenticating users against DC 2. If you turn on auditing login events on the file server you might be able to see why the login failed.

You can check in AD Sites and Services to see how often the domain controllers sync between each other. The minimum is 15 minutes, but it can be set longer than that.
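
One way to test the replication explanation in the answer above, as an added example that is not part of the original answer: ask every domain controller whether it already knows the new group and the user's membership in it. It assumes the RSAT ActiveDirectory PowerShell module is installed; `testuser` is a hypothetical account name, since the question does not give one.

```powershell
# Added example: read-only check of how far a new group has replicated.
# Requires the ActiveDirectory module (RSAT) and rights to query each DC.
Import-Module ActiveDirectory

$GroupName = 'testgroup'   # group named in the question
$UserName  = 'testuser'    # hypothetical sAMAccountName of the test user

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [pscustomobject]@{
        DC           = $dc.HostName
        Site         = $dc.Site
        GroupExists  = $false
        UserIsMember = $false
        WhenChanged  = $null   # local to each DC: when this DC applied the change
        Error        = $null
    }
    try {
        # -Server pins the query to this DC instead of whichever DC is nearest.
        $group = Get-ADGroup -Identity $GroupName -Server $dc.HostName `
                     -Properties member, whenChanged -ErrorAction Stop
        $row.GroupExists = $true
        $row.WhenChanged = $group.whenChanged

        $user = Get-ADUser -Identity $UserName -Server $dc.HostName -ErrorAction Stop
        # Direct membership only; nested groups are not expanded here.
        $row.UserIsMember = $group.member -contains $user.DistinguishedName
    }
    catch {
        # A DC that has not received the object yet fails with "cannot find an object".
        $row.Error = $_.Exception.Message
    }
    $row
}

$results | Format-Table DC, Site, GroupExists, UserIsMember, WhenChanged, Error -AutoSize

# On the file server itself, this shows which DC it located for the domain:
#   nltest /dsgetdc:SALENET
```

If the DC the file server uses shows `GroupExists` or `UserIsMember` as `False` while another DC shows `True`, the group ACE cannot match the user yet, which fits the behaviour in the question.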