Server 2012 NTFS group permissions not working in domain

Tags: ntfs, permissions, windows-server-2012

We just recovered from a major hardware disaster, and had to restore all of our data from an offsite backup. In the process, we upgraded from Windows Server 2008 R2 to a Windows Server 2012 R2 Standard file server.

We have one folder that houses nearly all of our more secure data, and in order to simplify and keep organized the various NTFS permissions on the various folders in this one main folder, I have created several custom security groups and added domain users to the groups as needed.

Here's where it's getting weird. These permissions are not working. No one can access the main folder when they're in a group that has been granted permission. However, if I grant permissions to individual domain users, they are able to access the folder.

I have verified that share permissions are set properly (everyone – full control). I have used the "Effective Access" tab to verify that users in the custom groups do, in fact, have the appropriate levels of access. But unless I assign permission to users individually, they cannot access the folder.

What is happening here? Can anyone help me?

Best Answer

Have these users logged out and back into their computers since you added them to the new groups?

When a user logs into their workstation they are granted a ticket-granting ticket (TGT) by the authentication domain controller. That TGT contains information about their group membership (SIDs) and doesn't expire for some time. Your computer uses this TGT to request access to network resources.

Your TGT naturally contains your account SID, which is why adding users individually works. But the new group SIDs are probably not a part of anyone's TGT yet.

You need to log off and back on to the local computer in order to request a new TGT from your domain controller whenever the user's group membership changes.
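
One way to check for the condition described in this answer, as an added example that is not part of the original answer: run as the affected user on their workstation, it compares the group SIDs in the current logon token with the group's membership in Active Directory. It assumes the RSAT ActiveDirectory module is installed; the group name `SecureData-Readers` is a hypothetical placeholder.

```powershell
# Added example (not from the original post): detect a logon token that
# predates a group membership change.
# Assumptions: RSAT ActiveDirectory module is available; 'SecureData-Readers'
# is a hypothetical group name, replace it with the group on the folder ACL.
param(
    [string]$GroupName = 'SecureData-Readers'
)

Import-Module ActiveDirectory -ErrorAction Stop

# What the directory says right now.
$group = Get-ADGroup -Identity $GroupName
$user  = Get-ADUser  -Identity $env:USERNAME

# -Recursive also resolves membership gained through nested groups.
$memberSids  = Get-ADGroupMember -Identity $group -Recursive |
               ForEach-Object { $_.SID.Value }
$inDirectory = $memberSids -contains $user.SID.Value

# What this logon session actually carries: the group SIDs that were
# placed in the token when the user logged on.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = $identity.Groups | ForEach-Object { $_.Value }
$inToken   = $tokenSids -contains $group.SID.Value

# Interpret the four possible combinations.
$verdict = if ($inDirectory -and -not $inToken) {
    'Stale token: member in AD, SID missing from this session. Log off and back on.'
} elseif ($inDirectory -and $inToken) {
    'Token is current: group SID is present. Look at the folder ACL instead.'
} elseif (-not $inDirectory -and $inToken) {
    'Token still carries a SID for a group the user has since been removed from.'
} else {
    'User is not a member of the group in AD.'
}

[pscustomobject]@{
    User              = $identity.Name
    Group             = $group.Name
    GroupSid          = $group.SID.Value
    MemberInDirectory = $inDirectory
    SidInLogonToken   = $inToken
    Verdict           = $verdict
}
```

`whoami /groups` lists the same token SIDs by hand, and `klist` shows when the cached tickets were issued.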