Remember: Security Groups Aren’t Dynamic

Today I finished setting up a folder on a share and restricted it to only allow certain people access. There’s nothing unusual about this; you’ve probably done it yourself. I’ve done it myself a large number of times too. What is unusual is that it took me two days to figure out why it wasn’t working.

It’s considered good practice to set file and folder permissions on groups rather than users. That way, if someone leaves, it’s quicker to take them out of the group than have to re-assign all of the permissions to someone else. Also, should someone else need access to the folder, you don’t need to copy the permissions over to them. Therefore, I set up the groups needed in Active Directory and added the people to it. One group was for users who could access all of the files, and another group to provide read only access.

Then it was a case of adding the groups to the folder on the share and giving the relevant permissions to the groups. Full control to one group, read only access to the other and deny access to everyone else.
The folder permissions showing the various access levels to each security group

After that, I just needed to let the staff members know the folder was set up and they could put what they wanted into it. They called not long after to say this message was coming up:

An access denied message to the folder

For some reason the users weren’t able to access the new folder. Ah, silly me, the people who were in the full access group were also in the read only group. I took them out and announced it should be fine again.

An access denied message to the folder
I really don’t like this message

It wasn’t. Hmm… something was definitely amiss. OK, time to do some digging. I knew that adding a user manually to the group allowed them to access the files and folders, but when I took them out they were denied access. Looking at the effective permissions for a user in the full access group, and a user who only had read access, showed that they were being applied correctly.

I’m putting this down to sleepiness on a Friday afternoon, but I honestly couldn’t see what was going wrong. I’d done this lots of times in the past and every time there wasn’t a problem. I re-created the groups, put users back into them, added the groups to the folder and checked the right permissions were being applied. Three times I did this, then gave up.

Monday came around, a user asked if it was fixed yet, and I said no but decided to have another go. This time though, I searched on the Internet before trying anything else. One of the top results was this post on Edugeek:

The solution to the problem that I'd been having as a post on Edugeek
I love Edugeek

Most specifically was this line:

were they in the group when they logged on as if you add a user to a group it dosent[sic] make any odds until they log off and back on again

I’d forgotten that changes made to security groups needed to have the user logged off and on again! In my defence, when I’ve made changes in the past the user wasn’t logged on the computer (I made the changes by going to their computer) whereas this time I was doing it on a different computer. I’d also assumed that the user had tried to access it before asking me on the Monday, but it turns out they hadn’t.

So, the lesson to take away from today is that security groups, unlike distribution groups, don’t dynamically give you access to the resources. Right, I’m off now to find someone else to blame for this.

Additional Method

Once I’d known the reason it wasn’t working, I had a look around to see if there’s a way to prevent having to log people off. According to a few sources, the following should allow this to happen if you type it into a command prompt window. I haven’t tested it, but the logic seems to be there.

Leave a Reply

Your email address will not be published. Required fields are marked *