Description
Access Denied for Private Shares after joining an Active Directory Domain.
Domain Users and Groups added to the My Cloud have permissions set to DENY by default.
This can cause conflicts when a user is in many and/or nested Groups.
Resolution
User and Group Permission Requirements
The User and Group permissions must be Read Only or Read/Write.
All Groups, and Groups of Groups the user is a member of must have the same permissions.
The effective permissions of the user will be DENY if any Group or nested Group within a Group is set to DENY.
Check User Properties
Check the user account properties on the Domain Controller (DC).
Not a single Group the user is a member of can be set to DENY.
Take a screenshot or notes of all the Groups and nested Groups.
- Sign into the Domain Controller.
- Open Active Directory Users and Computers.
- Right-click the user account.
- Click Properties.
- Click the Member Of tab.
- View all groups listed.
- Do the process for all groups.
- Repeat the process again for any groups that are members of those groups.
- Do this process until all groups have been found.
EXAMPLE:
This image shows user L3Admin is a member of SecGroupA.
SecGroupA is a member of sec2group.
sec2group could be a member of other Group(s).
My Cloud Permissions
Set the correct permissions for all the groups the user is a member of.
- Log in to the My Cloud.
- Go to User and Groups.
- Check the Domain User account.
Make sure none of the Groups the user is a member of has DENY set.
IMPORTANT: Granting access to a Domain Group WILL NOT grant access to other users in the same group, since the default permission for imported Users and Groups on the My Cloud is set to DENY.
- Check and make sure any nested Domain Groups are granted access to the Private Share.
Example # 1:
If the user L3Admin is a member of SecGroupA,
SecGroupA is a member of sec2group,
access to the Private Share will need to be granted to L3Admin, SecGroupA, and sec2group.
They MUST BE Read Only or Read/Write.
The examples below show the effective permissions if any of the groups are NOT CHANGED from the default DENY permission.
User | Domain Users group | Domain Admins group | = | Effective permission |
---|---|---|---|---|
Read / Write | Read Only | Deny | = | Deny |
Read / Write | Deny | Read / Write | = | Deny |
Deny | Read / Write | Read Only | = | Deny |
Read / Write | Read Only | Read Only | = | Read / Write |
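
The check described above can be scripted once the group memberships and the share's permissions have been noted down. The following is an added example, not Western Digital code: it walks the nested groups of a user and lists every principal still at DENY, treating a missing entry as the default DENY. The membership map and permission values are constructed sample data typed in by hand, and the function names are hypothetical.

```python
from collections import deque

DENY, READ_ONLY, READ_WRITE = "Deny", "Read Only", "Read / Write"

def nested_groups(user, member_of):
    """Map every group reachable from `user` to the membership chain that reaches it."""
    chains = {}
    queue = deque([(user, [user])])
    while queue:
        principal, chain = queue.popleft()
        for group in member_of.get(principal, []):
            if group not in chains:          # also stops circular nesting from looping
                chains[group] = chain + [group]
                queue.append((group, chains[group]))
    return chains

def audit_share(user, member_of, share_perms):
    """Return (blocked, findings): every principal in the chain still at DENY."""
    chains = {user: [user], **nested_groups(user, member_of)}
    findings = []
    for principal, chain in chains.items():
        # Imported users and groups with no explicit entry sit at the default DENY.
        if share_perms.get(principal, DENY) == DENY:
            findings.append((principal, " -> ".join(chain)))
    return bool(findings), findings

# Constructed sample data; group names follow the article's Example # 1.
MEMBER_OF = {
    "L3Admin": ["SecGroupA"],
    "SecGroupA": ["sec2group"],
    "sec2group": ["SecGroupA"],   # constructed circular nesting, to show it is handled
}
BEFORE = {"L3Admin": READ_WRITE, "SecGroupA": READ_ONLY}   # sec2group never granted
AFTER = {**BEFORE, "sec2group": READ_ONLY}

if __name__ == "__main__":
    for label, perms in (("before", BEFORE), ("after", AFTER)):
        blocked, findings = audit_share("L3Admin", MEMBER_OF, perms)
        print(label, "-> effective DENY" if blocked else "-> no DENY in chain")
        for principal, chain in findings:
            print(f"  grant Read Only or Read/Write to {principal} (via {chain})")
```

The script only reports whether a DENY remains in the chain; it does not predict whether the resulting access is Read Only or Read/Write.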
Example # 2:
If User A is a member of the Accounting group,
Accounting group is a member of the Payroll group,
access to the Private Share will need to be granted to User A, Accounting group, and Payroll group.
User A | Accounting group | Payroll group | = | Effective permission |
---|---|---|---|---|
Read / Write | Read Only | Deny | = | Deny |
Read / Write | Deny | Read / Write | = | Deny |
Deny | Read / Write | Read Only | = | Deny |
Read / Write | Read Only | Read Only | = | Read / Write |
Example # 3:
If User A is a member of the Support group,
Support group is a member of the Engineering group,
access to the Private Share will need to be granted to User A, Support group, and Engineering group.
User A | Support group | Engineering group | = | Effective permission |
---|---|---|---|---|
Read / Write | Read Only | Deny | = | Deny |
Read / Write | Deny | Read / Write | = | Deny |
Deny | Read / Write | Read Only | = | Deny |
Read / Write | Read Only | Read Only | = | Read / Write |
Example # 4:
If User A is a member of the Support group,
Support group is a member of the Engineering group,
Engineering group is a member of the Quality Assurance group, or ANY other group,
access to the Private Share will need to be granted to User A, Support group, Engineering group, Quality Assurance group, and all of the other nested groups.
User A | Support group | Engineering group | Quality Assurance group | = | Effective permission |
---|---|---|---|---|---|
Read / Write | Read Only | Read Only | Deny | = | Deny |
Read / Write | Read Only | Read / Write | Deny | = | Deny |
Read Only | Read / Write | Read Only | Deny | = | Deny |
Read / Write | Read Only | Read Only | Read Only | = | Read / Write |
User A | Support group | Engineering group | Nested group 1 | Nested group 2 | Nested group 3 | = | Effective permission |
---|---|---|---|---|---|---|---|
Read / Write | Read Only | Read Only | Deny | Read / Write | Read / Write | = | Deny |
Read / Write | Read Only | Read / Write | Read Only | Deny | Read Only | = | Deny |
Read Only | Read / Write | Read Only | Read Only | Read / Write | Deny | = | Deny |
Read / Write | Read Only | Read Only | Read Only | Read / Write | Read / Write | = | Read / Write |