No announcement yet.

AD Nested Groups not always receiving permissions

  • Filter
  • Time
  • Show
Clear All
new posts

  • AD Nested Groups not always receiving permissions

    We have multiple domains in our forest. We use Universal Security Groups for our department names, and Universal Security Groups for job titles. Within the job titles group is where we list the individual users.

    Every once in a while, we will have an instance where a user is a member of their job title Universal Security Group, which is a member of their departmental Universal Group, but cannot access a share, even though that departmental Universal Group has the correct permissions assigned on the share. Furthermore, another member in that same job title group can access the share.

    The only fix that I have found thus far is to add the user directly to the share's permission.

    Has anyone come across this before? Like I said, it only happens every so often, but I have yet to find an explanation for it.


  • #2
    Re: AD Nested Groups not always receiving permissions

    Does the problem persist even after the user has logged off and back on again? (Changes in group memberships require a new access token to be issued to the user session, and that only happens during authentication.)

    Resolving cross-domain references in Universal Groups involve both the DC holding the Infrastructure Master FSMO role and a Global Catalog DC. Are both these services available and working in the domains where the user account and the file server resides?


    • #3
      Re: AD Nested Groups not always receiving permissions

      So you find that it has never worked for the problem users or intermittently stops working?