Discussion:
windows 7 - syn issue
(too old to reply)
p***@community.nospam
2009-05-19 17:41:23 UTC
Permalink
Hi all,

I have a workstation client running Windows 7 that is having difficulty
opening any documents from the My Documents folder. We are running Windows
2003 SP2 Domain Controller that has all the users My Documents re-directed
via GPO to a DFS based file share. I have verified all the NTFS & Share
permissions are correct. All other clients (Windows XP) have no problems.
However the Windows 7 client cannot open any document (Word, Excel, PDF,
Text etc) and gets an "Access Denied" message. What is weird is if I
navigate directly to the actual server file share (one of the target roots
of the DFS) then everything works fine. I am able to open and save files OK.

Any ideas?
p***@community.nospam
2009-05-21 17:18:47 UTC
Permalink
OK dug a little deeper and the issues appears to be DFS. I can browse
directly to the target folder on either of the 2 target servers and open
files fine. If however I try to browse via the dfs based name share then I
get an access denied.

For example:

\\server1\users\param\My Documents\test.doc - no problem
\\server2\users\param\My Documents\test.doc - no problem

\\domain.local\users\param\My Documents\test.doc - ACCESS DENIED

Any ideas?
Post by p***@community.nospam
Hi all,
I have a workstation client running Windows 7 that is having difficulty
opening any documents from the My Documents folder. We are running Windows
2003 SP2 Domain Controller that has all the users My Documents re-directed
via GPO to a DFS based file share. I have verified all the NTFS & Share
permissions are correct. All other clients (Windows XP) have no problems.
However the Windows 7 client cannot open any document (Word, Excel, PDF,
Text etc) and gets an "Access Denied" message. What is weird is if I
navigate directly to the actual server file share (one of the target roots
of the DFS) then everything works fine. I am able to open and save files OK.
Any ideas?
DaveMills
2009-05-24 22:01:50 UTC
Permalink
Post by p***@community.nospam
OK dug a little deeper and the issues appears to be DFS. I can browse
directly to the target folder on either of the 2 target servers and open
files fine. If however I try to browse via the dfs based name share then I
get an access denied.
\\server1\users\param\My Documents\test.doc - no problem
\\server2\users\param\My Documents\test.doc - no problem
\\domain.local\users\param\My Documents\test.doc - ACCESS DENIED
Any ideas?
The DFS root folder will contain the links. These look like folders but are re
parse points that point to the sever unc names. So I might have

domain.local/users/john --> \\server1\users\john
where domain.local/users is the DFS root and john is the re parse point.

This is accessed as \\domain.local\users\john and when the client reads this it
retrieves the link destination and then opens \\server\users\john.

If you open C:\Users on the DFS server you will see the folder "John" this is
the re parse point and if you try to open it you cannot because it is not a
folder and can only be open via its UNC name. However it does have NTFS
permissions and these must allow the end user to "read" the re parse point info.
Once this info has been read the client can redirect to the target share. The
target share also has NTFS permissions and these(plus the share permissions)
determine what the user can do.

It is enough to simply grant "Everyone" read on the re parse point although you
may wish to use different permissions, especially if you want to use ABE to
control which links will be displayed to users.

This would be true whatever the client XP, Vista and I presume Windows 7. It may
be just the Windows 7 user that does not have read permission to the re parse
point.
Post by p***@community.nospam
Post by p***@community.nospam
Hi all,
I have a workstation client running Windows 7 that is having difficulty
opening any documents from the My Documents folder. We are running Windows
2003 SP2 Domain Controller that has all the users My Documents re-directed
via GPO to a DFS based file share. I have verified all the NTFS & Share
permissions are correct. All other clients (Windows XP) have no problems.
However the Windows 7 client cannot open any document (Word, Excel, PDF,
Text etc) and gets an "Access Denied" message. What is weird is if I
navigate directly to the actual server file share (one of the target roots
of the DFS) then everything works fine. I am able to open and save files OK.
Any ideas?
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
p***@community.nospam
2009-05-27 17:05:38 UTC
Permalink
Few questions:

1. This is working fine for Windows XP clients. So why would permissions
need to be any different for Windows 7 clients?

2. Here is my setup:

I have 3 file servers that host not only the file shares but also the DFS
Roots. The 3 file servers are in 3 different AD Sites (based on network
subnet) and so the concept is clients get re-directed to the file server
closest to them in their site.

\\domain.local\DFS - root namespace

\\server1\DFS \\server2\DFS \\server3\DFS - namespace servers

NTFS Permissions for DFS root folder on each of the namespace servers -
Administrators - FULL, Domain Admins - FULL, Domain Users - FULL, Everyone -
Read, System - FULL

SHARE Permissions for DFS root folder on each of the namespace servers -
Administrators - FULL, Domain Admins - FULL, Domain Users - FULL, Everyone -
Read, System - FULL

\\domain.local\DFS\Users - dfs folder

\\server1\Users \\server2\Users \\server3\Users - folder targets for Users
DFS Folder


NTFS Permissions for Users folder on each folder target server - Domain
Admins - FULL, System - FULL, Creator Owner - FULL - Subfolder & Files Only,
Domain Users - Traverse Folder/Execute File, List Folder/Read Data, Read
Attributes, Create Folders/Append Data - This Folder Only

SHARE Permissions for Users folder on each folder target server - Domain
Admins - FULL, System - FULL, Domain Users - FULL, Everyone - Read

Thanks!!
Post by DaveMills
Post by p***@community.nospam
OK dug a little deeper and the issues appears to be DFS. I can browse
directly to the target folder on either of the 2 target servers and open
files fine. If however I try to browse via the dfs based name share then I
get an access denied.
\\server1\users\param\My Documents\test.doc - no problem
\\server2\users\param\My Documents\test.doc - no problem
\\domain.local\users\param\My Documents\test.doc - ACCESS DENIED
Any ideas?
The DFS root folder will contain the links. These look like folders but are re
parse points that point to the sever unc names. So I might have
domain.local/users/john --> \\server1\users\john
where domain.local/users is the DFS root and john is the re parse point.
This is accessed as \\domain.local\users\john and when the client reads this it
retrieves the link destination and then opens \\server\users\john.
If you open C:\Users on the DFS server you will see the folder "John" this is
the re parse point and if you try to open it you cannot because it is not a
folder and can only be open via its UNC name. However it does have NTFS
permissions and these must allow the end user to "read" the re parse point info.
Once this info has been read the client can redirect to the target share. The
target share also has NTFS permissions and these(plus the share permissions)
determine what the user can do.
It is enough to simply grant "Everyone" read on the re parse point although you
may wish to use different permissions, especially if you want to use ABE to
control which links will be displayed to users.
This would be true whatever the client XP, Vista and I presume Windows 7. It may
be just the Windows 7 user that does not have read permission to the re parse
point.
Post by p***@community.nospam
Post by p***@community.nospam
Hi all,
I have a workstation client running Windows 7 that is having difficulty
opening any documents from the My Documents folder. We are running Windows
2003 SP2 Domain Controller that has all the users My Documents re-directed
via GPO to a DFS based file share. I have verified all the NTFS & Share
permissions are correct. All other clients (Windows XP) have no problems.
However the Windows 7 client cannot open any document (Word, Excel, PDF,
Text etc) and gets an "Access Denied" message. What is weird is if I
navigate directly to the actual server file share (one of the target roots
of the DFS) then everything works fine. I am able to open and save files OK.
Any ideas?
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
DaveMills
2009-05-28 10:22:58 UTC
Permalink
Post by p***@community.nospam
1. This is working fine for Windows XP clients. So why would permissions
need to be any different for Windows 7 clients?
Sorry, I did not notice this. I have only just started trying W7 so have no
experience.
Post by p***@community.nospam
I have 3 file servers that host not only the file shares but also the DFS
Roots. The 3 file servers are in 3 different AD Sites (based on network
subnet) and so the concept is clients get re-directed to the file server
closest to them in their site.
\\domain.local\DFS - root namespace
\\server1\DFS \\server2\DFS \\server3\DFS - namespace servers
NTFS Permissions for DFS root folder on each of the namespace servers -
Administrators - FULL, Domain Admins - FULL, Domain Users - FULL, Everyone -
Read, System - FULL
Seems OK, Having Domain User - FULL can cause problems as a user can then put
files in the DFS root instead of the targets which you may not want, i.e. save
word.doc to \\domain.local\dfs instead of \\domain.local\dfs\Users\xxxx
Post by p***@community.nospam
SHARE Permissions for DFS root folder on each of the namespace servers -
Administrators - FULL, Domain Admins - FULL, Domain Users - FULL, Everyone -
Read, System - FULL
\\domain.local\DFS\Users - dfs folder
I would call this the DFS Link, i.e. not a folder but a reparse point.
Post by p***@community.nospam
\\server1\Users \\server2\Users \\server3\Users - folder targets for Users
DFS Folder
This is not a DFS folder at all but simply the normal shared folder that are the
targets. Am I correct?
Post by p***@community.nospam
NTFS Permissions for Users folder on each folder target server - Domain
Admins - FULL, System - FULL, Creator Owner - FULL - Subfolder & Files Only,
Domain Users - Traverse Folder/Execute File, List Folder/Read Data, Read
Attributes, Create Folders/Append Data - This Folder Only
Seems OK, Users can create folders then have F/C as the owners.

Now I have no idea why Win7 has a problems with all this. I sure hope an answer
is found as I wish to use Win7 once it goes gold and this issue would be a real
problem. Please let us know if you find the answer.
Post by p***@community.nospam
SHARE Permissions for Users folder on each folder target server - Domain
Admins - FULL, System - FULL, Domain Users - FULL, Everyone - Read
Thanks!!
Post by DaveMills
Post by p***@community.nospam
OK dug a little deeper and the issues appears to be DFS. I can browse
directly to the target folder on either of the 2 target servers and open
files fine. If however I try to browse via the dfs based name share then I
get an access denied.
\\server1\users\param\My Documents\test.doc - no problem
\\server2\users\param\My Documents\test.doc - no problem
\\domain.local\users\param\My Documents\test.doc - ACCESS DENIED
Any ideas?
The DFS root folder will contain the links. These look like folders but are re
parse points that point to the sever unc names. So I might have
domain.local/users/john --> \\server1\users\john
where domain.local/users is the DFS root and john is the re parse point.
This is accessed as \\domain.local\users\john and when the client reads this it
retrieves the link destination and then opens \\server\users\john.
If you open C:\Users on the DFS server you will see the folder "John" this is
the re parse point and if you try to open it you cannot because it is not a
folder and can only be open via its UNC name. However it does have NTFS
permissions and these must allow the end user to "read" the re parse point info.
Once this info has been read the client can redirect to the target share. The
target share also has NTFS permissions and these(plus the share permissions)
determine what the user can do.
It is enough to simply grant "Everyone" read on the re parse point although you
may wish to use different permissions, especially if you want to use ABE to
control which links will be displayed to users.
This would be true whatever the client XP, Vista and I presume Windows 7. It may
be just the Windows 7 user that does not have read permission to the re parse
point.
Post by p***@community.nospam
Post by p***@community.nospam
Hi all,
I have a workstation client running Windows 7 that is having difficulty
opening any documents from the My Documents folder. We are running Windows
2003 SP2 Domain Controller that has all the users My Documents re-directed
via GPO to a DFS based file share. I have verified all the NTFS & Share
permissions are correct. All other clients (Windows XP) have no problems.
However the Windows 7 client cannot open any document (Word, Excel, PDF,
Text etc) and gets an "Access Denied" message. What is weird is if I
navigate directly to the actual server file share (one of the target roots
of the DFS) then everything works fine. I am able to open and save files OK.
Any ideas?
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
p***@community.nospam
2009-06-01 15:08:01 UTC
Permalink
See below my responses with [PR].
Post by DaveMills
Post by p***@community.nospam
1. This is working fine for Windows XP clients. So why would permissions
need to be any different for Windows 7 clients?
Sorry, I did not notice this. I have only just started trying W7 so have no
experience.
[PR] - yea this is going to be an issue with W7 if this doesnt work.
Post by DaveMills
Post by p***@community.nospam
I have 3 file servers that host not only the file shares but also the DFS
Roots. The 3 file servers are in 3 different AD Sites (based on network
subnet) and so the concept is clients get re-directed to the file server
closest to them in their site.
\\domain.local\DFS - root namespace
\\server1\DFS \\server2\DFS \\server3\DFS - namespace servers
NTFS Permissions for DFS root folder on each of the namespace servers -
Administrators - FULL, Domain Admins - FULL, Domain Users - FULL, Everyone -
Read, System - FULL
Seems OK, Having Domain User - FULL can cause problems as a user can then put
files in the DFS root instead of the targets which you may not want, i.e. save
word.doc to \\domain.local\dfs instead of \\domain.local\dfs\Users\xxxx
[PR] - I changed it to FULL recently to see if that resolves the W7 issue.
Post by DaveMills
Post by p***@community.nospam
SHARE Permissions for DFS root folder on each of the namespace servers -
Administrators - FULL, Domain Admins - FULL, Domain Users - FULL, Everyone -
Read, System - FULL
\\domain.local\DFS\Users - dfs folder
I would call this the DFS Link, i.e. not a folder but a reparse point.
[PR] - OK.
Post by DaveMills
Post by p***@community.nospam
\\server1\Users \\server2\Users \\server3\Users - folder targets for Users
DFS Folder
This is not a DFS folder at all but simply the normal shared folder that are the
targets. Am I correct?
[PR] - Correct.
Post by DaveMills
Post by p***@community.nospam
NTFS Permissions for Users folder on each folder target server - Domain
Admins - FULL, System - FULL, Creator Owner - FULL - Subfolder & Files Only,
Domain Users - Traverse Folder/Execute File, List Folder/Read Data, Read
Attributes, Create Folders/Append Data - This Folder Only
Seems OK, Users can create folders then have F/C as the owners.
Now I have no idea why Win7 has a problems with all this. I sure hope an answer
is found as I wish to use Win7 once it goes gold and this issue would be a real
problem. Please let us know if you find the answer.
[PR] - I hope I find the answer. I will post when I do.
Post by DaveMills
Post by p***@community.nospam
SHARE Permissions for Users folder on each folder target server - Domain
Admins - FULL, System - FULL, Domain Users - FULL, Everyone - Read
Thanks!!
Post by DaveMills
Post by p***@community.nospam
OK dug a little deeper and the issues appears to be DFS. I can browse
directly to the target folder on either of the 2 target servers and open
files fine. If however I try to browse via the dfs based name share then I
get an access denied.
\\server1\users\param\My Documents\test.doc - no problem
\\server2\users\param\My Documents\test.doc - no problem
\\domain.local\users\param\My Documents\test.doc - ACCESS DENIED
Any ideas?
The DFS root folder will contain the links. These look like folders but are re
parse points that point to the sever unc names. So I might have
domain.local/users/john --> \\server1\users\john
where domain.local/users is the DFS root and john is the re parse point.
This is accessed as \\domain.local\users\john and when the client reads this it
retrieves the link destination and then opens \\server\users\john.
If you open C:\Users on the DFS server you will see the folder "John"
this
is
the re parse point and if you try to open it you cannot because it is
not
a
folder and can only be open via its UNC name. However it does have NTFS
permissions and these must allow the end user to "read" the re parse
point
info.
Once this info has been read the client can redirect to the target
share.
The
target share also has NTFS permissions and these(plus the share permissions)
determine what the user can do.
It is enough to simply grant "Everyone" read on the re parse point although you
may wish to use different permissions, especially if you want to use ABE to
control which links will be displayed to users.
This would be true whatever the client XP, Vista and I presume Windows
7.
It may
be just the Windows 7 user that does not have read permission to the re parse
point.
Post by p***@community.nospam
Post by p***@community.nospam
Hi all,
I have a workstation client running Windows 7 that is having difficulty
opening any documents from the My Documents folder. We are running Windows
2003 SP2 Domain Controller that has all the users My Documents re-directed
via GPO to a DFS based file share. I have verified all the NTFS & Share
permissions are correct. All other clients (Windows XP) have no problems.
However the Windows 7 client cannot open any document (Word, Excel, PDF,
Text etc) and gets an "Access Denied" message. What is weird is if I
navigate directly to the actual server file share (one of the target roots
of the DFS) then everything works fine. I am able to open and save
files
OK.
Any ideas?
--
Dave Mills
There are 10 types of people, those that understand binary and those
that
don't.
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
p***@community.nospam
2009-06-03 17:11:54 UTC
Permalink
OK, I dug a little deeper and found some additional interesting results:

One of the folder targets on the dfs file share is CORPVS01.

If I access the share directly i.e. \\corpvs01\Users\param\My Documents I am
able to copy files to that location, but everytime I try to open a file
(Word, Excel, PDF etc.) I get an access denied error.

Now however if I access the share via
\\corpvs01.mydomain.local\Users\param\My Documents everything works OK.

Any ideas??
Post by p***@community.nospam
See below my responses with [PR].
Post by DaveMills
Post by p***@community.nospam
1. This is working fine for Windows XP clients. So why would permissions
need to be any different for Windows 7 clients?
Sorry, I did not notice this. I have only just started trying W7 so have no
experience.
[PR] - yea this is going to be an issue with W7 if this doesnt work.
Post by DaveMills
Post by p***@community.nospam
I have 3 file servers that host not only the file shares but also the DFS
Roots. The 3 file servers are in 3 different AD Sites (based on network
subnet) and so the concept is clients get re-directed to the file server
closest to them in their site.
\\domain.local\DFS - root namespace
\\server1\DFS \\server2\DFS \\server3\DFS - namespace servers
NTFS Permissions for DFS root folder on each of the namespace servers -
Administrators - FULL, Domain Admins - FULL, Domain Users - FULL, Everyone -
Read, System - FULL
Seems OK, Having Domain User - FULL can cause problems as a user can then put
files in the DFS root instead of the targets which you may not want, i.e. save
word.doc to \\domain.local\dfs instead of \\domain.local\dfs\Users\xxxx
[PR] - I changed it to FULL recently to see if that resolves the W7 issue.
Post by DaveMills
Post by p***@community.nospam
SHARE Permissions for DFS root folder on each of the namespace servers -
Administrators - FULL, Domain Admins - FULL, Domain Users - FULL, Everyone -
Read, System - FULL
\\domain.local\DFS\Users - dfs folder
I would call this the DFS Link, i.e. not a folder but a reparse point.
[PR] - OK.
Post by DaveMills
Post by p***@community.nospam
\\server1\Users \\server2\Users \\server3\Users - folder targets for Users
DFS Folder
This is not a DFS folder at all but simply the normal shared folder that are the
targets. Am I correct?
[PR] - Correct.
Post by DaveMills
Post by p***@community.nospam
NTFS Permissions for Users folder on each folder target server - Domain
Admins - FULL, System - FULL, Creator Owner - FULL - Subfolder & Files Only,
Domain Users - Traverse Folder/Execute File, List Folder/Read Data, Read
Attributes, Create Folders/Append Data - This Folder Only
Seems OK, Users can create folders then have F/C as the owners.
Now I have no idea why Win7 has a problems with all this. I sure hope an answer
is found as I wish to use Win7 once it goes gold and this issue would be a real
problem. Please let us know if you find the answer.
[PR] - I hope I find the answer. I will post when I do.
Post by DaveMills
Post by p***@community.nospam
SHARE Permissions for Users folder on each folder target server - Domain
Admins - FULL, System - FULL, Domain Users - FULL, Everyone - Read
Thanks!!
Post by DaveMills
Post by p***@community.nospam
OK dug a little deeper and the issues appears to be DFS. I can browse
directly to the target folder on either of the 2 target servers and open
files fine. If however I try to browse via the dfs based name share then I
get an access denied.
\\server1\users\param\My Documents\test.doc - no problem
\\server2\users\param\My Documents\test.doc - no problem
\\domain.local\users\param\My Documents\test.doc - ACCESS DENIED
Any ideas?
The DFS root folder will contain the links. These look like folders but are re
parse points that point to the sever unc names. So I might have
domain.local/users/john --> \\server1\users\john
where domain.local/users is the DFS root and john is the re parse point.
This is accessed as \\domain.local\users\john and when the client reads this it
retrieves the link destination and then opens \\server\users\john.
If you open C:\Users on the DFS server you will see the folder "John"
this
is
the re parse point and if you try to open it you cannot because it is
not
a
folder and can only be open via its UNC name. However it does have NTFS
permissions and these must allow the end user to "read" the re parse
point
info.
Once this info has been read the client can redirect to the target
share.
The
target share also has NTFS permissions and these(plus the share permissions)
determine what the user can do.
It is enough to simply grant "Everyone" read on the re parse point although you
may wish to use different permissions, especially if you want to use
ABE
to
control which links will be displayed to users.
This would be true whatever the client XP, Vista and I presume Windows
7.
It may
be just the Windows 7 user that does not have read permission to the re parse
point.
Post by p***@community.nospam
Post by p***@community.nospam
Hi all,
I have a workstation client running Windows 7 that is having difficulty
opening any documents from the My Documents folder. We are running Windows
2003 SP2 Domain Controller that has all the users My Documents re-directed
via GPO to a DFS based file share. I have verified all the NTFS & Share
permissions are correct. All other clients (Windows XP) have no problems.
However the Windows 7 client cannot open any document (Word, Excel, PDF,
Text etc) and gets an "Access Denied" message. What is weird is if I
navigate directly to the actual server file share (one of the target roots
of the DFS) then everything works fine. I am able to open and save
files
OK.
Any ideas?
--
Dave Mills
There are 10 types of people, those that understand binary and those
that
don't.
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
DaveMills
2009-06-15 05:00:13 UTC
Permalink
Sorry fro delay, been on vacation.
Post by p***@community.nospam
One of the folder targets on the dfs file share is CORPVS01.
If I access the share directly i.e. \\corpvs01\Users\param\My Documents I am
able to copy files to that location, but everytime I try to open a file
(Word, Excel, PDF etc.) I get an access denied error.
Now however if I access the share via
\\corpvs01.mydomain.local\Users\param\My Documents everything works OK.
Any ideas??
On the face of it this looks like a problem with simple sharing not DFS but I
think you have been changing the names to hide the real names. I did once get
into a lot of trouble when I first users W2k DFS and used the same name for the
DSF root as I had for and existing file share on the DFS server. I cannot
remember the details but the name space became very confused and so sold the
problem I had to change the names everywhere and could never reuse the old share
name without problems. This was in a test lab so I eventually abandoned it and
have been careful not to repeat the name conflict again.
Post by p***@community.nospam
Post by p***@community.nospam
See below my responses with [PR].
Post by DaveMills
Post by p***@community.nospam
1. This is working fine for Windows XP clients. So why would permissions
need to be any different for Windows 7 clients?
Sorry, I did not notice this. I have only just started trying W7 so have no
experience.
[PR] - yea this is going to be an issue with W7 if this doesnt work.
Post by DaveMills
Post by p***@community.nospam
I have 3 file servers that host not only the file shares but also the DFS
Roots. The 3 file servers are in 3 different AD Sites (based on network
subnet) and so the concept is clients get re-directed to the file server
closest to them in their site.
\\domain.local\DFS - root namespace
\\server1\DFS \\server2\DFS \\server3\DFS - namespace servers
NTFS Permissions for DFS root folder on each of the namespace servers -
Administrators - FULL, Domain Admins - FULL, Domain Users - FULL, Everyone -
Read, System - FULL
Seems OK, Having Domain User - FULL can cause problems as a user can then put
files in the DFS root instead of the targets which you may not want, i.e. save
word.doc to \\domain.local\dfs instead of \\domain.local\dfs\Users\xxxx
[PR] - I changed it to FULL recently to see if that resolves the W7 issue.
Post by DaveMills
Post by p***@community.nospam
SHARE Permissions for DFS root folder on each of the namespace servers -
Administrators - FULL, Domain Admins - FULL, Domain Users - FULL, Everyone -
Read, System - FULL
\\domain.local\DFS\Users - dfs folder
I would call this the DFS Link, i.e. not a folder but a reparse point.
[PR] - OK.
Post by DaveMills
Post by p***@community.nospam
\\server1\Users \\server2\Users \\server3\Users - folder targets for Users
DFS Folder
This is not a DFS folder at all but simply the normal shared folder that are the
targets. Am I correct?
[PR] - Correct.
Post by DaveMills
Post by p***@community.nospam
NTFS Permissions for Users folder on each folder target server - Domain
Admins - FULL, System - FULL, Creator Owner - FULL - Subfolder & Files Only,
Domain Users - Traverse Folder/Execute File, List Folder/Read Data, Read
Attributes, Create Folders/Append Data - This Folder Only
Seems OK, Users can create folders then have F/C as the owners.
Now I have no idea why Win7 has a problems with all this. I sure hope an answer
is found as I wish to use Win7 once it goes gold and this issue would be a real
problem. Please let us know if you find the answer.
[PR] - I hope I find the answer. I will post when I do.
Post by DaveMills
Post by p***@community.nospam
SHARE Permissions for Users folder on each folder target server - Domain
Admins - FULL, System - FULL, Domain Users - FULL, Everyone - Read
Thanks!!
Post by DaveMills
Post by p***@community.nospam
OK dug a little deeper and the issues appears to be DFS. I can browse
directly to the target folder on either of the 2 target servers and open
files fine. If however I try to browse via the dfs based name share then I
get an access denied.
\\server1\users\param\My Documents\test.doc - no problem
\\server2\users\param\My Documents\test.doc - no problem
\\domain.local\users\param\My Documents\test.doc - ACCESS DENIED
Any ideas?
The DFS root folder will contain the links. These look like folders but are re
parse points that point to the sever unc names. So I might have
domain.local/users/john --> \\server1\users\john
where domain.local/users is the DFS root and john is the re parse point.
This is accessed as \\domain.local\users\john and when the client reads this it
retrieves the link destination and then opens \\server\users\john.
If you open C:\Users on the DFS server you will see the folder "John"
this
is
the re parse point and if you try to open it you cannot because it is
not
a
folder and can only be open via its UNC name. However it does have NTFS
permissions and these must allow the end user to "read" the re parse
point
info.
Once this info has been read the client can redirect to the target
share.
The
target share also has NTFS permissions and these(plus the share permissions)
determine what the user can do.
It is enough to simply grant "Everyone" read on the re parse point although you
may wish to use different permissions, especially if you want to use
ABE
to
control which links will be displayed to users.
This would be true whatever the client XP, Vista and I presume Windows
7.
It may
be just the Windows 7 user that does not have read permission to the re parse
point.
Post by p***@community.nospam
Post by p***@community.nospam
Hi all,
I have a workstation client running Windows 7 that is having difficulty
opening any documents from the My Documents folder. We are running Windows
2003 SP2 Domain Controller that has all the users My Documents re-directed
via GPO to a DFS based file share. I have verified all the NTFS & Share
permissions are correct. All other clients (Windows XP) have no problems.
However the Windows 7 client cannot open any document (Word, Excel, PDF,
Text etc) and gets an "Access Denied" message. What is weird is if I
navigate directly to the actual server file share (one of the target roots
of the DFS) then everything works fine. I am able to open and save
files
OK.
Any ideas?
--
Dave Mills
There are 10 types of people, those that understand binary and those
that
don't.
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
p***@community.nospam
2009-06-16 15:41:49 UTC
Permalink
Yea, I have tried every possibility. Weird thing is I have another Windows
XP machine and I dont have any problems on it.

It almost seems like when Windows 7 tries to open a file it needs
permissions to all the parent folders??

\\servername\sharename\username\My Documents - the user has full access to
only the user's folder and any child folders below it.

Could this be the problem? All other file shares we have that are non My
Documents related work fine.

Thanks!
Post by DaveMills
Sorry fro delay, been on vacation.
Post by p***@community.nospam
One of the folder targets on the dfs file share is CORPVS01.
If I access the share directly i.e. \\corpvs01\Users\param\My Documents I am
able to copy files to that location, but everytime I try to open a file
(Word, Excel, PDF etc.) I get an access denied error.
Now however if I access the share via
\\corpvs01.mydomain.local\Users\param\My Documents everything works OK.
Any ideas??
On the face of it this looks like a problem with simple sharing not DFS but I
think you have been changing the names to hide the real names. I did once get
into a lot of trouble when I first users W2k DFS and used the same name for the
DSF root as I had for and existing file share on the DFS server. I cannot
remember the details but the name space became very confused and so sold the
problem I had to change the names everywhere and could never reuse the old share
name without problems. This was in a test lab so I eventually abandoned it and
have been careful not to repeat the name conflict again.
Post by p***@community.nospam
Post by p***@community.nospam
See below my responses with [PR].
Post by DaveMills
Post by p***@community.nospam
1. This is working fine for Windows XP clients. So why would permissions
need to be any different for Windows 7 clients?
Sorry, I did not notice this. I have only just started trying W7 so
have
no
experience.
[PR] - yea this is going to be an issue with W7 if this doesnt work.
Post by DaveMills
Post by p***@community.nospam
I have 3 file servers that host not only the file shares but also the DFS
Roots. The 3 file servers are in 3 different AD Sites (based on network
subnet) and so the concept is clients get re-directed to the file server
closest to them in their site.
\\domain.local\DFS - root namespace
\\server1\DFS \\server2\DFS \\server3\DFS - namespace servers
NTFS Permissions for DFS root folder on each of the namespace servers -
Administrators - FULL, Domain Admins - FULL, Domain Users - FULL, Everyone -
Read, System - FULL
Seems OK, Having Domain User - FULL can cause problems as a user can
then
put
files in the DFS root instead of the targets which you may not want,
i.e.
save
word.doc to \\domain.local\dfs instead of \\domain.local\dfs\Users\xxxx
[PR] - I changed it to FULL recently to see if that resolves the W7 issue.
Post by DaveMills
Post by p***@community.nospam
SHARE Permissions for DFS root folder on each of the namespace servers -
Administrators - FULL, Domain Admins - FULL, Domain Users - FULL, Everyone -
Read, System - FULL
\\domain.local\DFS\Users - dfs folder
I would call this the DFS Link, i.e. not a folder but a reparse point.
[PR] - OK.
Post by DaveMills
Post by p***@community.nospam
\\server1\Users \\server2\Users \\server3\Users - folder targets for Users
DFS Folder
This is not a DFS folder at all but simply the normal shared folder
that
are the
targets. Am I correct?
[PR] - Correct.
Post by DaveMills
Post by p***@community.nospam
NTFS Permissions for Users folder on each folder target server - Domain
Admins - FULL, System - FULL, Creator Owner - FULL - Subfolder & Files Only,
Domain Users - Traverse Folder/Execute File, List Folder/Read Data, Read
Attributes, Create Folders/Append Data - This Folder Only
Seems OK, Users can create folders then have F/C as the owners.
Now I have no idea why Win7 has a problems with all this. I sure hope
an
answer
is found as I wish to use Win7 once it goes gold and this issue would
be
a real
problem. Please let us know if you find the answer.
[PR] - I hope I find the answer. I will post when I do.
Post by DaveMills
Post by p***@community.nospam
SHARE Permissions for Users folder on each folder target server - Domain
Admins - FULL, System - FULL, Domain Users - FULL, Everyone - Read
Thanks!!
Post by DaveMills
Post by p***@community.nospam
OK dug a little deeper and the issues appears to be DFS. I can browse
directly to the target folder on either of the 2 target servers and open
files fine. If however I try to browse via the dfs based name share then I
get an access denied.
\\server1\users\param\My Documents\test.doc - no problem
\\server2\users\param\My Documents\test.doc - no problem
\\domain.local\users\param\My Documents\test.doc - ACCESS DENIED
Any ideas?
The DFS root folder will contain the links. These look like folders
but
are re
parse points that point to the sever unc names. So I might have
domain.local/users/john --> \\server1\users\john
where domain.local/users is the DFS root and john is the re parse point.
This is accessed as \\domain.local\users\john and when the client
reads
this it
retrieves the link destination and then opens \\server\users\john.
If you open C:\Users on the DFS server you will see the folder "John"
this
is
the re parse point and if you try to open it you cannot because it is
not
a
folder and can only be open via its UNC name. However it does have NTFS
permissions and these must allow the end user to "read" the re parse
point
info.
Once this info has been read the client can redirect to the target
share.
The
target share also has NTFS permissions and these(plus the share permissions)
determine what the user can do.
It is enough to simply grant "Everyone" read on the re parse point although you
may wish to use different permissions, especially if you want to use
ABE
to
control which links will be displayed to users.
This would be true whatever the client XP, Vista and I presume Windows
7.
It may
be just the Windows 7 user that does not have read permission to the
re
parse
point.
Post by p***@community.nospam
Post by p***@community.nospam
Hi all,
I have a workstation client running Windows 7 that is having difficulty
opening any documents from the My Documents folder. We are running Windows
2003 SP2 Domain Controller that has all the users My Documents re-directed
via GPO to a DFS based file share. I have verified all the NTFS & Share
permissions are correct. All other clients (Windows XP) have no problems.
However the Windows 7 client cannot open any document (Word, Excel, PDF,
Text etc) and gets an "Access Denied" message. What is weird is if I
navigate directly to the actual server file share (one of the
target
roots
of the DFS) then everything works fine. I am able to open and save
files
OK.
Any ideas?
--
Dave Mills
There are 10 types of people, those that understand binary and those
that
don't.
--
Dave Mills
There are 10 types of people, those that understand binary and those
that
don't.
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
p***@community.nospam
2009-06-16 15:41:49 UTC
Permalink
Yea, I have tried every possibility. Weird thing is I have another Windows
XP machine and I dont have any problems on it.

It almost seems like when Windows 7 tries to open a file it needs
permissions to all the parent folders??

\\servername\sharename\username\My Documents - the user has full access to
only the user's folder and any child folders below it.

Could this be the problem? All other file shares we have that are non My
Documents related work fine.

Thanks!
Post by DaveMills
Sorry fro delay, been on vacation.
Post by p***@community.nospam
One of the folder targets on the dfs file share is CORPVS01.
If I access the share directly i.e. \\corpvs01\Users\param\My Documents I am
able to copy files to that location, but everytime I try to open a file
(Word, Excel, PDF etc.) I get an access denied error.
Now however if I access the share via
\\corpvs01.mydomain.local\Users\param\My Documents everything works OK.
Any ideas??
On the face of it this looks like a problem with simple sharing not DFS but I
think you have been changing the names to hide the real names. I did once get
into a lot of trouble when I first users W2k DFS and used the same name for the
DSF root as I had for and existing file share on the DFS server. I cannot
remember the details but the name space became very confused and so sold the
problem I had to change the names everywhere and could never reuse the old share
name without problems. This was in a test lab so I eventually abandoned it and
have been careful not to repeat the name conflict again.
Post by p***@community.nospam
Post by p***@community.nospam
See below my responses with [PR].
Post by DaveMills
Post by p***@community.nospam
1. This is working fine for Windows XP clients. So why would permissions
need to be any different for Windows 7 clients?
Sorry, I did not notice this. I have only just started trying W7 so
have
no
experience.
[PR] - yea this is going to be an issue with W7 if this doesnt work.
Post by DaveMills
Post by p***@community.nospam
I have 3 file servers that host not only the file shares but also the DFS
Roots. The 3 file servers are in 3 different AD Sites (based on network
subnet) and so the concept is clients get re-directed to the file server
closest to them in their site.
\\domain.local\DFS - root namespace
\\server1\DFS \\server2\DFS \\server3\DFS - namespace servers
NTFS Permissions for DFS root folder on each of the namespace servers -
Administrators - FULL, Domain Admins - FULL, Domain Users - FULL, Everyone -
Read, System - FULL
Seems OK, Having Domain User - FULL can cause problems as a user can
then
put
files in the DFS root instead of the targets which you may not want,
i.e.
save
word.doc to \\domain.local\dfs instead of \\domain.local\dfs\Users\xxxx
[PR] - I changed it to FULL recently to see if that resolves the W7 issue.
Post by DaveMills
Post by p***@community.nospam
SHARE Permissions for DFS root folder on each of the namespace servers -
Administrators - FULL, Domain Admins - FULL, Domain Users - FULL, Everyone -
Read, System - FULL
\\domain.local\DFS\Users - dfs folder
I would call this the DFS Link, i.e. not a folder but a reparse point.
[PR] - OK.
Post by DaveMills
Post by p***@community.nospam
\\server1\Users \\server2\Users \\server3\Users - folder targets for Users
DFS Folder
This is not a DFS folder at all but simply the normal shared folder
that
are the
targets. Am I correct?
[PR] - Correct.
Post by DaveMills
Post by p***@community.nospam
NTFS Permissions for Users folder on each folder target server - Domain
Admins - FULL, System - FULL, Creator Owner - FULL - Subfolder & Files Only,
Domain Users - Traverse Folder/Execute File, List Folder/Read Data, Read
Attributes, Create Folders/Append Data - This Folder Only
Seems OK, Users can create folders then have F/C as the owners.
Now I have no idea why Win7 has a problems with all this. I sure hope
an
answer
is found as I wish to use Win7 once it goes gold and this issue would
be
a real
problem. Please let us know if you find the answer.
[PR] - I hope I find the answer. I will post when I do.
Post by DaveMills
Post by p***@community.nospam
SHARE Permissions for Users folder on each folder target server - Domain
Admins - FULL, System - FULL, Domain Users - FULL, Everyone - Read
Thanks!!
Post by DaveMills
Post by p***@community.nospam
OK dug a little deeper and the issues appears to be DFS. I can browse
directly to the target folder on either of the 2 target servers and open
files fine. If however I try to browse via the dfs based name share then I
get an access denied.
\\server1\users\param\My Documents\test.doc - no problem
\\server2\users\param\My Documents\test.doc - no problem
\\domain.local\users\param\My Documents\test.doc - ACCESS DENIED
Any ideas?
The DFS root folder will contain the links. These look like folders
but
are re
parse points that point to the sever unc names. So I might have
domain.local/users/john --> \\server1\users\john
where domain.local/users is the DFS root and john is the re parse point.
This is accessed as \\domain.local\users\john and when the client
reads
this it
retrieves the link destination and then opens \\server\users\john.
If you open C:\Users on the DFS server you will see the folder "John"
this
is
the re parse point and if you try to open it you cannot because it is
not
a
folder and can only be open via its UNC name. However it does have NTFS
permissions and these must allow the end user to "read" the re parse
point
info.
Once this info has been read the client can redirect to the target
share.
The
target share also has NTFS permissions and these(plus the share permissions)
determine what the user can do.
It is enough to simply grant "Everyone" read on the re parse point although you
may wish to use different permissions, especially if you want to use
ABE
to
control which links will be displayed to users.
This would be true whatever the client XP, Vista and I presume Windows
7.
It may
be just the Windows 7 user that does not have read permission to the
re
parse
point.
Post by p***@community.nospam
Post by p***@community.nospam
Hi all,
I have a workstation client running Windows 7 that is having difficulty
opening any documents from the My Documents folder. We are running Windows
2003 SP2 Domain Controller that has all the users My Documents re-directed
via GPO to a DFS based file share. I have verified all the NTFS & Share
permissions are correct. All other clients (Windows XP) have no problems.
However the Windows 7 client cannot open any document (Word, Excel, PDF,
Text etc) and gets an "Access Denied" message. What is weird is if I
navigate directly to the actual server file share (one of the
target
roots
of the DFS) then everything works fine. I am able to open and save
files
OK.
Any ideas?
--
Dave Mills
There are 10 types of people, those that understand binary and those
that
don't.
--
Dave Mills
There are 10 types of people, those that understand binary and those
that
don't.
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
p***@community.nospam
2009-06-03 17:11:54 UTC
Permalink
OK, I dug a little deeper and found some additional interesting results:

One of the folder targets on the dfs file share is CORPVS01.

If I access the share directly i.e. \\corpvs01\Users\param\My Documents I am
able to copy files to that location, but everytime I try to open a file
(Word, Excel, PDF etc.) I get an access denied error.

Now however if I access the share via
\\corpvs01.mydomain.local\Users\param\My Documents everything works OK.

Any ideas??
Post by p***@community.nospam
See below my responses with [PR].
Post by DaveMills
Post by p***@community.nospam
1. This is working fine for Windows XP clients. So why would permissions
need to be any different for Windows 7 clients?
Sorry, I did not notice this. I have only just started trying W7 so have no
experience.
[PR] - yea this is going to be an issue with W7 if this doesnt work.
Post by DaveMills
Post by p***@community.nospam
I have 3 file servers that host not only the file shares but also the DFS
Roots. The 3 file servers are in 3 different AD Sites (based on network
subnet) and so the concept is clients get re-directed to the file server
closest to them in their site.
\\domain.local\DFS - root namespace
\\server1\DFS \\server2\DFS \\server3\DFS - namespace servers
NTFS Permissions for DFS root folder on each of the namespace servers -
Administrators - FULL, Domain Admins - FULL, Domain Users - FULL, Everyone -
Read, System - FULL
Seems OK, Having Domain User - FULL can cause problems as a user can then put
files in the DFS root instead of the targets which you may not want, i.e. save
word.doc to \\domain.local\dfs instead of \\domain.local\dfs\Users\xxxx
[PR] - I changed it to FULL recently to see if that resolves the W7 issue.
Post by DaveMills
Post by p***@community.nospam
SHARE Permissions for DFS root folder on each of the namespace servers -
Administrators - FULL, Domain Admins - FULL, Domain Users - FULL, Everyone -
Read, System - FULL
\\domain.local\DFS\Users - dfs folder
I would call this the DFS Link, i.e. not a folder but a reparse point.
[PR] - OK.
Post by DaveMills
Post by p***@community.nospam
\\server1\Users \\server2\Users \\server3\Users - folder targets for Users
DFS Folder
This is not a DFS folder at all but simply the normal shared folder that are the
targets. Am I correct?
[PR] - Correct.
Post by DaveMills
Post by p***@community.nospam
NTFS Permissions for Users folder on each folder target server - Domain
Admins - FULL, System - FULL, Creator Owner - FULL - Subfolder & Files Only,
Domain Users - Traverse Folder/Execute File, List Folder/Read Data, Read
Attributes, Create Folders/Append Data - This Folder Only
Seems OK, Users can create folders then have F/C as the owners.
Now I have no idea why Win7 has a problems with all this. I sure hope an answer
is found as I wish to use Win7 once it goes gold and this issue would be a real
problem. Please let us know if you find the answer.
[PR] - I hope I find the answer. I will post when I do.
Post by DaveMills
Post by p***@community.nospam
SHARE Permissions for Users folder on each folder target server - Domain
Admins - FULL, System - FULL, Domain Users - FULL, Everyone - Read
Thanks!!
Post by DaveMills
Post by p***@community.nospam
OK dug a little deeper and the issues appears to be DFS. I can browse
directly to the target folder on either of the 2 target servers and open
files fine. If however I try to browse via the dfs based name share then I
get an access denied.
\\server1\users\param\My Documents\test.doc - no problem
\\server2\users\param\My Documents\test.doc - no problem
\\domain.local\users\param\My Documents\test.doc - ACCESS DENIED
Any ideas?
The DFS root folder will contain the links. These look like folders but are re
parse points that point to the sever unc names. So I might have
domain.local/users/john --> \\server1\users\john
where domain.local/users is the DFS root and john is the re parse point.
This is accessed as \\domain.local\users\john and when the client reads this it
retrieves the link destination and then opens \\server\users\john.
If you open C:\Users on the DFS server you will see the folder "John"
this
is
the re parse point and if you try to open it you cannot because it is
not
a
folder and can only be open via its UNC name. However it does have NTFS
permissions and these must allow the end user to "read" the re parse
point
info.
Once this info has been read the client can redirect to the target
share.
The
target share also has NTFS permissions and these(plus the share permissions)
determine what the user can do.
It is enough to simply grant "Everyone" read on the re parse point although you
may wish to use different permissions, especially if you want to use
ABE
to
control which links will be displayed to users.
This would be true whatever the client XP, Vista and I presume Windows
7.
It may
be just the Windows 7 user that does not have read permission to the re parse
point.
Post by p***@community.nospam
Post by p***@community.nospam
Hi all,
I have a workstation client running Windows 7 that is having difficulty
opening any documents from the My Documents folder. We are running Windows
2003 SP2 Domain Controller that has all the users My Documents re-directed
via GPO to a DFS based file share. I have verified all the NTFS & Share
permissions are correct. All other clients (Windows XP) have no problems.
However the Windows 7 client cannot open any document (Word, Excel, PDF,
Text etc) and gets an "Access Denied" message. What is weird is if I
navigate directly to the actual server file share (one of the target roots
of the DFS) then everything works fine. I am able to open and save
files
OK.
Any ideas?
--
Dave Mills
There are 10 types of people, those that understand binary and those
that
don't.
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
Continue reading on narkive:
Loading...