What is the minimum action required in order to have access to a newly authorized server folder

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












I hope I'm at the right place (right stack exchange website). If not please tell me the right one.



I got new rights on a folder on a Windows server by being added to Active Directory Group for which I didn't had access.



But although I had rights, I was not able to access the folder. I had to logout/login in order for me to have access.



Why so? If it is the server that authorize me according to who I am, then why rebooting my machine (or logoff/login) is required to have access to that folder?



What is the minimum action to do to have access to that folder? Do we absolutely have to logoff/login ?










share|improve this question

























    up vote
    1
    down vote

    favorite












    I hope I'm at the right place (right stack exchange website). If not please tell me the right one.



    I got new rights on a folder on a Windows server by being added to Active Directory Group for which I didn't had access.



    But although I had rights, I was not able to access the folder. I had to logout/login in order for me to have access.



    Why so? If it is the server that authorize me according to who I am, then why rebooting my machine (or logoff/login) is required to have access to that folder?



    What is the minimum action to do to have access to that folder? Do we absolutely have to logoff/login ?










    share|improve this question























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      I hope I'm at the right place (right stack exchange website). If not please tell me the right one.



      I got new rights on a folder on a Windows server by being added to Active Directory Group for which I didn't had access.



      But although I had rights, I was not able to access the folder. I had to logout/login in order for me to have access.



      Why so? If it is the server that authorize me according to who I am, then why rebooting my machine (or logoff/login) is required to have access to that folder?



      What is the minimum action to do to have access to that folder? Do we absolutely have to logoff/login ?










      share|improve this question













      I hope I'm at the right place (right stack exchange website). If not please tell me the right one.



      I got new rights on a folder on a Windows server by being added to Active Directory Group for which I didn't had access.



      But although I had rights, I was not able to access the folder. I had to logout/login in order for me to have access.



      Why so? If it is the server that authorize me according to who I am, then why rebooting my machine (or logoff/login) is required to have access to that folder?



      What is the minimum action to do to have access to that folder? Do we absolutely have to logoff/login ?







      permissions kerberos login directory logoff






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 5 hours ago









      Eric Ouellet

      1388




      1388




















          3 Answers
          3






          active

          oldest

          votes

















          up vote
          1
          down vote



          accepted










          A old text, but please see How Security Groups are Used in Access Control as it explain the process. The token is refreshed when your logoff/login happen



          When a user or group is given permission to access a resource, such as a printer or a file share, the SID of the user or group is added to the access control entry (ACE) defining the granted permission in the resource's discretionary access control list (DACL). In Active Directory Domain Services, each object has an nTSecurityDescriptor attribute that stores a DACL defining the access to that particular object or attributes on that object. For more information about setting access control on objects in Active Directory Domain Services, see Controlling Access to Objects in Active Directory Domain Services.



          When a user logs on to a Windows 2000 domain, the operating system generates an access token. This access token is used to determine which resources the user may access. The user access token includes the following data:



          User SID.



          SIDs of all global and universal security groups that the user is a member of.



          SIDs of all nested global and universal security groups.



          Every process executed on behalf of this user has a copy of this access token.



          When the user attempts to access resources on a computer, the service through which the user accesses the resource will impersonate the user by creating a new access token based on the access token created at user logon time. This new access token will also contain the following SIDs:



          SIDs for all domain local groups in the target domain that the user is a member of.
          SIDs for all machine local groups on the target computer that the user is a member of.
          The service uses this new access token to evaluate access to the resource. If a SID in the access token appears in any ACEs in the DACL, the service gives the user the permissions specified in those ACEs.






          share|improve this answer



























            up vote
            3
            down vote














            But although I had rights, I was not able to access the folder. I had
            to logout/login in order for me to have access.




            That is the expected behavior.




            What is the minimum action to do to have access to that folder? Do we
            absolutely have to logoff/login?




            AFAIK, yes.






            share|improve this answer
















            • 1




              Although your answer is exactly what I expected, I chosen yagmoth555 answer because it give me more information on the reason why and help me better understand the mechanism. But thank you very much. Thumbs up!
              – Eric Ouellet
              4 hours ago






            • 1




              Glad to help...
              – joeqwerty
              4 hours ago

















            up vote
            1
            down vote













            Just as additional information...



            From Perphenazine at ars technica




            Depends on what you mean by
            'permissions'. Do you mean NTFS permissions? If so, they do take
            effect immediately. Do you mean permissions against an AD object? That
            requires a replication interval (a few minutes). Do you mean you
            changed group membership? That always requires a logoff/logon as group
            membership is appended to the kerberos ticket received at
            authentication.







            share|improve this answer




















              Your Answer







              StackExchange.ready(function()
              var channelOptions =
              tags: "".split(" "),
              id: "2"
              ;
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function()
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled)
              StackExchange.using("snippets", function()
              createEditor();
              );

              else
              createEditor();

              );

              function createEditor()
              StackExchange.prepareEditor(
              heartbeatType: 'answer',
              convertImagesToLinks: true,
              noModals: false,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: 10,
              bindNavPrevention: true,
              postfix: "",
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              );



              );













               

              draft saved


              draft discarded


















              StackExchange.ready(
              function ()
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f932623%2fwhat-is-the-minimum-action-required-in-order-to-have-access-to-a-newly-authorize%23new-answer', 'question_page');

              );

              Post as a guest






























              3 Answers
              3






              active

              oldest

              votes








              3 Answers
              3






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes








              up vote
              1
              down vote



              accepted










              A old text, but please see How Security Groups are Used in Access Control as it explain the process. The token is refreshed when your logoff/login happen



              When a user or group is given permission to access a resource, such as a printer or a file share, the SID of the user or group is added to the access control entry (ACE) defining the granted permission in the resource's discretionary access control list (DACL). In Active Directory Domain Services, each object has an nTSecurityDescriptor attribute that stores a DACL defining the access to that particular object or attributes on that object. For more information about setting access control on objects in Active Directory Domain Services, see Controlling Access to Objects in Active Directory Domain Services.



              When a user logs on to a Windows 2000 domain, the operating system generates an access token. This access token is used to determine which resources the user may access. The user access token includes the following data:



              User SID.



              SIDs of all global and universal security groups that the user is a member of.



              SIDs of all nested global and universal security groups.



              Every process executed on behalf of this user has a copy of this access token.



              When the user attempts to access resources on a computer, the service through which the user accesses the resource will impersonate the user by creating a new access token based on the access token created at user logon time. This new access token will also contain the following SIDs:



              SIDs for all domain local groups in the target domain that the user is a member of.
              SIDs for all machine local groups on the target computer that the user is a member of.
              The service uses this new access token to evaluate access to the resource. If a SID in the access token appears in any ACEs in the DACL, the service gives the user the permissions specified in those ACEs.






              share|improve this answer
























                up vote
                1
                down vote



                accepted










                A old text, but please see How Security Groups are Used in Access Control as it explain the process. The token is refreshed when your logoff/login happen



                When a user or group is given permission to access a resource, such as a printer or a file share, the SID of the user or group is added to the access control entry (ACE) defining the granted permission in the resource's discretionary access control list (DACL). In Active Directory Domain Services, each object has an nTSecurityDescriptor attribute that stores a DACL defining the access to that particular object or attributes on that object. For more information about setting access control on objects in Active Directory Domain Services, see Controlling Access to Objects in Active Directory Domain Services.



                When a user logs on to a Windows 2000 domain, the operating system generates an access token. This access token is used to determine which resources the user may access. The user access token includes the following data:



                User SID.



                SIDs of all global and universal security groups that the user is a member of.



                SIDs of all nested global and universal security groups.



                Every process executed on behalf of this user has a copy of this access token.



                When the user attempts to access resources on a computer, the service through which the user accesses the resource will impersonate the user by creating a new access token based on the access token created at user logon time. This new access token will also contain the following SIDs:



                SIDs for all domain local groups in the target domain that the user is a member of.
                SIDs for all machine local groups on the target computer that the user is a member of.
                The service uses this new access token to evaluate access to the resource. If a SID in the access token appears in any ACEs in the DACL, the service gives the user the permissions specified in those ACEs.






                share|improve this answer






















                  up vote
                  1
                  down vote



                  accepted







                  up vote
                  1
                  down vote



                  accepted






                  A old text, but please see How Security Groups are Used in Access Control as it explain the process. The token is refreshed when your logoff/login happen



                  When a user or group is given permission to access a resource, such as a printer or a file share, the SID of the user or group is added to the access control entry (ACE) defining the granted permission in the resource's discretionary access control list (DACL). In Active Directory Domain Services, each object has an nTSecurityDescriptor attribute that stores a DACL defining the access to that particular object or attributes on that object. For more information about setting access control on objects in Active Directory Domain Services, see Controlling Access to Objects in Active Directory Domain Services.



                  When a user logs on to a Windows 2000 domain, the operating system generates an access token. This access token is used to determine which resources the user may access. The user access token includes the following data:



                  User SID.



                  SIDs of all global and universal security groups that the user is a member of.



                  SIDs of all nested global and universal security groups.



                  Every process executed on behalf of this user has a copy of this access token.



                  When the user attempts to access resources on a computer, the service through which the user accesses the resource will impersonate the user by creating a new access token based on the access token created at user logon time. This new access token will also contain the following SIDs:



                  SIDs for all domain local groups in the target domain that the user is a member of.
                  SIDs for all machine local groups on the target computer that the user is a member of.
                  The service uses this new access token to evaluate access to the resource. If a SID in the access token appears in any ACEs in the DACL, the service gives the user the permissions specified in those ACEs.






                  share|improve this answer












                  A old text, but please see How Security Groups are Used in Access Control as it explain the process. The token is refreshed when your logoff/login happen



                  When a user or group is given permission to access a resource, such as a printer or a file share, the SID of the user or group is added to the access control entry (ACE) defining the granted permission in the resource's discretionary access control list (DACL). In Active Directory Domain Services, each object has an nTSecurityDescriptor attribute that stores a DACL defining the access to that particular object or attributes on that object. For more information about setting access control on objects in Active Directory Domain Services, see Controlling Access to Objects in Active Directory Domain Services.



                  When a user logs on to a Windows 2000 domain, the operating system generates an access token. This access token is used to determine which resources the user may access. The user access token includes the following data:



                  User SID.



                  SIDs of all global and universal security groups that the user is a member of.



                  SIDs of all nested global and universal security groups.



                  Every process executed on behalf of this user has a copy of this access token.



                  When the user attempts to access resources on a computer, the service through which the user accesses the resource will impersonate the user by creating a new access token based on the access token created at user logon time. This new access token will also contain the following SIDs:



                  SIDs for all domain local groups in the target domain that the user is a member of.
                  SIDs for all machine local groups on the target computer that the user is a member of.
                  The service uses this new access token to evaluate access to the resource. If a SID in the access token appears in any ACEs in the DACL, the service gives the user the permissions specified in those ACEs.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered 4 hours ago









                  yagmoth555

                  10.6k31440




                  10.6k31440






















                      up vote
                      3
                      down vote














                      But although I had rights, I was not able to access the folder. I had
                      to logout/login in order for me to have access.




                      That is the expected behavior.




                      What is the minimum action to do to have access to that folder? Do we
                      absolutely have to logoff/login?




                      AFAIK, yes.






                      share|improve this answer
















                      • 1




                        Although your answer is exactly what I expected, I chosen yagmoth555 answer because it give me more information on the reason why and help me better understand the mechanism. But thank you very much. Thumbs up!
                        – Eric Ouellet
                        4 hours ago






                      • 1




                        Glad to help...
                        – joeqwerty
                        4 hours ago














                      up vote
                      3
                      down vote














                      But although I had rights, I was not able to access the folder. I had
                      to logout/login in order for me to have access.




                      That is the expected behavior.




                      What is the minimum action to do to have access to that folder? Do we
                      absolutely have to logoff/login?




                      AFAIK, yes.






                      share|improve this answer
















                      • 1




                        Although your answer is exactly what I expected, I chosen yagmoth555 answer because it give me more information on the reason why and help me better understand the mechanism. But thank you very much. Thumbs up!
                        – Eric Ouellet
                        4 hours ago






                      • 1




                        Glad to help...
                        – joeqwerty
                        4 hours ago












                      up vote
                      3
                      down vote










                      up vote
                      3
                      down vote










                      But although I had rights, I was not able to access the folder. I had
                      to logout/login in order for me to have access.




                      That is the expected behavior.




                      What is the minimum action to do to have access to that folder? Do we
                      absolutely have to logoff/login?




                      AFAIK, yes.






                      share|improve this answer













                      But although I had rights, I was not able to access the folder. I had
                      to logout/login in order for me to have access.




                      That is the expected behavior.




                      What is the minimum action to do to have access to that folder? Do we
                      absolutely have to logoff/login?




                      AFAIK, yes.







                      share|improve this answer












                      share|improve this answer



                      share|improve this answer










                      answered 4 hours ago









                      joeqwerty

                      93.6k362146




                      93.6k362146







                      • 1




                        Although your answer is exactly what I expected, I chosen yagmoth555 answer because it give me more information on the reason why and help me better understand the mechanism. But thank you very much. Thumbs up!
                        – Eric Ouellet
                        4 hours ago






                      • 1




                        Glad to help...
                        – joeqwerty
                        4 hours ago












                      • 1




                        Although your answer is exactly what I expected, I chosen yagmoth555 answer because it give me more information on the reason why and help me better understand the mechanism. But thank you very much. Thumbs up!
                        – Eric Ouellet
                        4 hours ago






                      • 1




                        Glad to help...
                        – joeqwerty
                        4 hours ago







                      1




                      1




                      Although your answer is exactly what I expected, I chosen yagmoth555 answer because it give me more information on the reason why and help me better understand the mechanism. But thank you very much. Thumbs up!
                      – Eric Ouellet
                      4 hours ago




                      Although your answer is exactly what I expected, I chosen yagmoth555 answer because it give me more information on the reason why and help me better understand the mechanism. But thank you very much. Thumbs up!
                      – Eric Ouellet
                      4 hours ago




                      1




                      1




                      Glad to help...
                      – joeqwerty
                      4 hours ago




                      Glad to help...
                      – joeqwerty
                      4 hours ago










                      up vote
                      1
                      down vote













                      Just as additional information...



                      From Perphenazine at ars technica




                      Depends on what you mean by
                      'permissions'. Do you mean NTFS permissions? If so, they do take
                      effect immediately. Do you mean permissions against an AD object? That
                      requires a replication interval (a few minutes). Do you mean you
                      changed group membership? That always requires a logoff/logon as group
                      membership is appended to the kerberos ticket received at
                      authentication.







                      share|improve this answer
























                        up vote
                        1
                        down vote













                        Just as additional information...



                        From Perphenazine at ars technica




                        Depends on what you mean by
                        'permissions'. Do you mean NTFS permissions? If so, they do take
                        effect immediately. Do you mean permissions against an AD object? That
                        requires a replication interval (a few minutes). Do you mean you
                        changed group membership? That always requires a logoff/logon as group
                        membership is appended to the kerberos ticket received at
                        authentication.







                        share|improve this answer






















                          up vote
                          1
                          down vote










                          up vote
                          1
                          down vote









                          Just as additional information...



                          From Perphenazine at ars technica




                          Depends on what you mean by
                          'permissions'. Do you mean NTFS permissions? If so, they do take
                          effect immediately. Do you mean permissions against an AD object? That
                          requires a replication interval (a few minutes). Do you mean you
                          changed group membership? That always requires a logoff/logon as group
                          membership is appended to the kerberos ticket received at
                          authentication.







                          share|improve this answer












                          Just as additional information...



                          From Perphenazine at ars technica




                          Depends on what you mean by
                          'permissions'. Do you mean NTFS permissions? If so, they do take
                          effect immediately. Do you mean permissions against an AD object? That
                          requires a replication interval (a few minutes). Do you mean you
                          changed group membership? That always requires a logoff/logon as group
                          membership is appended to the kerberos ticket received at
                          authentication.








                          share|improve this answer












                          share|improve this answer



                          share|improve this answer










                          answered 4 hours ago









                          Eric Ouellet

                          1388




                          1388



























                               

                              draft saved


                              draft discarded















































                               


                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function ()
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f932623%2fwhat-is-the-minimum-action-required-in-order-to-have-access-to-a-newly-authorize%23new-answer', 'question_page');

                              );

                              Post as a guest













































































                              Comments

                              Popular posts from this blog

                              What does second last employer means? [closed]

                              Installing NextGIS Connect into QGIS 3?

                              One-line joke