Thursday, September 3, 2015

windows - Why does accessing a folder via UNC path share not work but mapping the same path as a drive does?




I have two domains, PRIMARY and EXTERNAL. EXTERNAL has a one-way outgoing trust to PRIMARY so that PRIMARY's users can authenticate in EXTERNAL. Both domains have Windows Server 2008 DCs running at the Windows Server 2003 compatibility level. PRIMARY users are generally stripped of their authentication privileges in EXTERNAL (including PRIMARY domain admins) but the few users with explicit access get the authentication privileges granted.



The EXTERNAL domain controller has a share called Projects on which everyone has full access. The folder is then locked down with ACLs to only allow a few of EXTERNAL's administrative groups. A few levels down in this folder hierarchy, there is a folder where a user (TESTUSER) in PRIMARY is given modify access. The UNC folder path to this folder is \\EXTERNAL-DC\Projects\A\B\C\Target.



When PRIMARY\TESTUSER is logged into a PRIMARY domain-mapped computer with Windows 7, trying to go directly to the path does not work. ("[unc path][new line]The specified path does not exist. Check the path, and then try again.") However, mapping the folder with the exact same path as a drive works, and the appropriate privileges apply (files can be created, etc).



What can I do to enable the UNC path to work? What causes the discrepancy?


Answer



I presume you map the drive to the entire path (e.g. "net use X: \....\Target")?




The UNC doesn't work because the users need read-access to each folder in the UNC path in order to traverse the path.



Mapping to the end-point doesn't require this.
(The access-rights on the parent folders are not evaluated in this case. Only the folder(s) that the user actually "sees".)



Weird? Yes, but that is the way Microsoft designed this.
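To find which folder in the chain is blocking direct UNC access, the per-component check the answer describes can be scripted. This is an added example, not part of the original question or answer; it assumes you run it as an account that can read the ACLs on the EXTERNAL share (for instance an EXTERNAL admin) and that you pass the user's account plus the group names it holds (cross-domain ACEs often show up as raw SIDs rather than names, so pass those too if needed).

```powershell
# Added example: walk a UNC path one folder at a time and report whether the supplied
# identities hold the list/traverse rights needed on each component. Not original code.
function Test-UncTraversal {
    param(
        [Parameter(Mandatory)][string]$UncPath,      # e.g. \\EXTERNAL-DC\Projects\A\B\C\Target
        [Parameter(Mandatory)][string[]]$Identities  # e.g. 'PRIMARY\TESTUSER', group names or SIDs
    )

    # ReadData (= ListDirectory) lets the account enumerate a folder; Traverse lets it pass through.
    $TraverseMask = [System.Security.AccessControl.FileSystemRights]::ReadData -bor
                    [System.Security.AccessControl.FileSystemRights]::Traverse

    # Split \\server\share\A\B into successive prefixes: \\server\share, \\server\share\A, ...
    $parts = $UncPath.TrimEnd('\') -split '\\'
    if ($parts.Count -lt 4 -or $parts[0] -ne '' -or $parts[1] -ne '') {
        throw "Expected a UNC path of the form \\server\share\folder..."
    }
    $prefixes = @()
    for ($i = 3; $i -lt $parts.Count; $i++) {
        $prefixes += ('\\' + (($parts[2..$i]) -join '\'))
    }

    foreach ($folder in $prefixes) {
        try {
            $acl = Get-Acl -LiteralPath $folder
        } catch {
            Write-Output ("{0,-9} {1}  (cannot read ACL: {2})" -f 'UNKNOWN', $folder, $_.Exception.Message)
            continue
        }
        $allow = $false; $deny = $false
        foreach ($ace in $acl.Access) {
            # IdentityReference.Value is 'DOMAIN\name' when resolvable, otherwise an S-1-5-... SID string.
            if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $TraverseMask) -eq 0) { continue }
            if ($ace.AccessControlType -eq 'Deny') { $deny = $true } else { $allow = $true }
        }
        # A Deny ACE wins; 'no entry' means none of the identities appears with list/traverse rights,
        # which is the parent-folder situation the answer describes.
        $verdict = if ($deny) { 'DENIED' } elseif ($allow) { 'ok' } else { 'no entry' }
        Write-Output ("{0,-9} {1}" -f $verdict, $folder)
    }
}

# Constructed usage; adjust the path and identities to your own environment.
Test-UncTraversal -UncPath '\\EXTERNAL-DC\Projects\A\B\C\Target' `
                  -Identities @('PRIMARY\TESTUSER', 'Everyone', 'NT AUTHORITY\Authenticated Users')
```

The first component reporting "no entry" or "DENIED" is where the direct UNC path stops resolving, while a drive mapped to the final folder only needs the last line to read "ok".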

