Hi all,
I have a question that someone can hopefully provide some resolution to.
---
Scenario (please note there are 2 different domains, A and B):
1) I create a Global Group in "Domain A" called "GG_A"
2) I add a user from "Domain A" called "USER_A" to "GG_A"
3) I add "GG_A" to a shared resource in "Domain B"
4) I instruct "USER_A" to log off their workstation and log back in.
At this point, when "USER_A" logs back in, their security token will reflect their membership in "GG_A". They are now able to successfully access the shared resource in "Domain B" which has the "GG_A" in the ACL.
---
Problem Scenario:
I understand that it is against best practices to use Global Groups to assign permissions to local resources. To conform to best practices, I do the following:
1) In "Domain B", I create a Domain Local Group titled "DLG_B"
2) I add "GG_A" as a member of "DLG_B"
3) I re-permission the resource in "Domain B" to remove the ACE referencing "GG_A" and replace that with an ACE that references "DLG_B"
---
The Problem:
1) As soon as I re-permission the resource in "Domain B", "USER_A" instantly loses access to the resource (Access Denied).
2) If "USER_A" logs off and logs back on, access is restored and everyone is happy.
---
The Question:
If "USER_A" already has membership in "GG_A" in their access token, what difference does it make if that group is then made a member of a different group, which is then assigned as an ACE on a resource?
More to the point, why does access break, and why is it restored again when the user recycles their access token, even though their membership in "GG_A" never changed?
Is it because the resource is in a different domain? Is the global catalog somehow involved? Does the SID of the new DLG_B need to be added to the token?
Any insight would be greatly appreciated!
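As an added example, not part of the post above: the two-domain procedure described in the question written out in PowerShell (RSAT ActiveDirectory module), followed by the checks a practitioner would run on USER_A's workstation to see where the DLG_B SID does and does not appear. All names (contoso.com / CONTOSO for Domain A, fabrikam.com / FABRIKAM for Domain B, the OU paths, the server fs01 and the share Projects) are assumptions; the post gives none of them. The script assumes a two-way trust between the two domains and rights to create groups in both and to change the ACL on the share.

```powershell
# Added example; not from the original post. Every domain, OU, server and
# share name below is an assumption chosen for illustration.

$DomainA   = 'contoso.com'                     # assumption: "Domain A"
$DomainB   = 'fabrikam.com'                    # assumption: "Domain B"
$SharePath = '\\fs01.fabrikam.com\Projects'    # assumption: the resource in Domain B

# --- Original scenario: global group in Domain A, permissioned directly ---
New-ADGroup -Name 'GG_A' -GroupScope Global -Server $DomainA `
            -Path 'OU=Groups,DC=contoso,DC=com'                 # assumption: OU
Add-ADGroupMember -Identity 'GG_A' -Members 'USER_A' -Server $DomainA

# --- Best-practice rework: domain local group in Domain B with GG_A nested ---
New-ADGroup -Name 'DLG_B' -GroupScope DomainLocal -Server $DomainB `
            -Path 'OU=Groups,DC=fabrikam,DC=com'                # assumption: OU
# Cross-domain nesting: resolve GG_A against a Domain A DC first and pass the
# object, so the Domain B DC receives the foreign principal by SID/DN instead
# of searching for the name "GG_A" in its own domain.
$ggA = Get-ADGroup -Identity 'GG_A' -Server $DomainA
Add-ADGroupMember -Identity 'DLG_B' -Members $ggA -Server $DomainB

# --- Re-permission the resource: remove the GG_A ACE, add a DLG_B ACE ---
$ggAccount  = New-Object System.Security.Principal.NTAccount('CONTOSO',  'GG_A')   # assumption: NetBIOS name
$dlgAccount = New-Object System.Security.Principal.NTAccount('FABRIKAM', 'DLG_B')  # assumption: NetBIOS name
$inherit    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate  = [System.Security.AccessControl.PropagationFlags]::None

$acl = Get-Acl -Path $SharePath
$acl.Access |
    Where-Object { $_.IdentityReference -eq $ggAccount } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $dlgAccount, 'Modify', $inherit, $propagate, 'Allow')))
Set-Acl -Path $SharePath -AclObject $acl

# --- Checks, run as USER_A on the Domain A workstation ---
# 1) The interactive logon token carries GG_A but never DLG_B: a domain local
#    group is only added to tokens built inside its own domain, so a Domain A
#    workstation token shows no FABRIKAM\DLG_B line before or after the change.
whoami /groups | Select-String -Pattern 'GG_A|DLG_B'

# 2) The Kerberos service ticket for the Domain B file server is cached from
#    the earlier connection; its PAC was built when the ticket was issued, i.e.
#    before GG_A was nested into DLG_B, so it has no resource-group entry for
#    DLG_B. Listing it shows the ticket that the Access Denied is evaluated
#    against.
klist | Select-String -Pattern 'fabrikam'

# 3) Dropping the SMB session and the cached ticket forces a fresh TGS request
#    to Domain B, whose DC adds DLG_B (a domain local group of the resource
#    domain) to the new ticket's PAC. This is the part of "log off and back on"
#    that matters for the resource; the logon token itself is unchanged.
net use $SharePath /delete 2>$null
klist purge
Get-ChildItem -Path $SharePath | Select-Object -First 5
```

The order of the three checks is the point: the first shows that the change never touches the workstation token the question is asking about, the second shows what the file server was actually handed, and the third reproduces the effect of the logoff/logon without a logoff. If the share is reached over NTLM rather than Kerberos there is no ticket to purge; the SMB session teardown in step 3 still makes the server build a fresh token at the next session setup.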