Windows 10: NTFS permissions, AD groups, and use of VPN... Unexpected behavior

I have a question I need help to understand. I've been in IT for 20+ years. It has always been my understanding that when adding a user to a new Active Directory group, that group membership is not picked up until the user logs off the machine and logs back on.


Further, this is required to refresh the user's security token so that access granted via use of this group can be allowed, for example to file servers.


As part of my administration, any time I add a user to a group, I instruct them to log off/back on, and everything works as expected.


Today I ran into something I can't explain. With the time of COVID and everyone working from home and over VPN, we've had numerous issues regarding the circumstances above, as our user's VPN connections occur AFTER logon, which means they can never pick up the new security token to reflect their new group memberships.


We've had to resort to work arounds such as using tools like klist /purge or ending task on Explorer, issuing a runas on a new instance of explorer and specifying the user's AD account/password to force them to pick up the new token while the VPN is connected.


This concept was recently challenged as unnecessary. After performing more testing myself, I am astounded by my findings and thoroughly confused.


I have added myself to a new group tied to a file share I currently do not have access to. On my in-office desktop machine, that which I have not logged off yet, and as such I still do not have access to the share. This is expected.


However on my laptop, I disconnected VPN, logged off, logged back on, and then reconnected VPN, and magically I have access to this share. HOW?! I have confirmed through "whoami /groups" that I still do not have the token/membership to this group, yet some how I'm authorized to access this share. I do not understand how this is possible!


Please help me understand.

:)

 

xp ntfs permissions erased - help!

NEVER, ever, remove FULL CONTROL permissions in the Access Control Lists/rights priveleges from:

• Administators Group

• YOUR local Administrator User

• SYSTEM

on NTFS rights on your disks (via Explorer.exe rightclick properties menu, security tab) that use that filesystem, OR in the REGISTRY either, via rightclick on HIVES/KEYS permissions popup menu options...

(Sure way to lock yourself out, period, & I have done it myself early on w/ NTFS filesystems &/or the Registry before... only way to learn sometimes, is making mistakes!)

* Keep this in mind, those of you that start experimenting w/ security @ these 2 levels!

APK

P.S.=> Leaving them @ FULL POWER, in both areas, usually 9/10 times allows you to get back into your rig (logging on as your LOCAL ADMINISTRATOR USER, to fix it), & make alterations to rights/acl's as needed, to "get it right", eventually... especially when you're still learning/experimenting! apk

 

Is this comment regarding NTFS Permissions backwards or is it just me?

So, I'm studying for the CompTIA A+ Core 2 exam and I get this explanation about how NTFS Permissions work. Here it is:

"Both NTFS and share permissions can be assigned to users and groups."

It sounds a little bit backwards to me. Does one actually assign NTFS and share permissions to users and groups? Or is it more accurate to say that users and groups can be assigned to NTFS and Share permissions?

The users and the groups get added to ACL lists. NTFS permissions do not get added to users or groups.

I'm not trying to be a grammar nazi here. I understand what they're trying to teach. But having taken logic in the past I know that you can't just swap word positions interchangeably in every circumstance and not affect the meaning of the sentence.

Am I right or wrong here?

Windows local security policies work in much the same way. I used to think that users and groups had local security policies attached to the users or the groups. But it's the other way around. Users and Groups are assigned to security policy rules.

 

Vpn ( trusted Vpn)

Hi everyone.
I am not an expert about Vpn and that's why I would like to know if someone could list me a few trusted Vpns, I would really appreciate any suggestion/ advice.

Thanks.