Отказ в доступе при доступе к SMB-файлу в Windows

В этой статье помогают устранить ошибку с отказом в доступе, которая возникает при доступе к файлу Блока сообщений сервера (SMB).

Оригинальная версия продукта: Windows Server 2012 R2, Windows 7 Пакет обновления 1
Исходный номер КБ: 3035936

Симптомы

При попытке получить доступ к определенной папке, расположенной на файлере сетевого устройства (NetApp) или Windows Server, который поддерживает SMB2 из системы Windows через протокол SMB Версии 2, доступ отклоняется. Эта проблема возникает в следующей версии Windows:

• Windows 8.1
• Windows Server 2012 R2
• Windows 8
• Windows Server 2012
• Windows 7
• Windows Server 2008 R2
• Windows Vista
• Windows Server 2008

Эта проблема не возникает, если отключить протокол SMB2 для клиента или использовать клиент Windows SMB, например Windows XP или Windows Server 2003.

Причина

Эта проблема возникает из-за того, что в целевой папке в SMB-папке отсутствуют записи управления доступом SYNCHRONIZE.

Решение

Чтобы устранить эту проблему, используйте утилиту ICACLS для набора нужных разрешений, содержащих бит Синхронизация.

Например, в командной подсказке введите следующую команду и нажмите кнопку ENTER:

Разделенный запятой список в скобки определенных прав:

• RC — управление чтением
• RD — каталог считываний данных и списков
• REA — расширенные атрибуты чтения
• RA — атрибуты чтения
• X — выполнение/обход
• S — Синхронизация

Устранение неполадок

Для проверки и устранения неполадок можно использовать следующие методы.

Убедитесь, что в файле NetApp установлен бит синхронизации в папке.

Сетевой след может показать ошибку DesiredAccess для процесса создания SMB2 в папке пакета Запрос и Ответ.

Средство AccessChk.exe доступно на сайте Windows Sysinternals для чтения параметров разрешений.

Например, выполните следующую команду:

Затем можно увидеть следующий результат, который показывает набор бита SYNCHRONIZE:

Заявление об отказе от ответственности за сведения о продуктах сторонних производителей

В этой статье упомянуты программные продукты независимых производителей. Корпорация Майкрософт не дает никаких гарантий, подразумеваемых и прочих, относительно производительности и надежности этих продуктов.

Access Denied when you access an SMB file share in Windows

This article helps fix the Access Denied error that occurs when you access a Server Message Block (SMB) file share.

Original product version: В Windows Server 2012 R2, Windows 7 Service Pack 1
Original KB number: В 3035936

Symptoms

When you try to access a specific folder that’s located on a Network Appliance (NetApp) Filer or a Windows Server that supports SMB2 from a Windows-based system through the SMB Version 2 protocol, the access is denied. This issue occurs in the following version of Windows:

• Windows 8.1
• Windows Server 2012 R2
• Windows 8
• Windows Server 2012
• Windows 7
• Windows Server 2008 R2
• Windows Vista
• Windows Server 2008

This issue doesn’t occur if you disable the SMB2 protocol on the client or use a Windows SMB client, such as Windows XP or Windows Server 2003.

Cause

This issue occurs because the target folder on the SMB share is missing the SYNCHRONIZE access control entries.

Resolution

To resolve this issue, use the ICACLS utility to set the desired permissions that contain the Synchronize bit.

For example, at a command prompt, type the following command, and then press ENTER:

A comma-separated list in parentheses of specific rights:

• RC — read control
• RD — read data/list directory
• REA — read extended attributes
• RA — read attributes
• X — execute/traverse
• S — Synchronize

Troubleshooting

You can use the following methods to verify and troubleshoot the issue.

Verify that the NetApp Filer has the Synchronize bit set on the folder.

A network trace can show the DesiredAccess error for the SMB2 CREATE process on the folder for the Request and Response packet.

The AccessChk.exe tool is available on Windows Sysinternals site for reading out the permission settings.

For example, run the following command:

Then, you can see the following result that shows the SYNCHRONIZE bit is set:

See the behavior of the SYNCHRONIZE bit on Windows SMB2 clients.

Third-party information disclaimer

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

SOLUTION: How to fix ‘Access Denied’ error with Windows 7 shares!!

Here’s how to fix Windows 7 Network Share Access Denied error!!

I got this error when trying to view Windows 7 files from my Xbox XBMC, Windows XP and other Windows 7 computers.
I had the same user names on my other computers as the main computer and still couldn’t access the files. I also had admin rights and setup the control panel’s Network & Sharing Center with the options on every other forum. None of that worked for me!

If you’ve tried every other method like turning password sharing off, file sharing on, etc. try this!

The problem I had was that there were too many users listed under the drive’s security tab.
This is not a thoroughly detailed description, but it should get you going if you have some advanced windows experience.

1. Right click on the hard drive/folder that you are trying to share and click on Properties
2. Click on the Security tab
3. On my computer I had some strange listings under the «Group or user names» box
4. You ‘should’ only have these listed:
   • Authenticated Users
   • SYSTEM
   • Administrators (-your comp\username)
   • Users (-your comp\username-)
   • CREATOR OWNER
   • Everyone
   • WMPNetworkSVC
   • *note: I may have missed a few important names as each folder has its own set
5. Any users with REALLY long names are fake. YOU need to remove those users from the list.Click the EDIT tab, click the name and click remove
6. Your computer may scan some files, let it finish.
7. Add any missing users you have to (such as CREATOR OWNER, Everyone. ones you think you may want/need)
8. Click OK and get out of every box, restart your computer and check to see if the problem is solved!

If it works for you, let me know! I was very frustrated when I couldn’t find a solution anywhere and just figured this out.

Now if I could only figure out why my video shares are so choppy.

Error when you try to access an administrative share on a Windows Vista-based computer from another Windows Vista-based computer that’s a member of a workgroup: Logon unsuccessful: Windows is unable to log you on

This article describes a logon unsuccessful behavior when you try to access an administrative share on a Windows Vista-based computer from another Windows Vista-based computer that’s a member of a workgroup.

Original product version: В Windows Vista
Original KB number: В 947232

Support for Windows Vista without any service packs installed ended on April 13, 2010. To continue receiving security updates for Windows, make sure you’re running Windows Vista with Service Pack 2 (SP2). For more information, see this Microsoft web page: Support is ending for some versions of Windows.

Error message description

Consider the following scenario:

• You work on a Windows Vista-based computer that’s a member of a workgroup.
• From this computer, you try to access an administrative share that’s located on another Windows Vista-based computer.
• The computer that you try to access is a member of a workgroup or a member of a domain. For example, you try to access the C$ administrative share.
• When you’re prompted for your user credentials, you provide the user credentials of an administrative user account on the destination computer.

In this scenario, you receive the following error message:

Logon unsuccessful:
Windows is unable to log you on.
Make sure that your user name and password are correct.

If you try to map a network drive to the administrative share by using the Net Use command, you receive the following error message after you provide the correct credentials:

System error 5
has occurred. Access is denied.

Cause

By default, Windows Vista and newer versions of Windows prevent local accounts from accessing administrative shares through the network.

Resolution

To let users have access, we recommend that you create shares on the Windows Vista-based computer by using the appropriate permissions. If, for some reason, you can’t apply this resolution, you might want to try the workaround.

To share a folder on a Windows Vista-based computer that has file sharing enabled, follow these steps:

Click Start > Computer.

Locate the folder that you want to share.

Right-click the folder that you want to share, and then click Share.

If you have password protected sharing enabled, select which users can access the shared folder and their permission level. To let all users have access, select Everyone in the list of users. By default, the permission level is «Reader.» Users who have this permission level can’t change files or create new files in the share. To let a user change files, change folders, create new files, and create new folders, use the «Co-owner» permission level.

If you have password protected sharing disabled, select the Guest account or the Everyone account. This is the same as simple sharing in Windows XP.

Click Share > Done.

Workaround

To allow administrative share access in a workgroup for Windows, use the following workaround.

This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

Click Start, type regedit in the Start Search box, and then press Enter.

If you’re prompted for an administrator password or for confirmation, type the password or provide confirmation.

Locate and then click the following registry subkey:

On the Edit menu, point to New, and then click DWORD (32-bit) Value.

Type LocalAccountTokenFilterPolicy to name the new entry, and then press Enter.

Right-click LocalAccountTokenFilterPolicy, and then click Modify.

In the Value data box, type 1, and then click OK.

Exit Registry Editor.

The LocalAccountTokenFilterPolicy entry in the registry can have a value of 0 or 1. These values set the behavior of the entry as follows:

• 0 = build a filtered token

This is the default value. The administrator credentials are removed. These credentials are required for remote administration of the print drivers.

• 1 = build an elevated token

This value enables the remote administration of the print drivers on a server within a workgroup.

Did this fix the problem?

Check whether the problem is fixed. If it’s fixed, you’re finished with this article. If it isn’t fixed, you can contact support.

Status

This behavior is by design.

More information

When the destination Windows Vista-based computer and the computer from which you want to access the administrative share are on the same domain, you can access the share by using domain administrator credentials.

You can’t access this administrative share if the destination Windows Vista-based computer is joined to a domain and you try to connect to it by using a computer that is joined to a workgroup. This is true even if you supply correct domain administrator credentials for the domain where the destination computer is located.

For more information about how to share folders or printers in Windows Vista, visit the following Microsoft Web site:

Getting Access is Denied when accessing Windows 7 share from Windows XP

I have a Windows 7 system that is in a Workgroup. I have shared the C root with a sharename called CDrive. I am trying to access this share with a Windows XP system that is enrolled in a Domain.

From the XP system command prompt, I call net use z: \\win7system\cdrive /user:myuser (myuser is an administrator account on Win7System). The net use completes successfully, however, when I try to access the shared drive I get a message «Access is denied». Why is this happenning and how can I correct it?

Note: I am able to access the pre-defined homegroup shares, but not the C Root share that I set up through WIndows Explorer.

I have seen other posts on similar sharing issues with Windows 7 and XP, but most seem to indicate that both the XP and Windows 7 system must belong in the same workgroup. What about if they do not like in my case?

Hello,
sorry for my English, but i have found answer to your question. Solution is realy easy just a one key in registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
create or modify 32-bit DWORD: LocalAccountTokenFilterPolicy
set the value to: 1

Thats all folks
Tom

58 people found this reply helpful

Was this reply helpful?

Sorry this didn’t help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this reply?

Thanks for your feedback.

You can only use Homegroup with other Win7 computers. You’ll need to disable the Homegroup and use regular network sharing in your case.

In Windows 7, go to Control Panel>All Control Panel Items>Network and Sharing Center. Click on «Change advanced sharing settings».

Turn ON network discovery
Turn ON file and printer sharing
Turn ON sharing in the Public folder sharing section
Turn ON password protected sharing

Create matching user accounts and passwords on all machines. You do not need to be logged into the same account on all machines and the passwords assigned to each user account can be different; the accounts/passwords just need to exist and match on all machines. DO NOT NEGLECT TO CREATE PASSWORDS, EVEN IF ONLY SIMPLE ONES . If you wish a machine to boot directly to the Desktop (into one particular user’s account) for convenience, you can do this:

Start>Search box>type: netplwiz [enter]
Click on Continue (or supply an administrator’s password) when prompted by UAC

Uncheck the option «Users must enter a user name and password to use this computer». Select a user account to automatically log on by clicking on the desired account to highlight it and then hit OK. Enter the correct password for that user account (if there is one) when prompted. Leave it blank if there is no password (null).

For XP — Configure Windows to Automatically Login (MVP Ramesh) — http://windowsxp.mvps.org/Autologon.htm

If one or more of the computers on your network is XP Pro or Media Center, turn off Simple File Sharing (Folder Options>View tab).

In addition, sharing out the root of drives is not best practice since it is a security issue. The information from Michael Bell (MS) below is for Vista but is also applicable to Win7:

«When you share out the root of a drive in Vista, the UI only allows this through the advanced sharing option. When the advanced sharing option is used it only sets the share permissions. The actual permissions on a file share are a combination of Folder and Share permissions. In Vista the everyone group doesn not have permissions so when you connect without a password the system you can see the folders but not access them or possibly connect to the share but fail to open it.

1. Open Computer
2. Right click on the shared drive and select properties from the context menu
3. Select the Security Tab in the displayed properties sheet.

If you are connecting to the computer with no password then you are connecting with the guest account. In order to access the files on the drive, the everyone group needs to have access set here.»

MS-MVP — Elephant Boy Computers — Don’t Panic!