Accessing Resources
Flow of resource access is what happens when a user tries to access any Windows 2000/XP Server or Windows Server 2003 object. The object can be a share, a file, or a network printer. By understanding resource access, you can more effectively troubleshoot access problems.
As stated earlier, when a user logs on to a Windows 2000/XP Server or Windows Server 2003 computer, an access token is created. The access token is created only at logon. The access token identifies the user and any groups that the user belongs to. If the user is added to a group after they have already logged on, the user has to log off and log on again in order for the access token to be updated.
When the user attempts to access a resource, Windows checks the Access Control List (ACL), which identifies the users and groups that can access the resource. The ACL is part of the object and determines whether the user has permission to access the resource from a user or group permission assignment.
If the user is on the ACL, the system checks the Access Control Entries (ACE) to see which permissions the user should be granted based on user and group assignments. If the user has a Read-Deny listed in the ACE, Windows will not even check for other Read permissions.
| Tip | A common error in access assignment occurs when a user fails to log off and then log on again before accessing a resource for which they have a new permission. Whenever you make new group assignments, you should advise users to log off and log on again. Many users do not realize that this is required to update the user's access token with the new group assignment. |
|
|
