Access to shared folder works fine in all Windows executables, except in cmd.exe

Anonymous
2023-11-20T15:44:56+00:00

Hi all!

Due to a very particular and infrequent situation in a legacy system (an old Delphi fat client) we discovered that our domain is applying policies that lead to the following behavior:

  • Permissions on file server: \\server\share has: Share Permissions -> Everyone: Full Control / NTFS (Security) Permissions -> ExampleReadOnlyUserGroup: Read-Only.
  • If access to \\server\share is done through File Explorer, run.exe or PowerShell with a user who is a member of ExampleReadOnlyUserGroup, everything works as expected.
  • If access to the same UNC is done via command prompt (cmd.exe), the "Access is denied" error occurs.
  • Still within the same prompt, if I map the UNC as a network drive and access the drive (let's say: dir Z:), it works as expected. But, even after mapping, if I try a dir \\server\share the access denied error still occurs.
  • Only if I grant Full Control access in NTFS permissions to ExampleReadOnlyUserGroup in the shared folder does the dir \\server\share start to work (write access doesn't, only Full).

My reason for suspecting that the problem has to do with cmd.exe and GPO restrictions is that the last time this procedure was performed by the application was before we migrated to a new domain that has more restrictive GPOs (based on DoD GPOs). I was able to isolate the cmd.exe issue because we know that the code instantiates cmd.exe to perform tasks using UNC. We didn't notice before that we were unable to perform UNC operations via the prompt because it is no longer usual for us and all our older scripts were already converted to PowerShell a long time ago. This behaviour occurs when trying to access any server in the domain from any workstation with any user, not only in this particular application share. Only if the user has Full Access can he/she access the share.

Another curious fact is that using pushd or using "net use" without specifying a drive letter (i.e. net use \\server\share) also gives access denied on both the drive and the UNC.

Changing the application code is unfeasible, as the software house no longer exists.

Any suggestions? Thanks in advance.

Windows Server Identity and access Deploy group policy objects

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


9 answers

  1. Anonymous
    2023-11-21T03:01:28+00:00

    Hello Thiago Duarte2,

    Thank you for posting in Microsoft Community forum.

    1. What did you mean by restrictive GPOs (based on DoD GPOs)?
    2. Do you know the settings within restrictive GPOs (based on DoD GPOs)?
    3. Could you find what setting/settings within restrictive GPOs (based on DoD GPOs) control the problem? If so, you can try to remove/delete this setting and check if it helps.

    If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

  2. Anonymous
    2023-11-21T15:22:14+00:00

    Hi Daisy!

    Thank you for your time.

    1. What did you mean by restrictive GPOs (based on DoD GPOs)?

    I meant we are using fewer default options in GPOs than in the previous domain. About DoD, I meant we use them (https://public.cyber.mil/stigs/gpo/) as a reference for the GPOs in this new domain.

    2. Do you know the settings within restrictive GPOs (based on DoD GPOs)?

    I understand them reasonably well, but I really can't figure out what could deny access to a UNC through cmd.exe and allow mapping it with net use. If anyone asked me how to let a user use cmd.exe and let him/her map a drive using net use but deny him/her doing a dir, copy etc. on a UNC, I really wouldn't know how to achieve it. By the way, I googled it and didn't find an answer.

    3. Could you find what setting/settings within restrictive GPOs (based on DoD GPOs) control the problem? If so, you can try to remove/delete this setting and check if it helps.

    This is the point; I can't find it to try to remove/delete it.

    Thank you again.

  3. Anonymous
    2023-11-22T01:18:32+00:00

    Hello Thiago Duarte2,

    Thank you for your reply.

    Because it is a third-party GPO, we do not know much about it, as mentioned in the link, I suggest you try to test in your similar lab and try to find which setting causes the issue.

    Best Regards,
    Daisy Zhou

  4. Anonymous
    2023-11-22T13:38:28+00:00

    Hi again!

    They aren't exactly third-party GPOs in the sense of custom admx templates (moreover, they have some custom admx, but I checked them and they have nothing to do with the problem)... they are the default templates with predefined settings.

  5. Anonymous
    2023-11-23T02:00:54+00:00

    Hello Thiago Duarte2,

    Thank you for your reply.

    Did the issue occur on all the domain users and all the domain computers?

    I am sorry, maybe I cannot help you find the specific setting that caused the issue, because I have no such similar environment as you. However, I can give you some suggestions, then you can try to check if it helps.

    On one test user or one test machine (because we do not know if the user setting or computer setting caused the issue).

    Would you please check if you remove/delete restrictive GPOs (based on DoD GPOs) on one user or on one computer, then check if the issue persists.

    If you remove/delete restrictive GPOs (based on DoD GPOs), the issue disappears.
    Can we export the user settings and the computer settings in your new domain?

    Not sure if the gpresult includes the restrictive GPOs (based on DoD GPOs).

    For checking Computer Configuration within gpresult, we can follow steps below.

    Log on to this machine using an administrator account.

    Open CMD (run as Administrator).

    Type gpresult /h C:\gpo.html and press Enter.

    Open gpo.html and check the GPO settings under "Computer Details".

    For checking User Configurations within gpresult, we can follow steps below.

    Log on to the machine using a normal domain user account.

    Create a folder named F1.

    Open CMD (do not run as Administrator).

    Type gpresult /h C:\F1\gpo.html and press Enter.

    Open gpo.html and check the GPO settings under "User Details".

    If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou
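
The two gpresult runs described in the answer above, scripted as an added example (not part of the thread and not Microsoft's code): it exports one XML report per scope and lists the GPOs each report names, so a report from an affected workstation can be compared with one from a test machine. The output folder, the function names `Export-Rsop` and `Get-RsopGpo`, and the XML element names read from the report are assumptions.

```powershell
# Added example: export RSoP per scope with gpresult and list the GPOs in each report.
# Element names (ComputerResults, UserResults, GPO, Name, ...) are assumptions about
# the gpresult /x layout; open the XML and adjust them if your report differs.
param(
    [string]$OutDir = "$env:TEMP\rsop"   # hypothetical output folder
)

function Export-Rsop {
    param([ValidateSet('user','computer')][string]$Scope, [string]$Dir)
    $path = Join-Path $Dir "rsop-$Scope.xml"
    # /scope limits the report to one side; /x writes XML; /f overwrites an old file
    & gpresult.exe /scope $Scope /x $path /f | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "gpresult failed for scope '$Scope' (computer scope needs an elevated prompt)"
        return $null
    }
    return $path
}

function Get-RsopGpo {
    param([string]$Path)
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($Path)    # honours the file's own encoding declaration
    # local-name() avoids hard-coding the report's XML namespace
    $xpath = "/*/*[local-name()='ComputerResults' or local-name()='UserResults']" +
             "/*[local-name()='GPO']"
    foreach ($gpo in $doc.SelectNodes($xpath)) {
        $field = @{}
        foreach ($child in $gpo.ChildNodes) { $field[$child.LocalName] = $child.InnerText }
        [pscustomobject]@{
            Scope         = $gpo.ParentNode.LocalName
            Name          = $field['Name']
            Enabled       = $field['Enabled']
            FilterAllowed = $field['FilterAllowed']
            AccessDenied  = $field['AccessDenied']
        }
    }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$reports = foreach ($scope in 'user','computer') { Export-Rsop -Scope $scope -Dir $OutDir }
$reports | Where-Object { $_ } | ForEach-Object { Get-RsopGpo -Path $_ } |
    Sort-Object Scope, Name | Format-Table -AutoSize
```

Run it once as the affected user from a non-elevated prompt (user scope) and once elevated (computer scope); an elevated run under a different account reports that account's user policy, not the affected user's.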
