Newsroom Update

Beginning in May, a special Today at Apple series titled “Made for Business” will offer small business owners and entrepreneurs free opportunities to learn how Apple products and services can support their growth and success. Learn more >

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: NateKruser
NateKruser Author
User level: Level 1
0 points

Removing user from group in WGM not affecting AFP access

Originally a Share Point was only accessed by a group called 'Project Staff'. This group has Read-Write permission is granted by ACL.


I created a new group called 'Project Assistants', and gave it Read-Only access to the Share Point.


I looked at three accounts:

UserA, in 'Project Staff'.

UserB, in 'Project Assistants'.

UserC who had been removed from 'Project Staff', and added to 'Project Assistants'.


Effective Permissions Inspector shows:

UserA has the appropriate RW access.

UserB has the appropriate R only access.

UserC still has RW access instead of the expected Read-Only access.


I removed the ACL for 'Project Staff' from the Share Point as a test and looked the users again.

UserA, no access.

UserB and UserC, Read-Only.


When I added the 'Project Staff' access back to the Share Point, UserA and UserC again showed Read-Write access.


It seems that the AFP server is still treating UserC as though it was in the group 'Project Staff', which suggests that it's not seeing the updates to user accounts. However it is granting access to the new group 'Project Assistants'.


Any idea how I can get the AFP server to stop allowing access to accounts that have been removed from groups?

Mac OS X (10.6.8)

Posted on Sep 28, 2011 12:15 PM

Reply
1 reply
User profile for user: NateKruser
NateKruser Author
User level: Level 1
0 points

Sep 29, 2011 6:21 AM in response to NateKruser

I continuted some testing, and noticed in Server Manager, on the AFP server, that the list of users than can be dragged into the Effective Permissions Inspector lists each user's UID along with thier User Name.


I decided to change UserC's UID in WGM to see if it would update in that listing on the AFP server.


Not only did it change (after switching the listing to groups and back), but suddenly UserC was showing up in the Effective Permissions Inspector with the correct access.


It's a bit of a clunky workaround, but manageable for the time being. If a user's access to AFP shares is not affected when they are removed from a group in Workgroup Manager, try changing thier UID. It may cause the update to take effect.

Reply

Removing user from group in WGM not affecting AFP access

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up