SMB File Access Failures — NTFS/Share ACL, Kerberos Token, Offline Files Cache, and DFS-R Missing Data Triage
Users on domain-joined Windows clients report 'Access is denied', missing files, or save failures on SMB shares. Root causes span NTFS/share ACL misconfiguration, broken inheritance, stale Kerberos tokens after AD group changes, Kerberos token bloat exceeding MaxTokenSize, Offline Files (CSC) cache corruption, DFS-R ConflictAndDeleted/PreExisting placement, oplock/SMB lease contention, or EFS decryption failure. Resolution requires validating effective permissions with icacls/AccessChk, refreshing tokens, clearing CSC, and inspecting DFS-R health before restoring ACLs from a documented baseline.
Indicators
- 'Access is denied' when opening files or folders the user could previously access
- Files or folders appear missing from a share although present on the underlying volume
- Save/Save As fails with permission errors despite the user having read access
- Intermittent access failures beginning shortly after AD group membership changes
- Explorer shows stale or empty folder listings that refresh only after clearing the offline files cache
- DFS namespace path resolves to a target with different or outdated content than a peer replica
- Security event log records Event ID 4656/4663 access-denied entries for the affected user/path
Likely causes
- NTFS ACL changes removed a required group or broke inheritance on child objects
- Share-level permissions more restrictive than NTFS (effective permission is the intersection of both)
- AD group membership changes not yet reflected in the user's Kerberos ticket / access token (requires logoff/logon)
- Kerberos token bloat — SID/group count exceeds MaxTokenSize (default 48000 bytes), causing silent authentication degradation
- Offline Files (Client-Side Caching / CSC) cache corruption or unresolved sync conflicts shadowing server state
- DFS-R backlog, conflict, or PreExisting placement moving files to ConflictAndDeleted/PreExisting folders
- Exclusive file lock, oplock, or SMB lease held by another session preventing write access
- EFS-encrypted files where the user lacks the decryption certificate or DRA
- User is viewing a Volume Shadow Copy / Previous Version rather than live data
Diagnostic steps
-
Reproduce the failure as the affected user; capture the exact UNC path, error text, and operation (read/write/delete/list). Have them run 'whoami /groups > %temp%\groups.txt' from their session.Distinguish permission denial from missing-data, locking, or namespace resolution; confirm the token the user is actually presenting.
-
On the file server, inspect NTFS and share ACLs: 'icacls "D:\Shares\Path"' and 'Get-SmbShareAccess -Name <ShareName>'. Compare against a known-good sibling folder.Identify removed ACEs, broken inheritance, or explicit Deny entries overriding Allow.
-
Run 'accesschk.exe -accepteula -q -s DOMAIN\User "D:\Shares\Path"' or use Advanced Security Settings > Effective Access GUI.Compute the true effective permission set for the user, factoring share, NTFS, and group nesting.
-
Have the user sign out and back on (or run 'klist purge' then re-authenticate to the share). Recheck access.Rule out stale Kerberos tickets following recent AD group changes.
-
Check for token bloat: count groups with 'whoami /groups | find /c /v ""' and inspect Event ID 4625 / Netlogon for token-size warnings. Compare to server's MaxTokenSize.Detect Kerberos token exceeding buffer size — manifests as silent auth degradation.
-
Verify the file/folder actually exists on the underlying NTFS volume (local path, not via share). Inspect DFS-R state: 'dfsrdiag ReplicationState /member:<server>' and check the ConflictAndDeleted and PreExisting folders under 'D:\<Volume>\System Volume Information\DFSR\'.Detect 'missing data' caused by DFS-R conflicts rather than permissions.
-
On the client, clear Offline Files cache: run 'reg add HKLM\SYSTEM\CurrentControlSet\Services\CSC\Parameters /v FormatDatabase /t REG_DWORD /d 1 /f' then reboot.Rule out a corrupt CSC cache masking the true server state.
-
On the file server, list open handles: 'Get-SmbOpenFile | Where-Object Path -like "*<filename>*"' or 'handle.exe -a <file>'.Identify in-use / oplock conditions blocking writes despite valid permissions.
-
Enable file-share auditing on the target path and re-test; review Security log Event IDs 4656, 4663, 4670.Capture the exact access mask requested vs granted, and any recent ACL modification.
Resolution path
- Back up current ACLs before changes: 'icacls "D:\Shares\Path" /save C:\Backup\path.acl /t /c'
- Restore correct NTFS ACLs from a known-good reference (parent inheritance or documented baseline). Re-enable inheritance: 'icacls "D:\Shares\Path" /inheritance:e /t'
- Ensure share permissions are at least as permissive as NTFS — typically Authenticated Users: Full Control at the share, with NTFS enforcing granularity: 'Grant-SmbShareAccess -Name <Share> -AccountName "Authenticated Users" -AccessRight Full -Force'
- Re-add the user to the appropriate AD security group; have them log off/on or run 'klist purge' to refresh the Kerberos token
- For token bloat: prune unnecessary group memberships; as a stopgap, set HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize to 65535 (REG_DWORD) on affected file servers and reboot
- For missing data on DFS-R, inspect ConflictAndDeleted and PreExisting on each replication partner; restore required items and resolve the source of conflict (simultaneous edits, offline member)
- Clear client-side Offline Files cache via CSC FormatDatabase registry flag and reboot the client; then resync the share
- Release stuck file locks with 'Close-SmbOpenFile -Force' or restart the Server (LanmanServer) service in a maintenance window
- For EFS-protected files, restore or re-issue the user's EFS certificate, or use a configured Data Recovery Agent to decrypt
Prevention
- Standardise on group-based ACLs using the AGDLP model (Accounts → Global → Domain Local → Permissions); avoid direct user ACEs so membership changes propagate cleanly
- Enable object access auditing on sensitive shares (Event IDs 4656/4663/4670) with log forwarding to a SIEM
- Export and periodically snapshot ACL baselines: schedule 'icacls <path> /save <backup>.acl /t /c' for every share tree
- Monitor DFS-R health, backlog, and ConflictAndDeleted quota; alert on non-zero backlog aging beyond RPO
- Keep AD group memberships lean; enforce a MaxTokenSize standard (48000–65535) on all file servers and document the value
- Disable Offline Files on shares where it is not required to eliminate CSC as a failure mode
- Document permission ownership per share so change requests route to a business owner, not IT alone
Tools
- icacls (view/modify NTFS ACLs and save/restore ACL baselines)
- Get-Acl / Set-Acl (PowerShell ACL management)
- AccessChk (Sysinternals — compute effective permissions for a principal)
- Handle.exe / Get-SmbOpenFile (identify open handles and SMB locks)
- dfsrdiag (inspect DFS-R backlog, conflicts, replication state)
- Process Monitor (trace file access with failure reason)
- whoami /groups (verify user's current token group membership)
- klist (view and purge Kerberos tickets)
- Get-SmbShareAccess / Grant-SmbShareAccess (share-level ACL management)