T The Triage ManualTechnical Guides for IT Emergencies
P3 · Windows Server

SMB File Access Failures — NTFS/Share ACL, Kerberos Token, Offline Files Cache, and DFS-R Missing Data Triage

Users on domain-joined Windows clients report 'Access is denied', missing files, or save failures on SMB shares. Root causes span NTFS/share ACL misconfiguration, broken inheritance, stale Kerberos tokens after AD group changes, Kerberos token bloat exceeding MaxTokenSize, Offline Files (CSC) cache corruption, DFS-R ConflictAndDeleted/PreExisting placement, oplock/SMB lease contention, or EFS decryption failure. Resolution requires validating effective permissions with icacls/AccessChk, refreshing tokens, clearing CSC, and inspecting DFS-R health before restoring ACLs from a documented baseline.

Indicators

Likely causes

Diagnostic steps

  1. Reproduce the failure as the affected user; capture the exact UNC path, error text, and operation (read/write/delete/list). Have them run 'whoami /groups > %temp%\groups.txt' from their session.
    Distinguish permission denial from missing-data, locking, or namespace resolution; confirm the token the user is actually presenting.
  2. On the file server, inspect NTFS and share ACLs: 'icacls "D:\Shares\Path"' and 'Get-SmbShareAccess -Name <ShareName>'. Compare against a known-good sibling folder.
    Identify removed ACEs, broken inheritance, or explicit Deny entries overriding Allow.
  3. Run 'accesschk.exe -accepteula -q -s DOMAIN\User "D:\Shares\Path"' or use Advanced Security Settings > Effective Access GUI.
    Compute the true effective permission set for the user, factoring share, NTFS, and group nesting.
  4. Have the user sign out and back on (or run 'klist purge' then re-authenticate to the share). Recheck access.
    Rule out stale Kerberos tickets following recent AD group changes.
  5. Check for token bloat: count groups with 'whoami /groups | find /c /v ""' and inspect Event ID 4625 / Netlogon for token-size warnings. Compare to server's MaxTokenSize.
    Detect Kerberos token exceeding buffer size — manifests as silent auth degradation.
  6. Verify the file/folder actually exists on the underlying NTFS volume (local path, not via share). Inspect DFS-R state: 'dfsrdiag ReplicationState /member:<server>' and check the ConflictAndDeleted and PreExisting folders under 'D:\<Volume>\System Volume Information\DFSR\'.
    Detect 'missing data' caused by DFS-R conflicts rather than permissions.
  7. On the client, clear Offline Files cache: run 'reg add HKLM\SYSTEM\CurrentControlSet\Services\CSC\Parameters /v FormatDatabase /t REG_DWORD /d 1 /f' then reboot.
    Rule out a corrupt CSC cache masking the true server state.
  8. On the file server, list open handles: 'Get-SmbOpenFile | Where-Object Path -like "*<filename>*"' or 'handle.exe -a <file>'.
    Identify in-use / oplock conditions blocking writes despite valid permissions.
  9. Enable file-share auditing on the target path and re-test; review Security log Event IDs 4656, 4663, 4670.
    Capture the exact access mask requested vs granted, and any recent ACL modification.

Resolution path

Prevention

Tools

References

file-serversmbntfspermissionsacldfs-roffline-fileskerberostoken-bloatwindows-serveraccess-denied