- You create a shared folder in Windows Server 2008 R2 and then grant User A Read permission for the folder.
- You create a subfolder on the shared folder, disable inheritable permissions from the subfolder's parent folder, and do not grant User A Read permission for the subfolder.
- You log on to a Windows Server 2012-based server as User A and then run an application that calls FindFirstFile for the shared folder.
If the application that you are running assumes that ERROR_ACCESS_DENIED is returned in this situation to signal that it does not have the appropriate access right, it is possible that this assumption is incorrect.
These NT statuses that the SMB component returns are translated to one of the following Win32 errors when the NT statuses are handed to the file or folder APIs:
Be aware that even if the design of Windows was changed so that ERROR_ACCESS_DENIED could be returned, the application that accesses a network share could still receive ERROR_UNEXP_NET_ERR because an actual network error might occur, such as a server crash, a loss of network power, and so on.
Also be aware that there is a difference between I/O to local drives and I/O to network file shares. Although the APIs (CreateFile, ReadFile, FindFirstFile, and so on) that the application uses are all the same, the storage system that does the work is very different. When an application accesses a local file, the API creates an IRP and sends this to the file system driver (NTFS.SYS), and the I/O request eventually is sent to the disk drivers. When an application accesses a network share, the API invokes a client/server network protocol. The API sends the request to the client redirector, and then the client redirector makes an SMB packet and sends the SMB packet to the server. The server’s service receives the packet and then performs the I/O operation. After the I/O operation is complete, the server’s service sends a response SMB packet back to the client redirector, and the client redirector returns to the application.
Because of these differences, the API can return different kinds of errors. For local files, the API will not return networking errors. For networked files, the API can return file access errors like ERROR_ACCESS_DENIED and network errors like ERROR_UNEXP_NET_ERR because either kind of error can occur on a network. This behavior is by design and is documented in the Microsoft Developer Network (MSDN) Library in the following two locations:
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
Article ID: 2990989 - Last Review: 22 Aug 2014 - Revision: 1