Access Denied when you access an SMB file share in Windows
This article helps fix the Access Denied error that occurs when you access a Server Message Block (SMB) file share.
Applies to: Windows Server 2012 R2, Windows 7 Service Pack 1
Original KB number: 3035936
Symptoms
When you try to access a specific folder that's located on a Network Appliance (NetApp) Filer or a Windows Server that supports SMB2 from a Windows-based system through the SMB Version 2 protocol, the access is denied. This issue occurs in the following version of Windows:
- Windows 8.1
- Windows Server 2012 R2
- Windows 8
- Windows Server 2012
- Windows 7
- Windows Server 2008 R2
- Windows Vista
- Windows Server 2008
Note
This issue doesn't occur if you disable the SMB2 protocol on the client or use a Windows SMB client, such as Windows XP or Windows Server 2003.
Cause
This issue occurs because the target folder on the SMB share is missing the SYNCHRONIZE access control entries.
Resolution
To resolve this issue, use the ICACLS utility to set the desired permissions that contain the Synchronize bit.
For example, at a command prompt, type the following command, and then press ENTER:
ICACLS h:\folder /grant domain\user:(RC,RD,REA,RA,X,S)
A comma-separated list in parentheses of specific rights:
- RC - read control
- RD - read data/list directory
- REA - read extended attributes
- RA - read attributes
- X - execute/traverse
- S - Synchronize
Troubleshooting
You can use the following methods to verify and troubleshoot the issue.
Verify that the NetApp Filer has the Synchronize bit set on the folder.
A network trace can show the DesiredAccess error for the SMB2 CREATE process on the folder for the Request and Response packet.
The AccessChk.exe tool is available on Windows Sysinternals site for reading out the permission settings.
For example, run the following command:
C:\tools\Sysinternals\accesschk.exe -ldThen, you can see the following result that shows the SYNCHRONIZE bit is set:
[2] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Users [OBJECT_INHERIT_ACE] [CONTAINER_INHERIT_ACE] [INHERITED_ACE] FILE_LIST_DIRECTORY FILE_READ_ATTRIBUTES FILE_READ_EA FILE_TRAVERSE SYNCHRONIZE READ_CONTROLSee the behavior of the SYNCHRONIZE bit on Windows SMB2 clients.
Third-party information disclaimer
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for