A Windows Server 2022 file server hosts several departmental shares on volume D:. Shortly after a junior administrator "tightened security," members of the Marketing AD group receive an immediate "Access is denied" error when they try to open \FS1\Marketing from Windows 11 workstations. The same users can still open \FS1\Public and other shares on the server, and they can successfully RDP to FS1. Troubleshooting shows:
ICMP replies from FS1 and netstat confirm TCP 445 is listening.
The inbound File and Printer Sharing (SMB-In) firewall rules are enabled.
NTFS permissions on D:\Shares\Marketing still grant the Marketing group Modify.
DNS resolution for FS1 is correct and unchanged.
Which of the following is the MOST likely reason the Marketing share is no longer accessible to its users?
Clients are unable to negotiate SMB v1 after the protocol was disabled on FS1.
A Group Policy or manual change added an explicit Deny share permission for the Marketing group on \FS1\Marketing.
The NTFS ACL on D:\Shares\Marketing removed the Synchronize right for the Marketing group.
A network firewall between clients and FS1 is silently dropping traffic on TCP 445.
Because other shares on the same server are still reachable, network reachability, DNS, and the server-side firewall are not the cause. NTFS continues to grant the Marketing group Modify, so an NTFS ACL problem is unlikely. The only change that would block just one share while leaving the others functional is a share-level explicit Deny entry; in Windows access-control evaluation, an explicit Deny ACE (at either the share or NTFS layer) overrides any Allow entries and immediately returns "Access is denied." Removing that Deny or restoring the previous share ACL would restore access. Missing Synchronize or SMB-version issues would affect all shares or manifest during file open, not at initial share connection, and a firewall blocking port 445 would prevent access to every share on the server, not just one.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the difference between share permissions and NTFS permissions?
Open an interactive chat with Bash
What is an explicit Deny permission in Windows?
Open an interactive chat with Bash
How does SMB protocol and TCP 445 impact file sharing?
Open an interactive chat with Bash
What is the difference between NTFS permissions and share permissions?
Open an interactive chat with Bash
How does an explicit 'Deny' permission work in Windows access control?
Open an interactive chat with Bash
What is the role of SMB in file sharing, and why is TCP 445 important?
Open an interactive chat with Bash
What is the difference between NTFS permissions and share permissions in Windows Server?
Open an interactive chat with Bash
What does an explicit 'Deny' permission do in access control evaluation?
Open an interactive chat with Bash
Why does SMB traffic use TCP port 445, and how does it differ from earlier versions using port 139?