IBM Support

Access denied error from Windows Explorer only

Technote (troubleshooting)


Problem (Abstract)

This technote explains why attempts to open a directory inside an IBM® Rational® ClearCase® VOB using Microsoft® Windows® Explorer result in the error, Access is denied, while opening a command shell or ClearCase Explorer (to access the same directory) works without a problem.

Symptom

Additionally, when trying to open this directory with Windows Explorer again, access is granted. This happens in different views by the same user.

The user has the primary group set and is a member of multiple groups which own specific elements.

Cause

This occurs because the Windows Explorer process is created before the CLEARCASE_PRIMARY_GROUP variable is read.

This means that the ACLs on the explorer process do not contain the updated information for the CLEARCASE_PRIMARY_GROUP variable.

See technote 1135509 for more information about the CLEARCASE_PRIMARY_GROUP variable.


Resolving the problem

 DISCLAIMER:

This solution contains information about modifying the system registry. Before making any modifications with the Microsoft® Registry Editor, it is strongly recommended that you make a backup of the existing registry. For more information describing how to back up the registry, refer to the Microsoft Knowledge Base article 256986 at http://support.microsoft.com/kb/256986.

  1. Use the ntlogon_util -r command

  2. Modify or create the Windows registry key

    HKEY_LOCAL_MACHINE\SOFTWARE\Atria\ClearCase\CurrentVersion\SetPrimaryGroupAtLogon

A restart of the affected workstation is required after making these changes.



NTLOGON_UTIL COMMAND INSTRUCTIONS:
************************************************************
%RATIONALHOME%\etc\utils\ntlogon_util.exe has a new option, -r, that forces the primary group of all processes belonging to the same logon session as the executing user to the value of the CLEARCASE_PRIMARY_GROUP environment variable.



ALTERNATIVE: REGISTRY CHANGE INSTRUCTIONS:
**********************************************************************
As an alternative to running ntlogon_util -r, a user can control the behavior of the ClearCase network provider logon script (nplogon.exe) with respect to CLEARCASE_PRIMARY_GROUP by setting the value of the Windows registry key:

1. Create a new DWORD value in the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Atria\ClearCase\CurrentVersion

a. Edit > New > DWORD value

b. Name --> SetPrimaryGroupAtLogon

2. Edit the value and provide one of the following hexadecimal values:

Value = 0

Result = No action (default)

Value = 1

Result = Set the primary group of nplogon.exe and its ancestors in the same logon session to the value of CLEARCASE_PRIMARY_GROUP. Use this value on hosts running Windows 2000 or Windows XP.

Value = 2

Result = Set the primary group of all processes in the same logon session as nplogon.exe to the value of CLEARCASE_PRIMARY_GROUP. Use this value on hosts running Windows NT.
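
The registry steps above can also be scripted. The following is an added example, not IBM's own code: it backs up the key, writes the SetPrimaryGroupAtLogon DWORD and reads it back. The function name, the backup file location and the use of PowerShell 3.0 or later from an elevated prompt are assumptions.

```powershell
# Added example (not from the technote). Function name and backup path are hypothetical.
function Set-ClearCasePrimaryGroupAtLogon {
    param(
        # 0 = no action (default), 1 = nplogon.exe and its ancestors,
        # 2 = all processes in the same logon session as nplogon.exe
        [Parameter(Mandatory = $true)] [ValidateRange(0, 2)] [int]$Mode,
        [string]$BackupFile = (Join-Path $env:TEMP 'ClearCase-CurrentVersion-backup.reg')
    )
    $regExeKey = 'HKLM\SOFTWARE\Atria\ClearCase\CurrentVersion'   # form used by reg.exe
    $keyPath   = 'HKLM:\SOFTWARE\Atria\ClearCase\CurrentVersion'  # form used by the registry provider
    $valueName = 'SetPrimaryGroupAtLogon'

    # Writing under HKEY_LOCAL_MACHINE needs an elevated session.
    $principal = New-Object Security.Principal.WindowsPrincipal(
        [Security.Principal.WindowsIdentity]::GetCurrent())
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell prompt.'
    }
    # Do not create the ClearCase key if it is absent; only add the value to an existing key.
    if (-not (Test-Path -Path $keyPath)) {
        throw "Registry key not found: $keyPath"
    }
    # The setting applies the value of CLEARCASE_PRIMARY_GROUP, so report if it is undefined.
    if (-not $env:CLEARCASE_PRIMARY_GROUP) {
        Write-Warning 'CLEARCASE_PRIMARY_GROUP is not set in this session.'
    }
    # Back up the key before changing it, as the disclaimer recommends.
    & reg.exe export $regExeKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry backup failed (reg.exe exit code $LASTEXITCODE)." }

    $before = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    # -Force overwrites an existing value; -PropertyType DWord matches step 1a.
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $Mode -Force | Out-Null
    $after = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
    if ($after -ne $Mode) { throw "Verification failed: $valueName is $after, expected $Mode." }

    [pscustomobject]@{
        Key            = $keyPath
        Value          = $valueName
        Previous       = $before      # empty if the value did not exist
        Current        = $after
        Backup         = $BackupFile
        RestartPending = $true        # the technote requires a restart after the change
    }
}

# Example call for a Windows 2000 or Windows XP host:
# Set-ClearCasePrimaryGroupAtLogon -Mode 1
```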

===================================================================
The creds utility has an option, creds -s PID, which sets the primary group in the access token of the process with process ID PID to the value of CLEARCASE_PRIMARY_GROUP.

If your problem is with the CLEARCASE_GROUPS variable, refer to technote 1196032.

Cross reference information
Segment Product Component Platform Version Edition
Software Development Rational ClearCase GUI: Windows Explorer (Integration)

Document information

More support for: Rational ClearCase
Environment Variables

Software version: 7.0

Operating system(s): Windows

Reference #: 1149989

Modified date: 09 August 2007