SMB · Troubleshooting

“Access Is Denied” Mapping a Drive Over SMB

A drive mapping that fails with nothing but “Access is denied” is the network telling you it worked exactly as configured — the fix is finding which of five or six independent gates actually closed the door.

Quick idea: An SMB connection has to clear share permissions, NTFS permissions, an authentication method the server will accept, and (for local admin accounts) a remote UAC token filter — all separately. “Access is denied” only tells you one of those gates refused the request, not which one. Work through them in order rather than guessing.
Share vs NTFS

Two independent permission sets stack on every SMB path. The more restrictive of the two always wins, regardless of what the other one allows.

Guest access blocked

Modern Windows clients no longer fall back to unauthenticated guest sign-in by default — a NAS that used to “just work” now demands real credentials.

Remote UAC filtering

A local administrator account connecting over the network gets a stripped-down token unless the target explicitly disables the filter. Domain admins are unaffected.

Introduction

Someone maps a drive to a file server they have used for months, or tries a share for the first time after being added to the right group, and gets nothing but Access is denied. Their password is correct. Their account isn’t locked. Direct RDP to the server works fine. The share itself is visible in the browse list, sometimes, which somehow makes it worse — the server clearly knows the share exists, it just won’t let this particular connection in.

SMB access denials are frustrating precisely because “access denied” is the output of several unrelated checks that all produce the identical message. Share permissions, NTFS permissions, the authentication method negotiated, SMB signing requirements, and — for local accounts specifically — a UAC restriction on remote connections can each independently refuse the request. The fix is rarely mysterious once you know which gate closed; the time gets lost checking the wrong one first.

What You’re Seeing

The exact wording depends on how the connection was attempted, but it clusters into a small set of variants:

# net use / mapped drive - command line
System error 5 has occurred.
Access is denied.

# File Explorer - "Map network drive" or double-clicking a UNC path
Access is denied.
You do not have permission to access \\fileserver01\finance.

# Modern Windows clients connecting to a NAS or third-party SMB server
You can't access this shared folder because your organization's
security policies block unauthenticated guest access.

# Network capture (Wireshark/Netmon), filtered on SMB2
SMB2 Session Setup Response, Error: STATUS_ACCESS_DENIED (0xC0000022)

A related but distinct error is worth ruling out early because it is easy to mistake for a permissions problem: System error 1219, “Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed.” That is not an access-denied failure at all — it means an existing SMB session to that server is already open under a different credential, and Windows refuses to hold two identities against the same server at once.

Key point: “Access is denied” and “the network path was not found” (System error 53 / System error 67) are different failure classes. The former means the server heard the request and refused it. The latter means the client never reached the server at all — that’s a DNS, routing, or firewall problem, not a permissions one, and none of the fixes in this post apply to it.

What It Actually Means

Every SMB connection to a shared folder has to pass through two separate permission layers before the user’s request even reaches the file system: share permissions (set on the share itself, in the Advanced Sharing dialog or via Grant-SmbShareAccess) and NTFS permissions (set on the underlying folder’s Security tab, or via icacls/Get-Acl). These are evaluated independently, and the connecting user’s effective access is whichever of the two is more restrictive. A share permission of Full Control does nothing to widen an NTFS ACL that only grants Read, and vice versa — a common misconfiguration is assuming that opening up one side is enough.

Beyond the permission tables, the connection also has to satisfy whatever authentication and transport requirements the server enforces. Starting with Windows 11 24H2 and Windows Server 2025, unauthenticated guest sign-in is blocked by default, SMB signing is required in both directions, and SMB client-side NTLM blocking is available — any of which turns a connection that worked for years into an outright refusal the moment a client or server is upgraded, with no configuration change on the share itself. Separately, a local administrator account (a Security Account Manager account on the target machine, not a domain account) that connects remotely gets a filtered access token by default under User Account Control — it authenticates successfully but is denied administrative actions, including in some cases the connection itself, unless the remote UAC restriction has been explicitly disabled on the target.

How to Diagnose

Start from the client, cheapest checks first, before touching anything on the server:

# 1. Confirm exactly what's currently mapped/connected, and the literal error
net use

# 2. Check the negotiated SMB dialect and session state for the target server
Get-SmbConnection -ServerName fileserver01

# 3. Check the client's own security posture - signing, guest fallback, NTLM
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature, EnableInsecureGuestLogons

# 4. On the file server: confirm the share exists and check its ACL
Get-SmbShare -Name finance
Get-SmbShareAccess -Name finance

# 5. On the file server: check the NTFS ACL on the underlying folder
Get-Acl -Path "D:\Shares\Finance" | Format-List

# 6. Confirm which Kerberos tickets the client session actually holds
klist tickets

If none of that shows an obvious mismatch, check Event Viewer on the client under Applications and Services Logs → Microsoft → Windows → SMBClient, specifically the Connectivity and Security channels. Event ID 31017 specifically flags a connection refused because the server offered only guest authentication and the client’s policy blocks it — worth checking before assuming a permissions problem.

Practical note: Run the Get-SmbShareAccess and Get-Acl checks together. A share ACL that looks generous and an NTFS ACL that looks generous can still deny access when combined, because the effective permission is the intersection of the two, not the union.

Common Causes

Cause How to Confirm Fix
Share permission doesn’t grant the user or their group access Get-SmbShareAccess -Name finance shows no entry, or only Read, for the account or group in question. Add the missing entry: Grant-SmbShareAccess -Name finance -AccountName "CORP\Finance-RW" -AccessRight Change -Force.
NTFS permission on the underlying folder is more restrictive than the share permission Get-Acl on the folder doesn’t list the user or group at all, or lists Read only, even though the share ACL grants Change or Full. Grant the matching NTFS right on the folder: icacls "D:\Shares\Finance" /grant "CORP\Finance-RW:(OI)(CI)M".
Unauthenticated guest access is blocked (modern default) The client shows “…security policies block unauthenticated guest access,” or SMBClient Event ID 31017 in Event Viewer. Connect with valid, non-guest credentials instead. Do not re-enable insecure guest logons except as a temporary, risk-accepted workaround on an isolated network.
SMB signing required by the client but unsupported by the server or NAS Client is Windows 11 24H2 or Windows Server 2025 (signing required by default); connection to older or third-party SMB servers fails outright. Enable SMB signing on the server side: Set-SmbServerConfiguration -RequireSecuritySignature $true. If the device genuinely cannot sign, evaluate the risk before relaxing the client requirement instead.
NTLM is blocked or unavailable for the target Connecting by IP address, to a workgroup device, or to a NAS where Kerberos can’t be negotiated, on a client with SMB NTLM blocking configured. Connect using the server’s Kerberos-capable DNS name (e.g. \\fileserver01.corp.example.com\finance) rather than its IP address, and confirm the SPN and name resolution are correct.
Local administrator account connecting remotely is subject to UAC remote token filtering A local (non-domain) admin account on the target authenticates but is refused administrative access; a domain admin account to the same share works fine. Prefer a domain account for remote administration. If a local account genuinely must be used, set LocalAccountTokenFilterPolicy (DWORD, value 1) under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System on the target — understanding this widens the machine’s remote attack surface.
Existing session to the same server under a different credential net use shows an active connection to the same server name, and the actual error text is System error 1219, not a plain access denial. Disconnect the existing session before reconnecting with the new credential: net use \\fileserver01\finance /delete, then map again.

Working Through a Fix

Work the permission layers first, since they account for most cases and are the safest to check without touching client-wide security policy. Pull both ACLs side by side before changing anything:

# On the file server - see both permission layers at once
Get-SmbShareAccess -Name finance | Format-Table AccountName, AccessRight
Get-Acl -Path "D:\Shares\Finance" | Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType

Grant the narrower of the two whatever the user actually needs, matching the same right on both layers rather than opening one side wide and leaving the other tight — a Full Control share ACL paired with a Read-only NTFS ACL still leaves the user at Read:

# Grant Change on the share
Grant-SmbShareAccess -Name finance -AccountName "CORP\Finance-RW" -AccessRight Change -Force

# Grant the matching Modify right on the NTFS ACL, applied to this
# folder and inherited by subfolders/files ((OI)(CI))
icacls "D:\Shares\Finance" /grant "CORP\Finance-RW:(OI)(CI)M"
Production note: Granting Everyone Full Control on either layer “to make it work” removes the access control the share exists to provide. If the diagnosis points there, grant the specific group that actually needs access instead — it takes the same two commands and doesn’t leave a standing hole.

If the permission layers check out and the failure is instead the guest-access or signing behaviour introduced by newer Windows defaults, the fix lives on the server or NAS, not the share ACL. Confirm the client’s own posture first so you’re not chasing a client-side setting that was never the cause:

# Client: is guest fallback or signing the reason this connection is refused?
Get-SmbClientConfiguration | Select-Object EnableInsecureGuestLogons, RequireSecuritySignature

# Server: bring SMB signing in line with what the client requires
Set-SmbServerConfiguration -RequireSecuritySignature $true

How to Prevent It

Keep share and NTFS permissions aligned to the same groups rather than layering broad share access on top of narrow NTFS access (or the reverse) — the mismatch is the single most common cause here, and it’s invisible until someone actually hits it. Document which group maps to which access level for each share, since “who can read Finance” tends to be tribal knowledge that outlives whoever set it up.

Treat the newer secure-by-default behaviours — blocked guest access, required signing, NTLM restrictions — as things to test for deliberately after any client or server upgrade, rather than debugging them cold when a user reports a share that “just stopped working.” For the authentication layer underneath all of this, see the Kerberos authentication post; if the failure turns out to be about firewall reachability to the file server rather than permissions, check Windows Firewall rules for File and Printer Sharing next.

Quick Reference

Command Use
Get-SmbShareAccess -Name <share>List the share-level permission ACL.
Grant-SmbShareAccess -Name <share> -AccountName <account> -AccessRight <Read|Change|Full> -ForceAdd or widen a share-level permission entry.
Get-Acl -Path <folder>List the NTFS permission ACL on the underlying folder.
icacls <folder> /grant <account>:(OI)(CI)MGrant an NTFS Modify right, inherited by subfolders and files.
Get-SmbClientConfigurationCheck the client’s guest-access, signing, and NTLM posture.
Set-SmbServerConfiguration -RequireSecuritySignature $trueRequire SMB signing on the server side.
net use \\server\share /deleteDrop an existing session before reconnecting under different credentials (fixes error 1219).
SMBClient Event ID 31017Client refused a connection because the server offered only unauthenticated guest access.

Final Thoughts

“Access is denied” over SMB is rarely one thing. It’s the visible output of several independent checks — share permissions, NTFS permissions, authentication method, signing requirements, and remote UAC filtering for local accounts — any one of which can refuse the connection on its own.

Work from the client outward: confirm what’s actually being negotiated with net use and Get-SmbConnection, then check both permission layers together rather than one at a time, and only then look at the newer secure-by-default behaviours if the account and folder configuration both check out.

For the mechanics behind that combination rule — why the more restrictive of the two permission layers always wins, and how to configure both from the GUI and PowerShell — see SMB File Shares — Share vs NTFS Permissions.

Key takeaway: Run Get-SmbShareAccess and Get-Acl together before changing anything — the effective permission is whichever of the two is more restrictive, and widening only one side is the most common reason a fix “doesn’t take.”
More troubleshooting

Next: when the connection never reaches the server at all — reading what each blocked port or unreachable path in Windows Firewall actually means for file and printer sharing.