Remember... when you change group membership, the user needs to log off and back on to the ONTAP share. This way, ONTAP can give them their group membership changes.
You can use sectrace (vserver security trace) to tell you why it's access denied.
Also... from diag mode, for the username of someone in one of those groups:
diag secd authentication show-creds -node <node> -vserver <svm> -win-name <username>
You DEFINITELY want to see the map to root (if you have local admins mapped to root):
UNIX UID: root <> Windows User: DOMAIN\user (Windows Domain User)
GID: daemon
Supplementary GIDs:
daemon
Primary Group SID: DOMAIN\Domain Users (Windows Domain group)
Windows Membership:
DOMAIN\Domain Users (Windows Domain group)
DOMAIN\ClusterAdmins (Windows Domain group)
DOMAIN\Domain Admins (Windows Domain group)
DOMAIN\ESX Admins (Windows Domain group)
DOMAIN\Denied RODC Password Replication Group (Windows Alias)
NT AUTHORITY\Claims Valid (Windows Well known group)
Service asserted identity (Windows Well known group)
BUILTIN\Users (Windows Alias)
BUILTIN\Administrators (Windows Alias) <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
User is also a member of Everyone, Authenticated Users, and Network Users
Privileges (0x22b7):
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeSecurityPrivilege
SeChangeNotifyPrivilege
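
Added example, not part of the original post and not NetApp code: a small parser that takes saved show-creds text and confirms the two things the post says to look for, the UNIX mapping to root and BUILTIN\Administrators in the Windows membership. The function names and the sample text are constructed for illustration, and the line layout is assumed to match the output quoted above.

```python
import re

# Constructed sample, modelled on the show-creds output quoted in the post.
SAMPLE = r"""
UNIX UID: root <> Windows User: DOMAIN\user (Windows Domain User)
GID: daemon
Supplementary GIDs:
daemon
Primary Group SID: DOMAIN\Domain Users (Windows Domain group)
Windows Membership:
DOMAIN\Domain Users (Windows Domain group)
DOMAIN\Domain Admins (Windows Domain group)
BUILTIN\Administrators (Windows Alias) <<<<<<<<
User is also a member of Everyone, Authenticated Users, and Network Users
Privileges (0x22b7):
SeBackupPrivilege
SeTakeOwnershipPrivilege
"""

def parse_show_creds(text):
    """Return UNIX user, Windows user, group list and privilege list."""
    creds = {"unix_user": None, "win_user": None, "groups": [], "privileges": []}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        head = re.match(r"UNIX UID:\s*(\S+)\s*<>\s*Windows User:\s*(.+?)\s*\(", line)
        if head:
            creds["unix_user"], creds["win_user"] = head.groups()
        elif line.startswith("Windows Membership:"):
            section = "groups"
        elif line.startswith("Privileges"):
            section = "privileges"
        elif section == "groups":
            # Group lines look like "NAME (Windows ...)"; anything else is skipped.
            group = re.match(r"(.+?)\s+\(Windows [^)]*\)", line)
            if group:
                creds["groups"].append(group.group(1))
        elif section == "privileges" and re.fullmatch(r"Se\w+Privilege", line):
            creds["privileges"].append(line)
    return creds

def check_admin_mapping(creds):
    """True only if the user maps to root AND holds BUILTIN\\Administrators."""
    groups = {g.upper() for g in creds["groups"]}
    return creds["unix_user"] == "root" and r"BUILTIN\ADMINISTRATORS" in groups

if __name__ == "__main__":
    parsed = parse_show_creds(SAMPLE)
    print(parsed["win_user"], "->", parsed["unix_user"], check_admin_mapping(parsed))
```

If the check comes back False right after a group change, the cached credentials may predate the change, which is the log off and back on point at the top of the post.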