Solved

AD Effects - WinServer 2003 Std SP1

Posted on 2007-03-17
Last Modified: 2010-04-18
I am working with a new network for which there is no documentation.

The other day, I disabled several accounts for users that are no longer needed but was surprised to find that the new user replacing that position could no longer access any of the files in THEIR file share as they were locked out of the network for access to their files. Re-enabling the "old" user restored network connectivity.

Looked only a little into this but security settings seemed all OK. Did easily find that some of the files were owned by the previous user but even the root share could not be accessed and permissions, ownership seemed fine at that level.

Two questions then...
1) How can disabling a user that is no longer needed affect another who seems to be set up properly for groups, rights, permissions?
2) How can I KNOW which accounts I can clean up, disable and/or reset passwords on without causing users access difficulties?

Thanks!



Question by:DanielT
9 Comments
 
LVL 53

Expert Comment

by:McKnife
ID: 18739913
Disabling a user does not affect others, impossible. Please clarify what you are doing. (I mean, there is nothing to clarify, but maybe you forgot something.)
Please use the effective permissions tab on the server (properties of that share) and check if your server claims that the user should have access.
0
 
LVL 2

Author Comment

by:DanielT
ID: 18740283
Thanks.
I also thought it was impossible but it was the only change - and re-enabling the account immediately restored the users' connectivity to all folders. Permissions were the first thing I looked at since this is what I suspected but (I thought) it was OK. Was in a hurry though so I will check again.

The only thing I found related to the old user at the time was the file ownership so I included that detail.
0
 
LVL 2

Author Comment

by:DanielT
ID: 18743247
File security and permission settings are fine on the server for the user's directory as are the permissions for the user's account. The effective permissions tab shows no special settings for either account.

Another noteworthy point? The user works while logged in locally to their machine while using network resources. Not sure if local account settings would have anything to do with this if the account were renamed locally due to security descriptor being the same as the last user. Is this possible?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 18744061
"The effective permissions tab shows no special settings for either account" - that's not the point. In the state when he cannot access files, what do eff. permissions on that server tell you for that user? Should he be able to access (read/write) that file/folder?

About security descriptors: If you delete a user and create another with the same name (no matter if domain user or local user), the SID changes and he cannot access the files the former user could access.
0

 
LVL 2

Author Comment

by:DanielT
ID: 18746160
Hi McKnife,

I have increased points for the effort.
Thanks for note about security descriptors. I was aware of that.

Perhaps I'm just not explaining myself properly. I have checked specifically for the permissions of the "new" folders (properties of that share) on the server to which all the files were copied from the "old" user's folders. They are set correctly.

What was puzzling is that "newuser" had access to their "newuser" server files when "olduser" account was active but NOT when "olduser" account was disabled. The only thing common about these folders is that the files were copied from "olduser" to "newuser". I have not retried disabling the "olduser" account since both the user and I are only in at certain times and they may not overlap.

Any ideas - other than impossible? <grin>



0
 
LVL 53

Accepted Solution

by:
McKnife earned 350 total points
ID: 18750344
Sorry, none. Or? Make sure the SIDs of old and new are different, maybe use a tool like user2sid for that.
0
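
An added example, not part of the thread and not any participant's code: one way to run the SID comparison suggested in the accepted answer, and to list where the old account's SID is still the owner or holds an explicit ACE under the share before the account is disabled. The account names and share path are hypothetical placeholders, and the script assumes PowerShell 3.0 or later on a machine that can resolve both accounts.

```powershell
# Added example. Account names and share path are hypothetical placeholders.
param(
    [string]$OldAccount = 'EXAMPLE\olduser',
    [string]$NewAccount = 'EXAMPLE\newuser',
    [string]$SharePath  = 'D:\Shares\newuser'
)
$sidType = [System.Security.Principal.SecurityIdentifier]

function Resolve-Sid([string]$Account) {
    # Translate() asks Windows to map the account name to its SID.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

$oldSid = Resolve-Sid $OldAccount
$newSid = Resolve-Sid $NewAccount
"{0,-24} {1}" -f $OldAccount, $oldSid
"{0,-24} {1}" -f $NewAccount, $newSid
if ($oldSid -eq $newSid) {
    Write-Warning 'Both names resolve to the same SID, so they are one account.'
}

# Walk the share root and everything below it.
$items = @(Get-Item -LiteralPath $SharePath) +
         @(Get-ChildItem -LiteralPath $SharePath -Recurse -Force)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName

    # Ownership is stored as a SID, independent of the account's current name.
    if ($acl.GetOwner($sidType).Value -eq $oldSid) {
        [pscustomobject]@{ Path = $item.FullName; Reference = 'Owner'; Rights = '' }
    }

    # Explicit ACEs only ($true, $false): inherited ones show up at their source.
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        if ($ace.IdentityReference.Value -eq $oldSid) {
            [pscustomobject]@{
                Path      = $item.FullName
                Reference = "$($ace.AccessControlType) ACE"
                Rights    = $ace.FileSystemRights
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

This reads NTFS ownership and ACLs only; share-level permissions are stored separately and are not covered.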
 
LVL 2

Author Comment

by:DanielT
ID: 18753839
Thanks.
I will have to look closer and try the account lockout again when user is available.
Will leave this Question open in meantime in case I find out the cause - or there is other input.  
It's probably something simple.
0
 
LVL 2

Author Comment

by:DanielT
ID: 18847805
Not a lot of news unfortunately.
Although I have not been able to try a 2nd lockout of the "unused" account I have been able to check further including the account(s) on the local machine. Everything looks like it should be in order. Have not looked at SIDs either. Am still thinking an account was renamed, rather than copied or recreated but cannot verify this with anyone.
0
 
LVL 2

Author Comment

by:DanielT
ID: 18915447
Still have not used a utility to check SIDs but expect the issue is caused as per McKnife's suggestion on 03/19. Am awarding the points accordingly.
0
