Solved

AD Effects - WinServer 2003 Std SP1

Posted on 2007-03-17
9
166 Views
Last Modified: 2010-04-18
I am working with a new network for which there is no documentation.

The other day, I disabled  several accounts for users that are no longer needed but was surprised to find that the new user replacing that position could no longer access any of the files in THEIR file share as they were locked out of the network for access to their files. Reenabling the "old" user restored network connectivity.

Looked only a little into this but security settings seemed all OK.  Did easily find that some of the files were owned by the previous user but even the root share could not be accessed and permissions, ownership seemed fine at that level.

Two questions then...
1) How can disabling a user that is no longer needed affect another who seems to be setup properly for groups, rights, permissions?
2) How can I KNOW which accounts I can cleanup, disable and/or reset passwords on without causing users access difficulties?

Thanks!



0
Comment
Question by:DanielT
  • 6
  • 3
9 Comments
 
LVL 54

Expert Comment

by:McKnife
ID: 18739913
Disabling a user does not affect others, impossible. Please clarify what you are doing. (I mean, there is  nothing to clarify, but maybe you forgot something)
Please use the effective permissions tab on the server (properties of that share) and check if your server claims that the user should have access.
0
 
LVL 2

Author Comment

by:DanielT
ID: 18740283
Thanks.
I also thought it was impossible but it was the only change - and renabling the account immediately restored the users' connectivity to all folders. Permissions were the first thing I looked at since this is what I suspected but (I thought) it was OK. Was in a hurry though so I will check again.

The only thing I found related to the old user at the time was the file ownership so I included that detail.
0
 
LVL 2

Author Comment

by:DanielT
ID: 18743247
File security and permission settings are fine on the server for the user's directory as are the permissions for the user's account. The effective permissions tab shows no special settings for either account.

Another noteworthy point? The user works while logged in locally to their machine while using network resources. Not sure if local account settings would have anything to do with this if the account were renamed locally due to security descriptor being the same as the last user. Is this possible?
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 54

Expert Comment

by:McKnife
ID: 18744061
"The effective permissions tab shows no special settings for either account" - that's not the point. In the state when he cannot access files, what do eff. permissions on that server tell you for that user? Should he be able to access (read/write) that file/folder?

About security descriptors: If you delete a user and create another with the same name (no matter if domain user or local user), the SID changes and he cannot access the files the former user could access.
0
 
LVL 2

Author Comment

by:DanielT
ID: 18746160
Hi McKnife,

I have increased points for the effort.
Thanks for note about security descriptors. I was aware of that.

Perhaps I'm just not explaining myself properly. I have checked specifically for the permissions of the "new" folders (properties of that share) on the server to which all the files were copied from the "old" user's folders. They are set correctly.

What was puzzling is that "newuser" had access to their "newuser" server files when "olduser" account was active but NOT when "olduser" account was disabled. The only thing common about these folders is that the files were copied from "olduser" to "newuser".  I have not retried disabling the "olduser" account since both the user and I am only in at certain times and they may not overlap.

Any ideas - other than impossible? <grin>



0
 
LVL 54

Accepted Solution

by:
McKnife earned 350 total points
ID: 18750344
Sorry, none. Or? Make sure the SIDs of old and new are different, maybe use a tool like user2sid for that.
0
 
LVL 2

Author Comment

by:DanielT
ID: 18753839
Thanks.
I will have to look closer and try the account lockout again when user is available.
Will leave this Question open in meantime in case I find out the cause - or there is other input.  
It's probably something simple.
0
 
LVL 2

Author Comment

by:DanielT
ID: 18847805
Not alot of news unfortunately.
Although I have not been able to try a 2nd lockout of the "unused" account I have been able to check further including the account(s) on the local machine. Everything looks like it should be in order. Have not looked at SID's either. Am still thinking an account was renamed, rather than copied or recreated but cannot verify this with anyone.
0
 
LVL 2

Author Comment

by:DanielT
ID: 18915447
Still have not used a utility to check SIDs but expect the issue is caused as per McKnife's suggestion on 03/19. Am awarding the points accordingly.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Organizations create, modify, and maintain huge amounts of data to help their businesses earn money and generally function.  Typically every network user within an organization has a bit of disk space to store in process items and personal files.   …
by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question