Solved

AD Effects - WinServer 2003 Std SP1

Posted on 2007-03-17
Last Modified: 2010-04-18
I am working with a new network for which there is no documentation.

The other day, I disabled several accounts for users that are no longer needed but was surprised to find that the new user replacing that position could no longer access any of the files in THEIR file share as they were locked out of the network for access to their files. Reenabling the "old" user restored network connectivity.

Looked only a little into this but security settings seemed all OK. Did easily find that some of the files were owned by the previous user but even the root share could not be accessed and permissions, ownership seemed fine at that level.

Two questions then...
1) How can disabling a user that is no longer needed affect another who seems to be set up properly for groups, rights, permissions?
2) How can I KNOW which accounts I can clean up, disable and/or reset passwords on without causing users access difficulties?

Thanks!



Question by:DanielT
9 Comments
 
LVL 54

Expert Comment

by:McKnife
ID: 18739913
Disabling a user does not affect others, impossible. Please clarify what you are doing. (I mean, there is nothing to clarify, but maybe you forgot something)
Please use the effective permissions tab on the server (properties of that share) and check if your server claims that the user should have access.
0
 
LVL 2

Author Comment

by:DanielT
ID: 18740283
Thanks.
I also thought it was impossible but it was the only change - and re-enabling the account immediately restored the users' connectivity to all folders. Permissions were the first thing I looked at since this is what I suspected but (I thought) it was OK. Was in a hurry though so I will check again.

The only thing I found related to the old user at the time was the file ownership so I included that detail.
0
 
LVL 2

Author Comment

by:DanielT
ID: 18743247
File security and permission settings are fine on the server for the user's directory as are the permissions for the user's account. The effective permissions tab shows no special settings for either account.

Another noteworthy point? The user works while logged in locally to their machine while using network resources. Not sure if local account settings would have anything to do with this if the account were renamed locally due to security descriptor being the same as the last user. Is this possible?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 18744061
"The effective permissions tab shows no special settings for either account" - that's not the point. In the state when he cannot access files, what do eff. permissions on that server tell you for that user? Should he be able to access (read/write) that file/folder?

About security descriptors: If you delete a user and create another with the same name (no matter if domain user or local user), the SID changes and he cannot access the files the former user could access.
0
 
LVL 2

Author Comment

by:DanielT
ID: 18746160
Hi McKnife,

I have increased points for the effort.
Thanks for note about security descriptors. I was aware of that.

Perhaps I'm just not explaining myself properly. I have checked specifically for the permissions of the "new" folders (properties of that share) on the server to which all the files were copied from the "old" user's folders. They are set correctly.

What was puzzling is that "newuser" had access to their "newuser" server files when "olduser" account was active but NOT when "olduser" account was disabled. The only thing common about these folders is that the files were copied from "olduser" to "newuser". I have not retried disabling the "olduser" account since both the user and I are only in at certain times and they may not overlap.

Any ideas - other than impossible? <grin>



0
 
LVL 54

Accepted Solution

by:
McKnife earned 350 total points
ID: 18750344
Sorry, none. Or? Make sure the SIDs of old and new are different, maybe use a tool like user2sid for that.
0
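
One way to carry out the SID comparison suggested in the accepted answer, and to list where the old account's SID is still owner or trustee on the share, as an added example that is not part of the original thread. It uses built-in .NET classes from PowerShell 2.0 or later instead of user2sid; the account names and the share path are placeholders.

```powershell
# Added example: the defaults below are placeholders, not values from the thread.
param(
    [string]$OldAccount = 'CONTOSO\olduser',
    [string]$NewAccount = 'CONTOSO\newuser',
    [string]$SharePath  = 'D:\Shares\newuser'
)

$sidType = [System.Security.Principal.SecurityIdentifier]

function Resolve-Sid([string]$Account) {
    # Translate() throws IdentityNotMappedException if the name does not resolve.
    (New-Object System.Security.Principal.NTAccount($Account)).Translate($sidType).Value
}

$oldSid = Resolve-Sid $OldAccount
$newSid = Resolve-Sid $NewAccount
"{0} -> {1}" -f $OldAccount, $oldSid
"{0} -> {1}" -f $NewAccount, $newSid
if ($oldSid -eq $newSid) {
    Write-Warning 'Both names resolve to the same SID: this is one account under two names.'
}

# Walk the share root and everything below it; report each place the old SID
# appears as owner or as the trustee of an access rule (explicit or inherited).
$items = @(Get-Item -Path $SharePath -Force) +
         @(Get-ChildItem -Path $SharePath -Recurse -Force)
foreach ($item in $items) {
    $acl = Get-Acl -Path $item.FullName
    if ($acl.GetOwner($sidType).Value -eq $oldSid) {
        New-Object PSObject -Property @{
            Path = $item.FullName; Role = 'Owner'; Rights = ''; Inherited = ''
        }
    }
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.IdentityReference.Value -eq $oldSid) {
            New-Object PSObject -Property @{
                Path = $item.FullName; Role = "$($ace.AccessControlType) ACE"
                Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
            }
        }
    }
}
```

Get-Acl reads only the NTFS security descriptor; permissions set on the share itself are stored separately and are not covered by this listing.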
 
LVL 2

Author Comment

by:DanielT
ID: 18753839
Thanks.
I will have to look closer and try the account lockout again when user is available.
Will leave this Question open in meantime in case I find out the cause - or there is other input.  
It's probably something simple.
0
 
LVL 2

Author Comment

by:DanielT
ID: 18847805
Not a lot of news unfortunately.
Although I have not been able to try a 2nd lockout of the "unused" account I have been able to check further including the account(s) on the local machine. Everything looks like it should be in order. Have not looked at SIDs either. Am still thinking an account was renamed, rather than copied or recreated but cannot verify this with anyone.
0
 
LVL 2

Author Comment

by:DanielT
ID: 18915447
Still have not used a utility to check SIDs but expect the issue is caused as per McKnife's suggestion on 03/19. Am awarding the points accordingly.
0


Question has a verified solution.
