Solved

AD Effects - WinServer 2003 Std SP1

Posted on 2007-03-17
Last Modified: 2010-04-18
I am working with a new network for which there is no documentation.

The other day, I disabled several accounts for users that are no longer needed but was surprised to find that the new user replacing that position could no longer access any of the files in THEIR file share as they were locked out of the network for access to their files. Re-enabling the "old" user restored network connectivity.

Looked only a little into this but security settings seemed all OK.  Did easily find that some of the files were owned by the previous user but even the root share could not be accessed and permissions, ownership seemed fine at that level.

Two questions then...
1) How can disabling a user that is no longer needed affect another who seems to be set up properly for groups, rights, permissions?
2) How can I KNOW which accounts I can clean up, disable and/or reset passwords on without causing users access difficulties?

Thanks!



Question by:DanielT
9 Comments
 
LVL 56

Expert Comment

by:McKnife
ID: 18739913
Disabling a user does not affect others, impossible. Please clarify what you are doing. (I mean, there is nothing to clarify, but maybe you forgot something)
Please use the effective permissions tab on the server (properties of that share) and check if your server claims that the user should have access.
0
 
LVL 2

Author Comment

by:DanielT
ID: 18740283
Thanks.
I also thought it was impossible but it was the only change - and re-enabling the account immediately restored the users' connectivity to all folders. Permissions were the first thing I looked at since this is what I suspected but (I thought) it was OK. Was in a hurry though so I will check again.

The only thing I found related to the old user at the time was the file ownership so I included that detail.
0
 
LVL 2

Author Comment

by:DanielT
ID: 18743247
File security and permission settings are fine on the server for the user's directory as are the permissions for the user's account. The effective permissions tab shows no special settings for either account.

Another noteworthy point? The user works while logged in locally to their machine while using network resources. Not sure if local account settings would have anything to do with this if the account were renamed locally due to security descriptor being the same as the last user. Is this possible?
0
 
LVL 56

Expert Comment

by:McKnife
ID: 18744061
"The effective permissions tab shows no special settings for either account" - that's not the point. In the state when he cannot access files, what do eff. permissions on that server tell you for that user? Should he be able to access (read/write) that file/folder?

About security descriptors: If you delete a user and create another with the same name (no matter if domain user or local user), the SID changes and he cannot access the files the former user could access.
0
 
LVL 2

Author Comment

by:DanielT
ID: 18746160
Hi McKnife,

I have increased points for the effort.
Thanks for note about security descriptors. I was aware of that.

Perhaps I'm just not explaining myself properly. I have checked specifically for the permissions of the "new" folders (properties of that share) on the server to which all the files were copied from the "old" user's folders. They are set correctly.

What was puzzling is that "newuser" had access to their "newuser" server files when "olduser" account was active but NOT when "olduser" account was disabled. The only thing common about these folders is that the files were copied from "olduser" to "newuser". I have not retried disabling the "olduser" account since both the user and I are only in at certain times and they may not overlap.

Any ideas - other than impossible? <grin>



0
 
LVL 56

Accepted Solution

by:
McKnife earned 1050 total points
ID: 18750344
Sorry, none. Or? Make sure the SIDs of old and new are different, maybe use a tool like user2sid for that.
0
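The SID comparison suggested in the accepted answer, extended to show which SIDs the folder's owner and ACEs actually reference, as an added PowerShell example that is not part of the original thread. The account names and UNC path are placeholders, and the script assumes Windows PowerShell 3.0 or later run from a domain-joined machine with read access to the share.

```powershell
# Placeholders (assumptions): replace with the real accounts and share path.
$OldUser = 'CONTOSO\olduser'
$NewUser = 'CONTOSO\newuser'
$Share   = '\\fileserver\users\newuser'

$SidType = [System.Security.Principal.SecurityIdentifier]

function Resolve-Sid([string]$Account) {
    # Translate DOMAIN\name (or MACHINE\name) to its SID string.
    (New-Object System.Security.Principal.NTAccount($Account)).Translate($SidType).Value
}

function Get-SidAcl([string]$Path) {
    # Emit the owner and every ACE (explicit and inherited) keyed by SID, not by display name.
    $acl = Get-Acl -LiteralPath $Path
    [pscustomobject]@{ Sid = $acl.GetOwner($SidType).Value; Type = 'Owner'; Rights = ''; Inherited = $false }
    foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
        [pscustomobject]@{
            Sid       = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$oldSid = Resolve-Sid $OldUser
$newSid = Resolve-Sid $NewUser
'{0} -> {1}' -f $OldUser, $oldSid
'{0} -> {1}' -f $NewUser, $newSid
if ($oldSid -eq $newSid) { 'Both names resolve to the same SID.' }

# Label each entry so it is obvious whether access hangs off the old or the new account.
Get-SidAcl $Share | ForEach-Object {
    $entry = $_
    if     ($entry.Sid -eq $oldSid) { $who = 'OLD' }
    elseif ($entry.Sid -eq $newSid) { $who = 'NEW' }
    else                            { $who = 'other' }
    $entry | Add-Member -NotePropertyName Account -NotePropertyValue $who -PassThru
} | Format-Table Account, Sid, Type, Rights, Inherited -AutoSize
```

Running the same report across the shares before disabling an account shows whether any owner or ACE entry still references that account's SID.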
 
LVL 2

Author Comment

by:DanielT
ID: 18753839
Thanks.
I will have to look closer and try the account lockout again when user is available.
Will leave this Question open in the meantime in case I find out the cause - or there is other input.
It's probably something simple.
0
 
LVL 2

Author Comment

by:DanielT
ID: 18847805
Not a lot of news unfortunately.
Although I have not been able to try a 2nd lockout of the "unused" account I have been able to check further including the account(s) on the local machine. Everything looks like it should be in order. Have not looked at SIDs either. Am still thinking an account was renamed, rather than copied or recreated but cannot verify this with anyone.
0
 
LVL 2

Author Comment

by:DanielT
ID: 18915447
Still have not used a utility to check SIDs but expect the issue is caused as per McKnife's suggestion on 03/19. Am awarding the points accordingly.
0
