Solved

AD Effects - WinServer 2003 Std SP1

Posted on 2007-03-17
Last Modified: 2010-04-18
I am working with a new network for which there is no documentation.

The other day, I disabled several accounts for users that are no longer needed but was surprised to find that the new user replacing that position could no longer access any of the files in THEIR file share as they were locked out of the network for access to their files. Re-enabling the "old" user restored network connectivity.

Looked only a little into this but security settings seemed all OK.  Did easily find that some of the files were owned by the previous user but even the root share could not be accessed and permissions, ownership seemed fine at that level.

Two questions then...
1) How can disabling a user that is no longer needed affect another who seems to be set up properly for groups, rights, permissions?
2) How can I KNOW which accounts I can clean up, disable and/or reset passwords on without causing users access difficulties?

Thanks!



Question by:DanielT
 
LVL 54

Expert Comment

by:McKnife
ID: 18739913
Disabling a user does not affect others, impossible. Please clarify what you are doing. (I mean, there is nothing to clarify, but maybe you forgot something)
Please use the effective permissions tab on the server (properties of that share) and check if your server claims that the user should have access.
0
 
LVL 2

Author Comment

by:DanielT
ID: 18740283
Thanks.
I also thought it was impossible but it was the only change - and re-enabling the account immediately restored the users' connectivity to all folders. Permissions were the first thing I looked at since this is what I suspected but (I thought) it was OK. Was in a hurry though so I will check again.

The only thing I found related to the old user at the time was the file ownership so I included that detail.
0
 
LVL 2

Author Comment

by:DanielT
ID: 18743247
File security and permission settings are fine on the server for the user's directory as are the permissions for the user's account. The effective permissions tab shows no special settings for either account.

Another noteworthy point? The user works while logged in locally to their machine while using network resources. Not sure if local account settings would have anything to do with this if the account were renamed locally due to security descriptor being the same as the last user. Is this possible?
0

 
LVL 54

Expert Comment

by:McKnife
ID: 18744061
"The effective permissions tab shows no special settings for either account" - that's not the point. In the state when he cannot access files, what do eff. permissions on that server tell you for that user? Should he be able to access (read/write) that file/folder?

About security descriptors: If you delete a user and create another with the same name (no matter if domain user or local user), the SID changes and he cannot access the files the former user could access.
0
 
LVL 2

Author Comment

by:DanielT
ID: 18746160
Hi McKnife,

I have increased points for the effort.
Thanks for note about security descriptors. I was aware of that.

Perhaps I'm just not explaining myself properly. I have checked specifically for the permissions of the "new" folders (properties of that share) on the server to which all the files were copied from the "old" user's folders. They are set correctly.

What was puzzling is that "newuser" had access to their "newuser" server files when "olduser" account was active but NOT when "olduser" account was disabled. The only thing common about these folders is that the files were copied from "olduser" to "newuser". I have not retried disabling the "olduser" account since both the user and I are only in at certain times and they may not overlap.

Any ideas - other than impossible? <grin>



0
 
LVL 54

Accepted Solution

by:
McKnife earned 350 total points
ID: 18750344
Sorry, none. Or? Make sure the SIDs of old and new are different, maybe use a tool like user2sid for that.
0
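The SID comparison suggested in the accepted answer, together with a scan of the share for ownership and explicit ACEs that still name the old account, as an added example that is not part of the original thread. It assumes PowerShell 3.0 or later; the domain `EXAMPLE`, the account names and the UNC path are placeholders.

```powershell
# Added example: all names and paths below are placeholders, not values from the thread.

function Get-AccountSid {
    param([Parameter(Mandatory)][string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    # Translate() throws IdentityNotMappedException if the name cannot be resolved.
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Find-SidReference {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Sid
    )
    # Check the root folder itself, then everything below it (hidden items included).
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName

        # Ownership is stored as a SID, independent of the account's current name.
        $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
        if ($ownerSid -eq $Sid) {
            [pscustomobject]@{ Path = $item.FullName; Reference = 'Owner'; Rights = $null }
        }

        # Explicit ACEs only; inherited ones are reported once, on the parent that defines them.
        $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.IdentityReference.Value -eq $Sid) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Reference = "$($rule.AccessControlType) ACE"
                    Rights    = $rule.FileSystemRights
                }
            }
        }
    }
}

$oldSid = Get-AccountSid 'EXAMPLE\olduser'
$newSid = Get-AccountSid 'EXAMPLE\newuser'
"olduser: $oldSid"
"newuser: $newSid"
if ($oldSid -eq $newSid) { Write-Warning 'Both names resolve to the same SID.' }

# List every place under the new user's folder that still references the old account.
Find-SidReference -Path '\\fileserver\users\newuser' -Sid $oldSid | Format-Table -AutoSize
```

Access granted through group membership does not appear in this output; only ownership and ACEs that name the account's own SID do.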
 
LVL 2

Author Comment

by:DanielT
ID: 18753839
Thanks.
I will have to look closer and try the account lockout again when user is available.
Will leave this Question open in the meantime in case I find out the cause - or there is other input.
It's probably something simple.
0
 
LVL 2

Author Comment

by:DanielT
ID: 18847805
Not a lot of news unfortunately.
Although I have not been able to try a 2nd lockout of the "unused" account I have been able to check further including the account(s) on the local machine. Everything looks like it should be in order. Have not looked at SIDs either. Am still thinking an account was renamed, rather than copied or recreated but cannot verify this with anyone.
0
 
LVL 2

Author Comment

by:DanielT
ID: 18915447
Still have not used a utility to check SIDs but expect the issue is caused as per McKnife's suggestion on 03/19. Am awarding the points accordingly.
0
