Windows 2003 Server, deleted user account and SID.

We are running 3 DCs 2003 Server SP2. I created a new user in AD, added them to all the appropriate groups, etc. We tested login stuff, deleted the account, and later recreated it with the same exact name/spelling.

Now when that user logs in, they get no Login Script, gpresult shows them having no GPOs applied and says this user is not a member of any groups (but AD shows them a member of 6 groups). I tried blowing away the local profile on the workstation, the AD user account, and then also tried migrating the user using Quest software, but it's still the same problem. I've tried gpupdate /force numerous times as well.

I can create any other user name in the same OU and login with everything (scripts, gpos) working, so the problem is only tied to this user name/SID. Is there a way to see the SIDs to delete whatever may be causing this problem? Are there any other solutions? I don't want to change this user's login name, it needs to stay the same if at all possible.

Note - when doing a gpresult, under User Settings, it says Group Policy was applied from : N/A, whereas Computer Settings show policy was applied from DC2.

If I'm understanding you correctly, you configured a user account with certain group memberships and other configuration items. You then deleted that user account and created a new one with the same name, and are asking why this account did not receive the old user's group memberships and other configurations?

If I am understanding you correctly, what you are seeing is happening by design.  Each Active Directory security principal (user, computer, group object) has a SID attached to it that is unique to that object.  If you delete an object, any new object that you create will have a different SID even if you give the new object the same "friendly name" as the one you deleted.  As far as AD is concerned, this new object is a completely different object from the one that was deleted, and will not retain any group memberships or other configuration information that was configured on the deleted account.

To restore a deleted security principal like a user object so that it retains all of its old group memberships and other configuration details, you need to perform an authoritative restore of that object, as described here:

If you only need to restore a single object, Quest also provides a freeware tool to make the process a bit friendlier:

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
lbbcsg (Author) Commented:
I created and used an account (xxxzzz) for login testing. I then deleted the account, only to later recreate it. Once recreated, I put them in the exact same OU/groups as the other users. However, they don't get the policy or group memberships applied when they log in. GPresults shows no group memberships or GPOs applied, even though I can go to the DC and see (xxxzzz) is a member of 6 groups. I can create the same name changing 1 letter (xxxzzz1), put it in the same OU and everything works. It's just this one particular name that I deleted will not work no matter what we do with it.

Is this problem specific to a single workstation?  I.e., if you log this user onto another workstation do you see different behaviour?

lbbcsg (Author) Commented:
No it follows the user no matter which workstation they go to. If I create a similar ID with identical groups in the same OU everything works when they log in. It's just this particular user ID which I at one time deleted won't cooperate. The fact that Gpresult shows no group membership and policy applied is N/A makes me curious as to what exactly happened when it was deleted. I can't help but feel there's something sitting on the server that wasn't removed that's causing the problem when I re-use the user name.

Do you have more than one DC in your environment?  (Please let that answer be "yes.")

I wonder if the deletion didn't replicate properly and you now have a conflict object in your directory.

Download the adfind utility ( and search your domain using the following syntax:

adfind -default -f "(CN=*\0ACNF:*)" -dn

See if you have two objects with that user's name in the "CN=" part, where one has that weird "\0ACNF:" string after it.

Also wouldn't hurt to run a netdiag, dcdiag, and repadmin /replsum on your DCs to make sure that replication is working properly.
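
Added example, not part of the original thread and not adfind's own code: this Python script reads a listing of object DNs and reports every name that has both a live object and a "\0ACNF:" conflict twin in the same container, which is the condition the post above asks you to look for. It assumes one DN per line (optionally prefixed with "dn:") from a listing of all user objects rather than only the conflict filter; the function names and sample DNs are constructed for illustration.

```python
import re
from collections import defaultdict

# Conflict RDN = original name + escaped newline (\0A) + "CNF:" + object GUID.
CNF_RE = re.compile(r"^(?P<name>.*)\\0ACNF:(?P<guid>[0-9a-fA-F-]{36})$")

def split_dn(dn):
    """Split a DN on unescaped commas; a backslash escapes the next character."""
    return re.findall(r"(?:\\.|[^,\\])+", dn)

def find_conflicts(lines):
    """Map (cn, parent container) -> live and conflict DNs, for names with a CNF twin."""
    seen = defaultdict(lambda: {"live": [], "conflict": []})
    for line in lines:
        line = line.strip()
        if line.lower().startswith("dn:"):
            line = line[3:].strip()
        if not line.upper().startswith("CN="):
            continue  # banner, blank and "N Objects returned" lines
        rdn, *parent = split_dn(line)
        m = CNF_RE.match(rdn[3:])
        name = m.group("name") if m else rdn[3:]
        # Group case-insensitively, since AD compares names without regard to case.
        key = (name.lower(), ",".join(parent).lower())
        seen[key]["conflict" if m else "live"].append(line)
    # Only names that actually have a conflict object are interesting.
    return {k: v for k, v in seen.items() if v["conflict"]}

# Constructed sample listing (not real output from the poster's domain).
SAMPLE = [
    r"dn:CN=xxxzzz,OU=Staff,DC=example,DC=com",
    r"dn:CN=xxxzzz\0ACNF:6f1c2a4e-9b7d-4c3a-8e21-5d0f7a9b3c11,OU=Staff,DC=example,DC=com",
    r"dn:CN=xxxzzz1,OU=Staff,DC=example,DC=com",
    r"dn:CN=Smith\, Jo,OU=Staff,DC=example,DC=com",
    "",
    "4 Objects returned",
]

if __name__ == "__main__":
    for (cn, parent), hits in find_conflicts(SAMPLE).items():
        print(f"{cn} in {parent}: live={hits['live']} conflict={hits['conflict']}")
```
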

lbbcsg (Author) Commented:
Problem resolved, it was due to certain users being inside a Netware policy involving ZenWorks.
PAQed with points refunded (500)

EE Admin
