  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 814

Windows 2003 Server, deleted user account and SID.

We are running 3 DCs 2003 Server SP2. I created a new user in AD, added them to all the appropriate groups, etc. We tested login stuff, deleted the account, and later recreated it with the same exact name/spelling.

Now when that user logs in, they get no Login Script, gpresult shows them having no GPOs applied and says this user is not a member of any groups (but AD shows them a member of 6 groups). I tried blowing away the local profile on the workstation, the AD user account, and then also tried migrating the user using Quest software, but it's still the same problem. I've tried gpupdate /force numerous times as well.

I can create any other user name in the same OU and login with everything (scripts, GPOs) working, so the problem is only tied to this user name/SID. Is there a way to see the SIDs to delete whatever may be causing this problem? Are there any other solutions? I don't want to change this user's login name; it needs to stay the same if at all possible.

Note - when doing a gpresult, under User Settings, it says Group Policy was applied from: N/A, whereas Computer Settings show policy was applied from DC2.
Asked by: lbbcsg

1 Solution

LauraEHunterMVP commented:
If I'm understanding you correctly, you configured a user account with certain group memberships and other configuration items. You then deleted that user account and created a new one with the same name, and are asking why this account did not receive the old user's group memberships and other configurations?

If I am understanding you correctly, what you are seeing is happening by design.  Each Active Directory security principal (user, computer, group object) has a SID attached to it that is unique to that object.  If you delete an object, any new object that you create will have a different SID even if you give the new object the same "friendly name" as the one you deleted.  As far as AD is concerned, this new object is a completely different object from the one that was deleted, and will not retain any group memberships or other configuration information that was configured on the deleted account.

To restore a deleted security principal like a user object so that it retains all of its old group memberships and other configuration details, you need to perform an authoritative restore of that object, as described here:

http://support.microsoft.com/kb/241594

If you only need to restore a single object, Quest also provides a freeware tool to make the process a bit friendlier: http://www.quest.com/object_restore_for_active_directory/

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
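The following PowerShell script is an added example, not code from the thread or from any of its participants. It shows the point made above from the directory's side: it reads the SID currently stored for an account name, lists the groups the DC actually puts into that user's logon token (the constructed `tokenGroups` attribute, as opposed to the `memberOf` list an administrator sees in the console), and then scans the ACL of a folder for entries that still reference a SID no longer mapped to any principal. Such unresolvable SIDs are what a deleted account leaves behind on resources, and a recreated account with the same name never matches them. The account name `xxxzzz` and the path `C:\Shares\Example` are placeholders; the script assumes a domain-joined host with read access to the directory.

```powershell
# Added example (not from the thread): show why a recreated account is a
# different principal. It reads the SID the directory holds for a name, the
# groups AD resolves for the logon token (tokenGroups), and any ACEs on a
# path that still reference an unresolvable (orphaned) SID.
# Assumes a domain-joined host with read access to AD; 'xxxzzz' and the
# folder path are placeholders.
function Get-AdPrincipalSidReport {
    param(
        [string]$SamAccountName = 'xxxzzz',           # placeholder account name
        [string]$AclPath        = 'C:\Shares\Example' # placeholder path to inspect
    )
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = $rootDse.defaultNamingContext

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('objectSid','memberOf','whenCreated'))
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "No user '$SamAccountName' found under $domainDn" }

    # objectSid is stored as a byte array; SecurityIdentifier decodes it.
    $currentSid = New-Object System.Security.Principal.SecurityIdentifier(
        $result.Properties['objectsid'][0], 0)

    # memberOf is the list an administrator sees in the console...
    $memberOf = @($result.Properties['memberof'])

    # ...tokenGroups is what the logon token is actually built from (it
    # includes nested and primary-group membership). It is a constructed
    # attribute, so it must be requested explicitly from the object itself.
    $entry = $result.GetDirectoryEntry()
    $entry.RefreshCache([string[]]@('tokenGroups'))
    $tokenGroups = foreach ($b in $entry.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($b, 0)
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { "$($sid.Value) (unresolved)" }
    }

    # An ACE whose identity cannot be translated back to a name is an
    # orphaned SID, typically left behind by a deleted principal.
    $orphanAces = @()
    if (Test-Path -LiteralPath $AclPath) {
        $acl = Get-Acl -LiteralPath $AclPath
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference -is [System.Security.Principal.SecurityIdentifier]) {
                $orphanAces += $ace.IdentityReference.Value
            }
        }
    }

    New-Object PSObject -Property @{
        SamAccountName     = $SamAccountName
        CurrentSid         = $currentSid.Value
        WhenCreated        = $result.Properties['whencreated'][0]
        MemberOfCount      = $memberOf.Count
        TokenGroups        = $tokenGroups
        OrphanedSidsOnPath = $orphanAces
    }
}

Get-AdPrincipalSidReport -SamAccountName 'xxxzzz' | Format-List
```

Run it twice around a delete-and-recreate of a test account and `CurrentSid` changes while the old value reappears under `OrphanedSidsOnPath` on any folder the old account had been granted. If `MemberOfCount` is non-zero but `TokenGroups` is empty or full of "(unresolved)" entries, the DC answering the query is not resolving the memberships that the console shows, which is the symptom described in the question.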

lbbcsg (Author) commented:
I created and used an account (xxxzzz) for login testing. I then deleted the account, only to later recreate it. Once recreated, I put them in the exact same OU/groups as the other users. However, they don't get the policy or group memberships applied when they log in. GPresult shows no group memberships or GPOs applied, even though I can go to the DC and see (xxxzzz) is a member of 6 groups. I can create the same name changing 1 letter (xxxzzz1), put it in the same OU and everything works. It's just this one particular name that I deleted will not work no matter what we do with it.

LauraEHunterMVP commented:
Is this problem specific to a single workstation? I.e., if you log this user onto another workstation, do you see different behaviour?
lbbcsg (Author) commented:
No, it follows the user no matter which workstation they go to. If I create a similar ID with identical groups in the same OU, everything works when they log in. It's just this particular user ID, which I at one time deleted, that won't cooperate. The fact that Gpresult shows no group membership and policy applied is N/A makes me curious as to what exactly happened when it was deleted. I can't help but feel there's something sitting on the server that wasn't removed that's causing the problem when I re-use the user name.

LauraEHunterMVP commented:
Do you have more than one DC in your environment?  (Please let that answer be "yes.")  

I wonder if the deletion didn't replicate properly and you now have a conflict object in your directory.

Download the adfind utility (www.joeware.net) and search your domain using the following syntax:

adfind -default -f "(CN=*\0ACNF:*)" -dn

See if you have two objects with that user's name in the "CN=" part, where one has that weird "\0ACNF:" string after it.

Also wouldn't hurt to run a netdiag, dcdiag, and repadmin /replsum on your DCs to make sure that replication is working properly.
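As an added example (not code from the thread or from joeware), the PowerShell script below performs the same conflict-object search without adfind, using the DirectorySearcher class that is available on any domain-joined Windows host, and extends it in two ways: it also asks for tombstones, whose CN carries a "\0ADEL:" suffix and which still hold the deleted object's original SID, and it lists any live object with the same sAMAccountName so the old and new SIDs can be compared side by side. Reading tombstones sends the LDAP "show deleted objects" control and requires permission on the Deleted Objects container, which by default only Domain Admins have; `xxxzzz` is a placeholder account name.

```powershell
# Added example (not from the thread): search the domain for the two kinds of
# leftover that a failed or half-replicated deletion can leave behind:
# conflict objects, whose CN contains "\0ACNF:", and tombstones, whose CN
# contains "\0ADEL:" and which keep the old objectSid. Also lists the live
# object with the same name so the SIDs can be compared.
# Assumes a domain-joined host with rights to read the directory, including
# the Deleted Objects container; 'xxxzzz' is a placeholder account name.
function Find-AdDeletionLeftovers {
    param([string]$SamAccountName = 'xxxzzz')

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = $rootDse.defaultNamingContext
    $props    = [string[]]@('distinguishedName','objectSid','sAMAccountName','whenChanged')

    # Runs one LDAP search and returns a plain object per hit.
    function Search-Domain([string]$Filter, [bool]$IncludeTombstones, [string]$Kind) {
        $s = New-Object System.DirectoryServices.DirectorySearcher
        $s.SearchRoot = [ADSI]"LDAP://$domainDn"
        $s.Filter     = $Filter
        $s.Tombstone  = $IncludeTombstones   # adds the LDAP "show deleted objects" control
        $s.PageSize   = 500
        [void]$s.PropertiesToLoad.AddRange($props)
        foreach ($r in $s.FindAll()) {
            $sidValue = $null
            if ($r.Properties['objectsid'].Count -gt 0) {
                $sidValue = (New-Object System.Security.Principal.SecurityIdentifier(
                    $r.Properties['objectsid'][0], 0)).Value
            }
            $sam = $null
            if ($r.Properties['samaccountname'].Count -gt 0) {
                $sam = $r.Properties['samaccountname'][0]
            }
            New-Object PSObject -Property @{
                Kind              = $Kind
                DistinguishedName = $r.Properties['distinguishedname'][0]
                SamAccountName    = $sam
                ObjectSid         = $sidValue
                WhenChanged       = $r.Properties['whenchanged'][0]
            }
        }
    }

    # 1) Conflict objects anywhere in the domain (the adfind query from the thread).
    Search-Domain "(cn=*\0ACNF:*)" $false 'Conflict'

    # 2) Tombstones that still carry this account name: each one shows the SID
    #    the deleted copy had, which will differ from the recreated account's SID.
    Search-Domain "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))" $true 'Tombstone'

    # 3) The live object with that name, for comparison against the tombstone SIDs.
    Search-Domain "(&(objectCategory=person)(sAMAccountName=$SamAccountName))" $false 'Live'
}

Find-AdDeletionLeftovers -SamAccountName 'xxxzzz' |
    Format-Table Kind, SamAccountName, ObjectSid, WhenChanged, DistinguishedName -AutoSize
```

An empty "Conflict" result set with one "Tombstone" row and one "Live" row, each carrying a different SID, is the normal outcome of a delete-and-recreate and confirms the explanation given earlier in the thread; any "Conflict" row, or a tombstone whose `WhenChanged` differs noticeably between DCs when the script is pointed at each one in turn, is the replication problem the repadmin and dcdiag checks above are meant to surface.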

lbbcsg (Author) commented:
Problem resolved, it was due to certain users being inside a Netware policy involving ZenWorks.

Computer101 commented:
PAQed with points refunded (500)

Computer101
EE Admin