Solved

Windows 2003 Server, deleted user account and SID.

Posted on 2007-03-30
Last Modified: 2008-05-31
We are running 3 DCs 2003 Server SP2. I created a new user in AD, added them to all the appropriate groups, etc. We tested login stuff, deleted the account, and later recreated it with the same exact name/spelling.

Now when that user logs in, they get no Login Script, gpresult shows them having no GPOs applied and says this user is not a member of any groups (but AD shows them a member of 6 groups). I tried blowing away the local profile on the workstation, the AD user account, and then also tried migrating the user using Quest software, but it's still the same problem. I've tried gpupdate /force numerous times as well.

I can create any other user name in the same OU and log in with everything (scripts, GPOs) working, so the problem is only tied to this user name/SID. Is there a way to see the SIDs to delete whatever may be causing this problem? Are there any other solutions? I don't want to change this user's login name; it needs to stay the same if at all possible.

Note - when doing a gpresult, under User Settings, it says Group Policy was applied from : N/A, where as Computer Settings show policy was applied from DC2.
Question by:lbbcsg
8 Comments
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18825109
If I'm understanding you correctly, you configured a user account with certain group memberships and other configuration items. You then deleted that user account and created a new one with the same name, and are asking why this account did not receive the old user's group memberships and other configurations?

If I am understanding you correctly, what you are seeing is happening by design.  Each Active Directory security principal (user, computer, group object) has a SID attached to it that is unique to that object.  If you delete an object, any new object that you create will have a different SID even if you give the new object the same "friendly name" as the one you deleted.  As far as AD is concerned, this new object is a completely different object from the one that was deleted, and will not retain any group memberships or other configuration information that was configured on the deleted account.

To restore a deleted security principal like a user object so that it retains all of its old group memberships and other configuration details, you need to perform an authoritative restore of that object, as described here:

http://support.microsoft.com/kb/241594

If you only need to restore a single object, Quest also provides a freeware tool to make the process a bit friendlier: http://www.quest.com/object_restore_for_active_directory/

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
 
LVL 2

Author Comment

by:lbbcsg
ID: 18825159
I created and used an account (xxxzzz) for login testing. I then deleted the account, only to later recreate it. Once recreated, I put them in the exact same OU/groups as the other users. However, they don't get the policy or group memberships applied when they log in. GPresults shows no group memberships or GPOs applied, even though I can go to the DC and see (xxxzzz) is a member of 6 groups. I can create the same name changing 1 letter (xxxzzz1), put it in the same OU and everything works. It's just this one particular name that I deleted will not work no matter what we do with it.
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18825199
Is this problem specific to a single workstation? I.e., if you log this user onto another workstation, do you see different behaviour?
 
LVL 2

Author Comment

by:lbbcsg
ID: 18825244
No, it follows the user no matter which workstation they go to. If I create a similar ID with identical groups in the same OU, everything works when they log in. It's just this particular user ID, which I at one time deleted, that won't cooperate. The fact that gpresult shows no group membership and policy applied is N/A makes me curious as to what exactly happened when it was deleted. I can't help but feel there's something sitting on the server that wasn't removed that's causing the problem when I re-use the user name.
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18825393
Do you have more than one DC in your environment?  (Please let that answer be "yes.")  

I wonder if the deletion didn't replicate properly and you now have a conflict object in your directory.

Download the adfind utility (www.joeware.net) and search your domain using the following syntax:

adfind -default -f "(CN=*\0ACNF:*)" -dn

See if you have two objects with that user's name in the "CN=" part, where one has that weird "\0ACNF:" string after it.

Also wouldn't hurt to run a netdiag, dcdiag, and repadmin /replsum on your DCs to make sure that replication is working properly.
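As an added illustration (not the poster's code and not part of the joeware tool): a small Python parser for the kind of DN list the adfind search above returns, which pairs each "\0ACNF:"-renamed conflict object with the live object of the same CN so the stale one can be reviewed before any cleanup. The adfind output layout and all DNs below are constructed samples.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of "adfind ... -dn" output (format assumed,
# not captured from the poster's domain). The second DN is a conflict object.
SAMPLE_ADFIND_OUTPUT = """\
AdFind V01.37.00cpp Joe Richards (joe@joeware.net) 2007

Using server: dc2.example.local:389
Directory: Windows Server 2003

dn:CN=xxxzzz,OU=Staff,DC=example,DC=local
dn:CN=xxxzzz\\0ACNF:3f2504e0-4f89-11d3-9a0c-0305e82c3301,OU=Staff,DC=example,DC=local
dn:CN=xxxzzz1,OU=Staff,DC=example,DC=local

3 Objects returned
"""

# First RDN of a DN: everything up to the first comma that is not backslash-escaped.
RDN_RE = re.compile(r"^(?P<rdn>(?:\\.|[^,])+),(?P<parent>.+)$")
# A DC renames a replication-conflict object to "<original CN>\nCNF:<objectGUID>";
# in LDAP DN string form the line feed is shown as the escape sequence "\0A".
CNF_RE = re.compile(r"^CN=(?P<name>.+?)\\0ACNF:(?P<guid>[0-9a-fA-F-]{36})$")

def parse_dns(adfind_output: str) -> List[str]:
    """Return the DNs from adfind -dn style output (lines prefixed with 'dn:')."""
    return [line[3:].strip() for line in adfind_output.splitlines()
            if line.startswith("dn:")]

def split_rdn(dn: str) -> Tuple[str, str]:
    """Split a DN into its first RDN and the parent container DN."""
    m = RDN_RE.match(dn)
    if not m:
        raise ValueError(f"not a multi-component DN: {dn!r}")
    return m.group("rdn"), m.group("parent")

def conflict_guid(rdn: str) -> Optional[Tuple[str, str]]:
    """(original CN, objectGUID) if the RDN carries a CNF mangling, else None."""
    m = CNF_RE.match(rdn)
    return (m.group("name"), m.group("guid")) if m else None

def find_conflicts(adfind_output: str) -> Dict[str, Dict[str, object]]:
    """Map each CN that has conflict objects to its live DN (if any) and CNF GUIDs."""
    live: Dict[str, str] = {}
    cnf: Dict[str, List[str]] = {}
    for dn in parse_dns(adfind_output):
        rdn, _parent = split_rdn(dn)
        hit = conflict_guid(rdn)
        if hit:
            cnf.setdefault(hit[0].lower(), []).append(hit[1])
        elif rdn.upper().startswith("CN="):
            live[rdn[3:].lower()] = dn
    return {name: {"live_dn": live.get(name), "conflict_guids": guids}
            for name, guids in cnf.items()}
```

A CN that appears in the result with a live DN and one or more GUIDs is exactly the "two objects with that user's name" case described above; a CN with `live_dn` of `None` means only the conflict copy survived.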
 
LVL 2

Author Comment

by:lbbcsg
ID: 18826167
Problem resolved, it was due to certain users being inside a Netware policy involving ZenWorks.
 
LVL 1

Accepted Solution

by:Computer101 earned 0 total points
ID: 19338824
PAQed with points refunded (500)

Computer101
EE Admin