Solved

Windows 2003 Server, deleted user account and SID.

Posted on 2007-03-30
8
807 Views
Last Modified: 2008-05-31
We are running 3 DCs 2003 Server SP2. I created a new user in AD, added them to all the appropriate groups, etc.. We tested login stuff, deleted the account, and later recreated it with the same exact name/spelling.

Now when that user logs in, they get no Login Script, gpresult shows them having no GPOs applied and says this user is not a member of any groups (but AD shows them a member of 6 groups). I tried blowing away the local profile on the workstation, the AD user account, and then also tried migrating the user using Quest software, but it's still the same problem. I've tried gpupdate /force numerous times as well.

I can create any other user name in the same OU and login with everything (scripts, gpos) working, so the problem is only tied to this user name/SID. Is there a way to see the SIDs to delete whatever may be causing this problem? Are there any other solutions? I don't want to change this users login name, it needs to stay the same if at all possible.

Note - when doing a gpresult, under User Settings, it says Group Policy was applied from : N/A, where as Computer Settings show policy was applied from DC2.
0
Comment
Question by:lbbcsg
  • 3
  • 3
8 Comments
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18825109
If I'm understanding you correctly, you configured a user account with certain group memberships and other configuration items. You then deleted that user account and created a new one with the same name, and are asking why this account did not receive the old user's group memberships and other configurations?

If I am understanding you correctly, what you are seeing is happening by design.  Each Active Directory security principal (user, computer, group object) has a SID attached to it that is unique to that object.  If you delete an object, any new object that you create will have a different SID even if you give the new object the same "friendly name" as the one you deleted.  As far as AD is concerned, this new object is a completely different object from the one that was deleted, and will not retain any group memberships or other configuration information that was configured on the deleted account.

To restore a deleted security principal like a user object so that it retains all of its old group memberships and other configuration details, you need to perform an authoritative restore of that object, as described here:

http://support.microsoft.com/kb/241594

If you only need to restore a single object, Quest also provides a freeware tool to make the process a bit friendlier: http://www.quest.com/object_restore_for_active_directory/

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0
 
LVL 2

Author Comment

by:lbbcsg
ID: 18825159
I created and used an account (xxxzzz) for login testing. I then deleted the account, only to later recreate it. Once recreated, I put them in the exact same OU/groups as the other users. However, they don't get the policy or group memberships applied when they log in. GPresults shows no group memberships or GPOs applied, even though I can go to the DC and see (xxxzzz) is a member of 6 groups. I can create the same name changing 1 letter (xxxzzz1), put it in the same OU and everything works. It's just this one particular name that I deleted will not work no matter what we do with it.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18825199
Is this problem specific to a single workstation?  IE, if you log this user onto another workstation do you see different behaviour?
0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 
LVL 2

Author Comment

by:lbbcsg
ID: 18825244
No it follows the user no matter which workstation they go to. If I create an similar ID with identical groups in the same OU everythings works when the login. It's just this particular user ID which I at one time deleted won't cooperate. The fact that Gpresult shows no group membership and policy applied is N/A makes me curious as to what exactly happened when it was deleted. I can't help but feel there's something sitting on the server that wasn't removed that's causing the problem when I re-use the user name.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18825393
Do you have more than one DC in your environment?  (Please let that answer be "yes.")  

I wonder if the deletion didn't replicate properly and you now have a conflict object in your directory.

Download the adfind utility (www.joeware.net) and search your domain using the following syntax:

adfind -default -f "(CN=*\0ACNF:*)" -dn

See if you have two objects with that user's name in the "CN=" part, where one has that weird "\0ACNF:" string after it.

Also wouldn't hurt to run a netdiag, dcdiag, and repadmin /replsum on your DCs to make sure that replication is working properly.
0
 
LVL 2

Author Comment

by:lbbcsg
ID: 18826167
Problem resolved, it was due to certain users being inside a Netware policy involving ZenWorks.
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 19338824
PAQed with points refunded (500)

Computer101
EE Admin
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

790 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question