Solved

Windows 2003 Server, deleted user account and SID.

Posted on 2007-03-30
8
808 Views
Last Modified: 2008-05-31
We are running 3 DCs 2003 Server SP2. I created a new user in AD, added them to all the appropriate groups, etc.. We tested login stuff, deleted the account, and later recreated it with the same exact name/spelling.

Now when that user logs in, they get no Login Script, gpresult shows them having no GPOs applied and says this user is not a member of any groups (but AD shows them a member of 6 groups). I tried blowing away the local profile on the workstation, the AD user account, and then also tried migrating the user using Quest software, but it's still the same problem. I've tried gpupdate /force numerous times as well.

I can create any other user name in the same OU and login with everything (scripts, gpos) working, so the problem is only tied to this user name/SID. Is there a way to see the SIDs to delete whatever may be causing this problem? Are there any other solutions? I don't want to change this users login name, it needs to stay the same if at all possible.

Note - when doing a gpresult, under User Settings, it says Group Policy was applied from : N/A, where as Computer Settings show policy was applied from DC2.
0
Comment
Question by:lbbcsg
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
8 Comments
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18825109
If I'm understanding you correctly, you configured a user account with certain group memberships and other configuration items. You then deleted that user account and created a new one with the same name, and are asking why this account did not receive the old user's group memberships and other configurations?

If I am understanding you correctly, what you are seeing is happening by design.  Each Active Directory security principal (user, computer, group object) has a SID attached to it that is unique to that object.  If you delete an object, any new object that you create will have a different SID even if you give the new object the same "friendly name" as the one you deleted.  As far as AD is concerned, this new object is a completely different object from the one that was deleted, and will not retain any group memberships or other configuration information that was configured on the deleted account.

To restore a deleted security principal like a user object so that it retains all of its old group memberships and other configuration details, you need to perform an authoritative restore of that object, as described here:

http://support.microsoft.com/kb/241594

If you only need to restore a single object, Quest also provides a freeware tool to make the process a bit friendlier: http://www.quest.com/object_restore_for_active_directory/

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0
 
LVL 2

Author Comment

by:lbbcsg
ID: 18825159
I created and used an account (xxxzzz) for login testing. I then deleted the account, only to later recreate it. Once recreated, I put them in the exact same OU/groups as the other users. However, they don't get the policy or group memberships applied when they log in. GPresults shows no group memberships or GPOs applied, even though I can go to the DC and see (xxxzzz) is a member of 6 groups. I can create the same name changing 1 letter (xxxzzz1), put it in the same OU and everything works. It's just this one particular name that I deleted will not work no matter what we do with it.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18825199
Is this problem specific to a single workstation?  IE, if you log this user onto another workstation do you see different behaviour?
0
Guide to Performance: Optimization & Monitoring

Nowadays, monitoring is a mixture of tools, systems, and codes—making it a very complex process. And with this complexity, comes variables for failure. Get DZone’s new Guide to Performance to learn how to proactively find these variables and solve them before a disruption occurs.

 
LVL 2

Author Comment

by:lbbcsg
ID: 18825244
No it follows the user no matter which workstation they go to. If I create an similar ID with identical groups in the same OU everythings works when the login. It's just this particular user ID which I at one time deleted won't cooperate. The fact that Gpresult shows no group membership and policy applied is N/A makes me curious as to what exactly happened when it was deleted. I can't help but feel there's something sitting on the server that wasn't removed that's causing the problem when I re-use the user name.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18825393
Do you have more than one DC in your environment?  (Please let that answer be "yes.")  

I wonder if the deletion didn't replicate properly and you now have a conflict object in your directory.

Download the adfind utility (www.joeware.net) and search your domain using the following syntax:

adfind -default -f "(CN=*\0ACNF:*)" -dn

See if you have two objects with that user's name in the "CN=" part, where one has that weird "\0ACNF:" string after it.

Also wouldn't hurt to run a netdiag, dcdiag, and repadmin /replsum on your DCs to make sure that replication is working properly.
0
 
LVL 2

Author Comment

by:lbbcsg
ID: 18826167
Problem resolved, it was due to certain users being inside a Netware policy involving ZenWorks.
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 19338824
PAQed with points refunded (500)

Computer101
EE Admin
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question