[Webinar] Streamline your web hosting managementRegister Today


Active Directory Issues After DC Loss - SID folder rights wont work

Posted on 2010-04-08
Medium Priority
Last Modified: 2012-05-09
We recently had a system failure. While working with a tool it deleted all users in the users OU. In an attempt to resolve this we attempted to restore from a backup. However, as Unitrends is (in my opinon) a poor product we attempted to restore, just to find out that their directions wrecked the server and cannot be restored now. Good thing we have multiple DCs, but still the effects are frustrating.

Since then I have had to re-create all users that were affected. Now when i am assigning rights, etc I see SID 1-563543-543523-54534 in the access rights box, and it hourglasses for some time. Somtimes they become filled, but most of the time they just appear, with no display name. I know there are the old SIDs associated with the old user acconts. But now I try and add users to folders and other resouces and it cannot locate them.

I have tried unjoining from the domain and rejoining the servers after deleting the profile from AD. We have several Domain Controllers

Can someone recommend a way to resolve this?

Thanks for all your help Experts!
Question by:Majo2469
  • 2
LVL 23

Accepted Solution

Erik Bjers earned 2000 total points
ID: 30337896
I remember seeing this question already with a response, is this a duplicate?

If it is you should delete this one and go off the other.

If not:
when a user is deleted and recreated even if all account details are the same the SID will be different so what you are seeing is the SIDs for the old accounts.  It is hour glassing for a while because it is trying to locate the usernames associated with the SIDs and when it is unable to find them it will just show the SID.  You should delete any SID that shows in an ACL on a file  (this will speed up the load process when looking at file permissions).

Since it is unable to locate the new user accounts you need to check you AD replication and make sure these accounts exist on all DCs in the network.  Use replmon to check replication.  If you find a user does not exist on one or more of the DCs but exists on others then you have a replication issue that needs to be addressed (eventlog will give clues to the source of the problem).

As a side note:
The best practice for assigning permissions is to use groups this way if you have 100 files that user A has access to you can put user A in group 1 and assign group 1 permissions on the 100 files.  Then if user A gets deleted and recreated you just have to readd user A to group 1 and everything else is done by windows.  Groups just make managing permissions much easier.


Author Comment

ID: 30511123
Thank you for the response. I have been setting them up as group related security instead of user based for security permissions. I am now faced with removing the DC profile from AD. Any recommendations on how to do that? (or is that a new thread)

Thank You!

Author Comment

ID: 30517032
Answered my own question - After some reseach a found an easy walk-through for performing this action.



Featured Post

Free tool for managing users' photos in Office 365

Easily upload multiple users’ photos to Office 365. Manage them with an intuitive GUI and use handy built-in cropping and resizing options. Link photos with users based on Azure AD attributes. Free tool!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
The article explains the process to deploy a Self-Service password reset portal I developed a few years ago. Hopefully, it will prove useful to someone.  Any comments, bug reports etc. are welcome...
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

590 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question