Active Directory Issues After DC Loss - SID folder rights won't work

We recently had a system failure. While working with a tool it deleted all users in the users OU. In an attempt to resolve this we attempted to restore from a backup. However, as Unitrends is (in my opinion) a poor product we attempted to restore, just to find out that their directions wrecked the server and it cannot be restored now. Good thing we have multiple DCs, but still the effects are frustrating.

Since then I have had to re-create all users that were affected. Now when I am assigning rights, etc. I see SID 1-563543-543523-54534 in the access rights box, and it hourglasses for some time. Sometimes they become filled, but most of the time they just appear, with no display name. I know there are the old SIDs associated with the old user accounts. But now I try and add users to folders and other resources and it cannot locate them.

I have tried unjoining the servers from the domain and rejoining them after deleting the profile from AD. We have several Domain Controllers.

Can someone recommend a way to resolve this?

Thanks for all your help Experts!
Majo2469 asked:

Erik Bjers, Principal Systems Administrator, commented:
I remember seeing this question already with a response, is this a duplicate?

If it is you should delete this one and go off the other.

If not:
When a user is deleted and recreated, even if all account details are the same, the SID will be different, so what you are seeing is the SIDs for the old accounts. It is hourglassing for a while because it is trying to locate the usernames associated with the SIDs, and when it is unable to find them it will just show the SID. You should delete any SID that shows in an ACL on a file (this will speed up the load process when looking at file permissions).

Since it is unable to locate the new user accounts you need to check your AD replication and make sure these accounts exist on all DCs in the network. Use replmon to check replication. If you find a user does not exist on one or more of the DCs but exists on others then you have a replication issue that needs to be addressed (the event log will give clues to the source of the problem).

As a side note:
The best practice for assigning permissions is to use groups. This way, if you have 100 files that user A has access to, you can put user A in group 1 and assign group 1 permissions on the 100 files. Then if user A gets deleted and recreated you just have to re-add user A to group 1 and everything else is done by Windows. Groups just make managing permissions much easier.

eb
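The answer above recommends removing the unresolvable SIDs from file ACLs once replication is confirmed healthy. The following PowerShell script is an added example, not code from the thread or from any product named in it; it walks a folder tree, reports every explicit access control entry whose SID no longer maps to an account, and removes them only when run with `-Remove`. The parameter names (`-Path`, `-Remove`) and the `Get-OrphanedAce` helper are my own. Inherited entries are skipped on purpose, because they can only be removed at the object where they were defined.

```powershell
# Added example: report (and optionally remove) ACEs on a folder tree whose SID
# no longer resolves to an account. Assumes it is run on a domain-joined machine
# as an account that can read, and for -Remove also write, the ACLs under $Path.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [switch]$Remove
)

function Get-OrphanedAce {
    param([string]$Target)
    $acl = Get-Acl -LiteralPath $Target
    # Ask for the rules keyed by SID and translate them ourselves, so the
    # decision "orphaned or not" is ours rather than Get-Acl's display logic.
    # $false = do not include inherited rules; they cannot be removed here.
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        try {
            $null = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount])
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # Neither the local SAM nor the domain knows this SID: an orphaned ACE.
            [pscustomobject]@{
                Path   = $Target
                Sid    = $rule.IdentityReference.Value
                Rights = $rule.FileSystemRights
                Type   = $rule.AccessControlType
                Rule   = $rule
            }
        }
    }
}

# The root folder itself plus everything beneath it (hidden items included).
$targets = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
$orphans = foreach ($item in $targets) { Get-OrphanedAce -Target $item.FullName }

# Report mode: always show what was found before anything is changed.
$orphans | Select-Object Path, Sid, Rights, Type | Format-Table -AutoSize

if ($Remove) {
    # Re-read each ACL once per path and drop all of its orphaned entries together.
    foreach ($group in ($orphans | Group-Object Path)) {
        $acl = Get-Acl -LiteralPath $group.Name
        foreach ($o in $group.Group) { $null = $acl.RemoveAccessRule($o.Rule) }
        Set-Acl -LiteralPath $group.Name -AclObject $acl
        Write-Host ("Removed {0} orphaned ACE(s) from {1}" -f $group.Count, $group.Name)
    }
}
```

Run it first without `-Remove` (for example `.\Remove-OrphanedAce.ps1 -Path D:\Shares\Finance`) and read the report. A SID that fails to translate is only safe to delete when it is genuinely gone from the directory; in the replication scenario the answer describes, a freshly created account that has not yet reached the DC this machine is talking to would also show up as unresolvable. Confirm replication is clean (on current Windows versions `repadmin /replsummary` and `repadmin /showrepl` replace the older replmon the answer mentions) before running with `-Remove`, and keep the report output, since it is the only record of which permissions were stripped.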

Majo2469 (author) commented:
Thank you for the response. I have been setting them up as group related security instead of user based for security permissions. I am now faced with removing the DC profile from AD. Any recommendations on how to do that? (or is that a new thread)

Thank You!
Majo2469 (author) commented:
Answered my own question - after some research I found an easy walk-through for performing this action.

http://www.petri.co.il/delete_failed_dcs_from_ad.htm