cdhead
Security Permission Problems with Active Directory User Account

I seem to be having some security permission problems with a specific AD user account on my domain. I have been able to isolate the problem to this one user. I have had similar problems with other domains in the past but a delete/recreation of the account has always fixed the problem, but this time it doesn't. Could there be any remnants of the SID that are affecting my security permissions? I don't seem to be having any AD replication problems, and all other accounts I create using the same group objects work perfectly fine. There also don't seem to be any Deny permissions that are overriding this account. I've spent about 8 hours on this and it is rare that I have a problem on this scale. Any ideas what could be following this user account around and preventing access to some of my network folders even after a deletion? Thanks
Jei-Kanchanawong
How many servers do you have? Is the user part of any groups?
cdhead

ASKER

Update:
I just "fixed" the problem. I copied an account that was working and that did it, but I'm still concerned there could be a problem. What is different in the creation process of a deleted account with the same name vs copying another account and giving it the same name?
Adam Brown
The difference is in group membership. Creating a new user puts the user in the Domain Users group and that's about it. Copying a user and renaming it copies over all group memberships as well.
cdhead

ASKER

Another Update:
So on Friday, after I copied a working account (membership assigned by copying equal to membership I manually assigned when I created it from scratch) I now had the proper write permissions. Now today, it does not. I'm starting to wonder if there is some sort of weird Active Directory replication problem going on. I can't find any issues at this point, but I know the problem is isolated to one specific account and one specific volume. Could NTFS issues also be at play? I ran a chkdsk, received 0 errors, but I had some strange delays with the results.
Did you check the security log on the server for any clues?

Strange issues like that can happen when the user is a member of too many groups, and the security token gets too large. Usually results in seemingly inconsistent permissions (access to some folders works, not for others). So if the user is a member of a lot of groups (don't forget nested ones!) you may want to try and remove some groups.

Also something worth trying: http://support.microsoft.com/kb/244474

And last but not least: Make sure the clocks in your organization are synchronized, if they are not you may get access denied problems.
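To check the oversized-token theory raised above without counting nested groups by hand, here is an added PowerShell example (not code from anyone in this thread). It reads the user's constructed `tokenGroups` attribute, which already contains every security group SID the logon token would carry, nested membership expanded, and applies Microsoft's published rule-of-thumb estimate for token size (1200 bytes base, 40 bytes per domain-local group, per universal group from another domain and per SIDHistory entry, 8 bytes per global group and per universal group in the account's own domain). It assumes the RSAT ActiveDirectory module on a domain-joined host; the account name in the usage line is a placeholder.

```powershell
# Added example: enumerate the groups in a user's access token (nested included)
# and estimate its size. Assumes RSAT ActiveDirectory module; account name is a placeholder.
Import-Module ActiveDirectory

function Get-DomainDn([string]$DistinguishedName) {
    # Keep only the DC= components so two objects can be compared by domain.
    (($DistinguishedName -split ',') | Where-Object { $_ -like 'DC=*' }) -join ','
}

function Get-UserTokenGroupReport {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups, sIDHistory, DistinguishedName
    $accountDomain = Get-DomainDn $user.DistinguishedName

    $groups = foreach ($sid in $user.tokenGroups) {
        try {
            $g = Get-ADGroup -Identity $sid.Value -Properties GroupScope
            [pscustomobject]@{
                Name            = $g.Name
                Scope           = [string]$g.GroupScope
                InAccountDomain = ((Get-DomainDn $g.DistinguishedName) -eq $accountDomain)
                Sid             = $sid.Value
            }
        } catch {
            # Well-known SIDs (Everyone, Authenticated Users, ...) and groups from
            # trusted forests are not AD objects in this domain and will not resolve.
            [pscustomobject]@{ Name = $sid.Value; Scope = 'Unresolved'; InAccountDomain = $false; Sid = $sid.Value }
        }
    }

    # d = domain-local + foreign universal groups + SIDHistory entries (40 bytes each)
    # s = global groups + universal groups in the account domain (8 bytes each)
    $d = @($groups | Where-Object {
            $_.Scope -eq 'DomainLocal' -or ($_.Scope -eq 'Universal' -and -not $_.InAccountDomain)
        }).Count + @($user.sIDHistory).Count
    $s = @($groups | Where-Object {
            $_.Scope -eq 'Global' -or ($_.Scope -eq 'Universal' -and $_.InAccountDomain)
        }).Count
    $estimate = 1200 + (40 * $d) + (8 * $s)

    [pscustomobject]@{
        User                = $user.SamAccountName
        GroupCount          = @($groups).Count
        SidHistoryCount     = @($user.sIDHistory).Count
        EstimatedTokenBytes = $estimate
        # 12000 bytes was the default MaxTokenSize before Windows 8 / Server 2012;
        # 48000 bytes is the default since then.
        NearLegacyLimit     = ($estimate -gt 12000)
        Groups              = $groups
    }
}

# Usage (placeholder account): summary first, then the full group list.
$report = Get-UserTokenGroupReport -SamAccountName 'jdoe'
$report | Select-Object User, GroupCount, SidHistoryCount, EstimatedTokenBytes, NearLegacyLimit
$report.Groups | Sort-Object Scope, Name | Format-Table Name, Scope, InAccountDomain -AutoSize
```

A user who is "only in a couple of groups" but still shows a large `GroupCount` here is the tell-tale for nested membership inflating the token; comparing the report for the failing account against a working one created from the same groups shows whether the two tokens really are equivalent.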

cdhead

ASKER

I cannot find anything pointing to a problem in the system logs, although there is an overwhelming amount of info, and I could be missing something. The user is only a member of a couple groups, no more than anyone else, so I don't believe that is the problem. Also, if it were related to some sort of group membership issue, it should have been resolved when I deleted/recreated the account with only the basic group membership. I looked at the MS article, and that doesn't seem to be related to my issue. I did verify all my AD servers are still synced with my NTP server. All good suggestions, but I'm still at a loss.

ASKER CERTIFIED SOLUTION
Wonko_the_Sane
This solution is only available to members.
cdhead

ASKER

So it would seem that I am either going insane or someone is playing games with me. Before I saw your post I went ahead and created another test account and I had the same problem again. I then realized that I was missing the group membership from the share write permissions. What is crazy is that when I began this whole process I swear the group was in the share properties, same as all other groups, but it was not. What is even crazier is that I was able to get one of these accounts (that wasn't listed in the share properties) to initially work. A couple days later it didn't work anymore. There is only one other person who has access to this, so unless he changed something on me, I don't know what to say. I appreciate the effort and nonetheless, you were correct in your assessment. Thanks for following through!
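The root cause the asker finally found, a group present in the NTFS ACL but absent from the share permissions, is exactly the kind of two-layer mismatch that is easy to miss when only one dialog is checked. The following PowerShell is an added example (not code from this thread) that reports, for one account or group, what the SMB share grants and what the NTFS ACL on the share's path grants, and whether write access survives both layers. It runs on the file server itself and assumes the SmbShare module (Windows Server 2012 or later); the share and account names in the usage line are placeholders.

```powershell
# Added example: compare share-level and NTFS-level permissions for one principal.
# Run on the file server; requires the SmbShare module. Names below are placeholders.
function Test-ShareAndNtfsAccess {
    param(
        [Parameter(Mandatory)][string]$ShareName,
        [Parameter(Mandatory)][string]$AccountName   # e.g. 'CONTOSO\Finance-Writers'
    )

    $share = Get-SmbShare -Name $ShareName -ErrorAction Stop

    # Layer 1: share permission (Read / Change / Full) on the SMB share itself.
    $shareAces  = @(Get-SmbShareAccess -Name $ShareName | Where-Object { $_.AccountName -ieq $AccountName })
    $shareAllow = @($shareAces | Where-Object { $_.AccessControlType -eq 'Allow' })
    $shareDeny  = @($shareAces | Where-Object { $_.AccessControlType -eq 'Deny' })
    # Change or Full is needed for writes at the share layer.
    $shareWrite = [bool]($shareAllow | Where-Object { "$($_.AccessRight)" -in @('Change', 'Full') })

    # Layer 2: NTFS ACL on the folder behind the share.
    $acl       = Get-Acl -Path $share.Path
    $ntfsAces  = @($acl.Access | Where-Object { $_.IdentityReference.Value -ieq $AccountName })
    $ntfsAllow = @($ntfsAces | Where-Object { $_.AccessControlType -eq 'Allow' })
    $ntfsDeny  = @($ntfsAces | Where-Object { $_.AccessControlType -eq 'Deny' })
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write
    $ntfsWrite = [bool]($ntfsAllow | Where-Object { ($_.FileSystemRights -band $writeMask) -ne 0 })

    $sharePerm = if ($shareAllow.Count) { ($shareAllow | ForEach-Object { "$($_.AccessRight)" }) -join ',' } else { 'NOT LISTED' }
    $ntfsPerm  = if ($ntfsAllow.Count)  { ($ntfsAllow  | ForEach-Object { "$($_.FileSystemRights)" }) -join ';' } else { 'NOT LISTED' }

    [pscustomobject]@{
        Share           = $ShareName
        Path            = $share.Path
        Account         = $AccountName
        SharePermission = $sharePerm
        ShareDeny       = ($shareDeny.Count -gt 0)
        NtfsRights      = $ntfsPerm
        NtfsDeny        = ($ntfsDeny.Count -gt 0)
        # Effective access is the more restrictive of the two layers; any Deny wins.
        EffectiveWrite  = ($shareWrite -and $ntfsWrite -and $shareDeny.Count -eq 0 -and $ntfsDeny.Count -eq 0)
    }
}

# Usage (placeholder share and group): the thread's failure mode shows up as
# SharePermission = 'NOT LISTED' while NtfsRights still contains Write.
Test-ShareAndNtfsAccess -ShareName 'Finance' -AccountName 'CONTOSO\Finance-Writers' | Format-List
```

The check matches the principal by name only; it does not expand the user's group membership, so run it for each group the user is expected to reach the share through. Inherited NTFS entries are included because `Get-Acl` returns them in `Access`, which is what the user actually hits on the folder.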