Security Permission Problems with Active Directory User Account

cdhead
I seem to be having some security permission problems with a specific AD user account on my domain. I have been able to isolate the problem to this one user. I have had similar problems with other domains in the past, but a delete/recreation of the account has always fixed the problem; this time it doesn't. Could there be any remnants of the SID that are affecting my security permissions? I don't seem to be having any AD replication problems, and all other accounts I create using the same group objects work perfectly fine. There also don't seem to be any Deny permissions that are overriding this account. I've spent about 8 hours on this and it is rare that I have a problem on this scale. Any ideas what could be following this user account around and preventing access to some of my network folders even after a deletion? Thanks
How many servers do you have? Is the user part of any groups?

Author

Commented:
Update:
I just "fixed" the problem. I copied an account that was working and that did it, but I'm still concerned there could be a problem. What is different in the creation process of a deleted account with the same name vs copying another account and giving it the same name?
Adam Brown, Senior Systems Admin
Top Expert 2010

Commented:
The difference is in group membership. Creating a new user puts the user in the Domain Users group and that's about it. Copying a user and renaming it copies over all group memberships as well.
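Added example, not code from the thread: the membership difference the answer describes can be checked (and, if wanted, closed) from PowerShell instead of by copying the account in ADUC. It assumes the ActiveDirectory module from RSAT, and the account names in the usage lines are placeholders.

```powershell
# Added example (not from the thread): compare the direct group memberships
# of a working account and a broken one, and optionally add the missing
# groups, which is the part that copying a user in ADUC does for you.
# Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Compare-ADUserGroups {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Reference,   # the account that works
        [Parameter(Mandatory)] [string] $Target,      # the account that does not
        [switch] $Sync                                # add the groups Target lacks
    )

    # Get-ADPrincipalGroupMembership returns direct memberships only (nested
    # groups are not expanded); wrap in @() so an empty result still compares.
    $refGroups = @(Get-ADPrincipalGroupMembership -Identity $Reference)
    $tgtGroups = @(Get-ADPrincipalGroupMembership -Identity $Target)

    $diff = Compare-Object -ReferenceObject $refGroups -DifferenceObject $tgtGroups `
                           -Property DistinguishedName -IncludeEqual

    foreach ($entry in $diff) {
        $status = switch ($entry.SideIndicator) {
            '==' { 'both' }
            '<=' { "missing on $Target" }
            '=>' { "only on $Target" }
        }
        [pscustomobject]@{ Group = $entry.DistinguishedName; Status = $status }
    }

    if ($Sync) {
        $missing = $diff | Where-Object SideIndicator -eq '<='
        foreach ($g in $missing) {
            # -WhatIf on the call shows what would change without changing it
            if ($PSCmdlet.ShouldProcess($Target, "Add to $($g.DistinguishedName)")) {
                Add-ADGroupMember -Identity $g.DistinguishedName -Members $Target
            }
        }
    }
}

# Usage (placeholder account names):
# Compare-ADUserGroups -Reference 'jdoe' -Target 'jdoe2' | Format-Table -AutoSize
# Compare-ADUserGroups -Reference 'jdoe' -Target 'jdoe2' -Sync -WhatIf
```

Copying a user in ADUC also carries over other attributes (profile path, logon hours, and so on), so when a copied account works and a fresh one does not, run the comparison first; if the groups already match, membership is not what differs.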

Author

Commented:
Another Update:
So on Friday, after I copied a working account (membership assigned by copying equal to membership I manually assigned when I created it from scratch), I now had the proper write permissions. Now today, it does not. I'm starting to wonder if there is some sort of weird Active Directory replication problem going on. I can't find any issues at this point, but I know the problem is isolated to one specific account and one specific volume. Could NTFS issues also be at play? I ran a chkdsk, received 0 errors, but I had some strange delays with the results.
Did you check the security log on the server for any clues?

Strange issues like that can happen when the user is a member of too many groups and the security token gets too large. This usually results in seemingly inconsistent permissions (access to some folders works, not to others). So if the user is a member of a lot of groups (don't forget nested ones!), you may want to try to remove some groups.

Also something worth trying: http://support.microsoft.com/kb/244474

And last but not least: Make sure the clocks in your organization are synchronized, if they are not you may get access denied problems.

Author

Commented:
I cannot find anything pointing to a problem in the system logs, although there is an overwhelming amount of info, and I could be missing something. The user is only a member of a couple of groups, no more than anyone else, so I don't believe that is the problem. Also, if it were related to some sort of group membership issue, it should have been resolved when I deleted/recreated the account with only the basic group membership. I looked at the MS article, and that doesn't seem to be related to my issue. I did verify all my AD servers are still synced with my NTP server. All good suggestions, but I'm still at a loss.

Hmmm... did you look at the "effective permissions" for that account? This is not really reliable, but it may give a clue.

This is probably a stupid suggestion, but sometimes we overlook the most basic stuff (and it doesn't fit your description, but just to cover all bases): the permissions on the actual share (not NTFS) do allow this account to write, right?

You also may want to try to reset the NTFS on one of the folders to see if it makes a difference. Clear out all permissions, click apply, and then put everything back in. Also check for Deny permissions that may be set on a top-level folder. However all this is rather unlikely if you only use groups. You can also try assigning permissions to the account directly and see if it makes a difference, at least to narrow it down some more.

Last thing to check: is the user really a member of those groups? Once logged on, run "whoami /groups" and see if all groups are there.
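Added example, not code from the thread: the checks suggested above (what groups actually land in the token, the share ACL versus the NTFS ACL, and any Deny entries) can be run together on the file server. It approximates the token from AD (direct and nested groups via LDAP_MATCHING_RULE_IN_CHAIN, the primary group, plus Everyone and Authenticated Users; SID history and local groups are not included, so "whoami /groups" after logon remains the authoritative list). It assumes the ActiveDirectory and SmbShare modules (Windows Server 2012 / Windows 8 or later), and the user, share and path names in the usage line are placeholders.

```powershell
# Added example (not from the thread): approximate the groups in a user's
# access token, then check both the share ACL and the NTFS ACL of the shared
# folder for entries naming any of them. Run on the file server.
Import-Module ActiveDirectory
Import-Module SmbShare

function Get-TokenPrincipals {
    # Returns "DOMAIN\name" strings, the form ACL entries use.
    param([Parameter(Mandatory)] [string] $SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup
    $sids = [System.Collections.Generic.List[string]]::new()
    $sids.Add($user.SID.Value)

    # The primary group (normally Domain Users) is not in any 'member'
    # attribute, so it has to be fetched separately.
    $sids.Add((Get-ADGroup -Identity $user.PrimaryGroup).SID.Value)

    # LDAP_MATCHING_RULE_IN_CHAIN expands nested membership on the DC,
    # which is close to what whoami /groups shows after logon.
    $filter = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    foreach ($g in Get-ADGroup -LDAPFilter $filter) { $sids.Add($g.SID.Value) }

    $sids.Add('S-1-1-0')    # Everyone
    $sids.Add('S-1-5-11')   # Authenticated Users

    foreach ($sid in $sids | Select-Object -Unique) {
        try {
            ([System.Security.Principal.SecurityIdentifier] $sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $sid   # keep unresolvable SIDs (e.g. a deleted group) as raw SIDs
        }
    }
}

function Test-FolderAccessForUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $ShareName,
        [Parameter(Mandatory)] [string] $Path     # local path behind the share
    )
    $principals = @(Get-TokenPrincipals -SamAccountName $SamAccountName)

    # Share-level ACL: the layer that turned out to be missing the group.
    $shareAces = @(Get-SmbShareAccess -Name $ShareName |
        Where-Object { $principals -contains $_.AccountName })

    # NTFS ACL on the folder itself (explicit and inherited entries).
    $ntfsAces = @((Get-Acl -Path $Path).Access |
        Where-Object { $principals -contains $_.IdentityReference.Value })

    [pscustomobject]@{
        User        = $SamAccountName
        TokenGroups = $principals.Count
        ShareAllow  = @($shareAces | Where-Object AccessControlType -eq 'Allow' |
                        ForEach-Object { "$($_.AccountName): $($_.AccessRight)" })
        ShareDeny   = @($shareAces | Where-Object AccessControlType -eq 'Deny' |
                        ForEach-Object { "$($_.AccountName): $($_.AccessRight)" })
        NtfsAllow   = @($ntfsAces | Where-Object AccessControlType -eq 'Allow' |
                        ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" })
        NtfsDeny    = @($ntfsAces | Where-Object AccessControlType -eq 'Deny' |
                        ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" })
    }
}

# Usage (placeholder names). An empty ShareAllow next to a populated NtfsAllow
# is the pattern this thread ended up with: NTFS grants the group, the share
# does not, and the effective result is access denied.
# Test-FolderAccessForUser -SamAccountName 'jdoe' -ShareName 'Projects' -Path 'D:\Projects'
```

The share and NTFS permissions combine as the more restrictive of the two, so a group present in only one of them explains an account that fails while identically grouped accounts work. A large TokenGroups count is the cue to look at the token-size issue raised earlier in the thread.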

Author

Commented:
So it would seem that I am either going insane or someone is playing games with me. Before I saw your post I went ahead and created another test account and I had the same problem again. I then realized that I was missing the group membership from the share write permissions. What is crazy is that when I began this whole process I swear the group was in the share properties, same as all other groups, but it was not. What is even crazier is that I was able to get one of these accounts (that wasn't listed in the share properties) to initially work. A couple of days later it didn't work anymore. There is only one other person who has access to this, so unless he changed something on me, I don't know what to say. I appreciate the effort and nonetheless, you were correct in your assessment. Thanks for following through!