drj003
asked on
Active Directory 2003/Naming information cannot be located because: Access denied.
A co-worker of mine is trying to open "Active Directory Users and Computers" and is getting this error: "Naming information cannot be located because: Access denied." This started yesterday. We tried taking his computer off the domain and re-adding it.
ASKER
Hi jkeegan123,
Thanks for the response. It's only with one computer. He has tried reinstalling RSAT (this is a Win7 computer).
We have tried pointing to a valid DNS server and have also tried using DHCP.
ASKER
It's specific to the user's account. I can use AD users and computers on his machine. He can't use it on any machine.
The user's AD permissions are?
Check the user's group membership. In order to use ADUC you need to have the appropriate permissions to read objects in Active Directory.
ASKER
The user is a member of the same groups he was when it worked. I am assuming this is how permissions are propagated in Active directory, but I'm not an expert at AD.
Is there another way to assign permissions, besides the groups the user is a member of?
Yes. Open ADUC, go to View, select Advanced Features. From there you can right click on any object in AD and check the permissions that are set on the security tab. He may have a deny entry on his account somewhere. You should also be able to use the effective permissions tool in the Advanced security thing.
ASKER
His effective permissions are exactly like mine.
Is the user an administrator?
Same issue if you try to open, i.e., AD Sites & Services?
ASKER
The user is an administrator.
The same error happens when opening AD Sites and Services.
So, just to recap the issue, he can't access ADUC on his computer, but can on others, and other users can access ADUC on his computer, is that correct?
ASKER
He cannot access it on any machine. I can access ADUC with my profile on his machine. It's user id specific.
Does he have a roaming profile?
ASKER
He is a member of 29 groups and does not have a roaming profile.
Is his account listed specifically in the AD ACLs for the domain?
With you logged on to the PC with RSAT, open cmd:
runas /user:domain\username "mmc dsa.msc"
(where domain reflects your domain, and username is the name of the user with this problem)
Same issue?
Logged on with the user with this problem:
dsa.msc /domain=domain
dsa.msc /server=DC01.domain.com
Still no luck?
ASKER
When removing groups and condensing down to only the groups he needed, it worked. One of the groups' permissions must have gotten changed.
Well, there is a known issue where if a user is a member of too many groups they can overflow the security token, but that's usually after someone is a member of 120 groups or more. At any rate, glad you got it sorted.
ASKER
thanks for the help!
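One way to look for the Deny entry suggested earlier in the thread and to see which of the user's groups carries it, as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory module (RSAT) and a domain controller running AD Web Services, is run by an admin whose ADUC works, and uses a placeholder account name and an assumed list of objects to inspect.

```powershell
# Added example: report Deny ACEs that apply to a user through any nested group.
Import-Module ActiveDirectory

$SamAccountName = 'affected.user'   # placeholder: the account that gets "Access denied"

$user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroupID
$root = Get-ADRootDSE

# Transitive (nested) membership via LDAP_MATCHING_RULE_IN_CHAIN.
# Assumes the DN holds no characters that need LDAP filter escaping.
$filter = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
$groups = @(Get-ADGroup -LDAPFilter $filter)

# Map every SID in play (user, primary group, nested groups) to a readable name.
# The primary group is not stored in 'member', so it is added by hand.
$nameBySid = @{}
$nameBySid[$user.SID.Value] = $user.SamAccountName
$nameBySid["$($user.SID.AccountDomainSid)-$($user.PrimaryGroupID)"] = '(primary group)'
foreach ($g in $groups) { $nameBySid[$g.SID.Value] = $g.Name }

"{0} is a member of {1} groups (nested, primary group not counted)" -f $SamAccountName, $groups.Count

# Objects to inspect: the domain and configuration naming contexts.
# This list is an assumption; add OUs or containers as needed.
$targets = @($root.defaultNamingContext, $root.configurationNamingContext)

foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    # Request SIDs instead of names so unresolvable trustees still compare correctly.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Deny' -and $nameBySid.ContainsKey($sid)) {
            New-Object PSObject -Property @{
                Object    = $dn
                Trustee   = $nameBySid[$sid]
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

Any row in the output names a group (or the account itself) whose Deny entry applies to the user on that object; an empty result means the cause is on an object outside the inspected list.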
If it is just his PC, check the following:
- DNS entries point to valid Active Directory DNS servers
- Administrative toolset is installed (you can install by running from any server's C:\WINDOWS\SYSTEM32\ADMINP