  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2549

Active Directory 2003/Naming information cannot be located because: Access denied.

A co-worker of mine is trying to open "Active Directory Users and Computers" and is getting this error: "Naming information cannot be located because: Access denied." This started yesterday. We tried taking his computer off the domain and re-adding it.
drj003
Asked:
1 Solution
 
jkeegan123 Commented:
Is this an issue JUST with his PC?  Try running this from a server domain controller logged in as the same user to see if it runs.

If it is just his PC, check the following:

- DNS entries point to valid Active Directory DNS servers
- Administrative toolset is installed (you can install it by running any server's C:\WINDOWS\SYSTEM32\ADMINPAK.MSI)

drj003 Author Commented:
Hi jkeegan123,

Thanks for the response.  It's only with one computer.  He has tried reinstalling RSAT (this is a Win7 computer).

We have tried pointing to a valid DNS server and have also tried using DHCP.

drj003 Author Commented:
It's specific to the user's account.  I can use AD users and computers on his machine.  He can't use it on any machine.
 
maxxmyer Commented:
The user's AD permissions are?

Adam Brown, Sr Solutions Architect Commented:
Check the user's group membership. In order to use ADUC you need to have the appropriate permissions to read objects in Active Directory.

drj003 Author Commented:
The user is a member of the same groups he was when it worked. I am assuming this is how permissions are propagated in Active Directory, but I'm not an expert at AD.

Is there another way to assign permissions, besides the groups the user is a member of?

Adam Brown, Sr Solutions Architect Commented:
Yes. Open ADUC, go to View, select Advanced Features. From there you can right click on any object in AD and check the permissions that are set on the security tab. He may have a deny entry on his account somewhere. You should also be able to use the effective permissions tool in the Advanced security thing.

drj003 Author Commented:
His effective permissions are exactly like mine.

jkeegan123 Commented:
Is the user an administrator?

snusgubben Commented:
Same issue if you try to open, i.e., AD Sites & Services?

drj003 Author Commented:
The user is an administrator.  

The same error happens when opening AD Sites and Services.

Adam Brown, Sr Solutions Architect Commented:
So, just to recap the issue, he can't access ADUC on his computer, but can on others, and other users can access ADUC on his computer, is that correct?

drj003 Author Commented:
He cannot access it on any machine.  I can access ADUC with my profile on his machine.  It's user id specific.

Adam Brown, Sr Solutions Architect Commented:
How many groups is he a member of?

snusgubben Commented:
Does he have a roaming profile?

drj003 Author Commented:
He is a member of 29 groups and does not have a roaming profile.

Adam Brown, Sr Solutions Architect Commented:
Is his account listed specifically in the AD ACLs for the domain?

snusgubben Commented:
With you logged on the PC with RSAT open cmd:

runas /user:domain\username "mmc dsa.msc"

(where domain reflects your domain, and username is the name of the user with this problem)

Same issue?


Logged on with the user with this problem:

dsa.msc /domain=domain

dsa.msc /server=DC01.domain.com

Still no luck?





 

drj003 Author Commented:
When removing groups and condensing down to only the groups he needed, it worked. One of the groups' permissions must have gotten changed.

Adam Brown, Sr Solutions Architect Commented:
Well, there is a known issue where if a user is a member of too many groups they can overflow the security token, but that's usually after someone is a member of 120 groups or more. At any rate, glad you got it sorted.

drj003 Author Commented:
thanks for the help!
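
The checks suggested in this thread (group count, possible token overflow, a Deny entry reached through a group), combined into one PowerShell script as an added example that is not part of any participant's post. It assumes the ActiveDirectory module from RSAT, PowerShell 3.0 or later, an account that can still read the directory, and `jdoe` as a placeholder for the affected user.

```powershell
# Added example. 'jdoe' is a placeholder for the affected account.
Import-Module ActiveDirectory
$sam     = 'jdoe'
$user    = Get-ADUser -Identity $sam -Properties PrimaryGroup
$rootDse = Get-ADRootDSE

# Escape characters that are special inside an LDAP filter value.
$dn = $user.DistinguishedName -replace '\\','\5c' -replace '\*','\2a' `
        -replace '\(','\28' -replace '\)','\29'

# Direct and nested groups (1.2.840.113556.1.4.1941 = matching rule in chain).
# The primary group is not stored in 'member', so it is added separately;
# groups that the primary group is itself nested in are not expanded here.
$groups  = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)")
$groups += Get-ADGroup -Identity $user.PrimaryGroup

# Rough Kerberos token size using Microsoft's documented estimate
# 1200 + 40d + 8s, simplified for a single domain with no SID history:
# d = domain local groups, s = global and universal groups.
$d = @($groups | Where-Object { $_.GroupScope -eq 'DomainLocal' }).Count
$s = $groups.Count - $d
$tokenEstimate = 1200 + (40 * $d) + (8 * $s)

# Deny ACEs on the partition roots that name the user or one of those groups.
# ADUC reads the domain partition, Sites and Services the configuration one.
$sids    = @($user.SID.Value) + @($groups | ForEach-Object { $_.SID.Value })
$sidType = [System.Security.Principal.SecurityIdentifier]
$denies = foreach ($nc in $rootDse.defaultNamingContext, $rootDse.configurationNamingContext) {
    foreach ($ace in (Get-Acl -Path "AD:\$nc").Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        $sid = $null
        try { $sid = $ace.IdentityReference.Translate($sidType).Value } catch { }
        if ($sid -and ($sids -contains $sid)) {
            [pscustomobject]@{
                Object    = $nc
                Trustee   = $ace.IdentityReference
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

"{0}: {1} groups, estimated token size {2} bytes" -f $sam, $groups.Count, $tokenEstimate
if ($denies) { $denies | Format-Table -AutoSize -Wrap }
else { 'No Deny ACE on the partition roots names this user or these groups.' }
```

Deny entries granted to well-known principals such as Authenticated Users, or set on objects below the partition roots, are outside what this script inspects.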