drj003

Active Directory 2003/Naming information cannot be located because: Access denied.

A co-worker of mine is trying to open "Active Directory Users and Computers" and is getting this error: "Naming information cannot be located because: Access denied." This started yesterday. We tried taking his computer off the domain and re-adding it.
jkeegan123

Is this an issue JUST with his PC?  Try running this from a server domain controller logged in as the same user to see if it runs.

If it is just his PC, check the following:

- DNS entries point to valid Active Directory DNS servers
- Administrative toolset is installed (you can install it by running C:\WINDOWS\SYSTEM32\ADMINPAK.MSI from any server)
drj003

ASKER

Hi jkeegan123,

Thanks for the response.  It's only with one computer.  He has tried reinstalling RSAT (this is a Win7 computer).

We have tried pointing to a valid DNS server and have also tried using DHCP.
drj003

ASKER

It's specific to the user's account.  I can use AD users and computers on his machine.  He can't use it on any machine.
The user's AD permissions are?
Adam Brown
Check the user's group membership. In order to use ADUC you need to have the appropriate permissions to read objects in Active Directory.
Avatar of drj003

ASKER

The user is a member of the same groups he was when it worked.  I am assuming this is how permissions are propagated in Active Directory, but I'm not an expert at AD.

Is there another way to assign permissions, besides the groups the user is a member of?
Yes. Open ADUC, go to View, select Advanced Features. From there you can right-click on any object in AD and check the permissions that are set on the Security tab. He may have a deny entry on his account somewhere. You should also be able to use the effective permissions tool in the Advanced security thing.
drj003

ASKER

His effective permissions are exactly like mine.
Is the user an administrator?
Same issue if you try to open, i.e., AD Sites & Services?
drj003

ASKER

The user is an administrator.  

The same error happens when opening AD Sites and Services.
So, just to recap the issue, he can't access ADUC on his computer, but can on others, and other users can access ADUC on his computer, is that correct?
drj003

ASKER

He cannot access it on any machine.  I can access ADUC with my profile on his machine.  It's user id specific.
Does he have a roaming profile?
drj003

ASKER

He is a member of 29 groups and does not have a roaming profile.
Is his account listed specifically in the AD ACLs for the domain?
With you logged on to the PC with RSAT, open cmd:

runas /user:domain\username "mmc dsa.msc"

(where domain reflects your domain, and username is the name of the user with this problem)

Same issue?


Logged on with the user with this problem:

dsa.msc /domain=domain

dsa.msc /server=DC01.domain.com

Still no luck?

drj003

ASKER

When removing groups and condensing down to only the groups he needed, it worked.  One of the groups' permissions must have gotten changed.
Well, there is a known issue where if a user is a member of too many groups they can overflow the security token, but that's usually after someone is a member of 120 groups or more. At any rate, glad you got it sorted.
drj003

ASKER

Thanks for the help!
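
The two checks raised in this thread (a deny entry reaching the user through a group, and the size of his group list) can be scripted. This is an added PowerShell example, not code from any poster; it assumes the RSAT ActiveDirectory module, and the function name `Get-DenyAceForUser` and the account name `jdoe` are placeholders.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Hypothetical helper: list Deny ACEs on the domain and configuration naming
# contexts that reach a user directly or through any nested group.
function Get-DenyAceForUser {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    # tokenGroups is a constructed attribute, so read it with a base-scoped search.
    $expanded = Get-ADUser -SearchBase $user.DistinguishedName -SearchScope Base `
        -LDAPFilter '(objectClass=user)' -Properties tokenGroups
    # The user's own SID plus every transitive group SID. Well-known SIDs such as
    # Everyone or Authenticated Users are not in tokenGroups and are not checked.
    $sids = @($user.SID.Value) + @($expanded.tokenGroups | ForEach-Object { $_.Value })
    Write-Host ("{0}: {1} transitive group SIDs" -f $SamAccountName, ($sids.Count - 1))

    $rootDse = Get-ADRootDSE
    foreach ($dn in $rootDse.defaultNamingContext, $rootDse.configurationNamingContext) {
        $acl = Get-Acl -Path "AD:\$dn"
        # Request SIDs instead of translated names so they compare with tokenGroups.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Deny') { continue }
            if ($sids -notcontains $rule.IdentityReference.Value) { continue }
            $name = try {
                $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $rule.IdentityReference.Value }
            [pscustomobject]@{
                Object    = $dn
                Trustee   = $name
                Rights    = $rule.ActiveDirectoryRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# 'jdoe' is a placeholder for the affected account.
Get-DenyAceForUser -SamAccountName 'jdoe' | Format-Table -AutoSize
```

The configuration naming context is included because AD Sites and Services reads from it; an empty result only rules out deny entries at those two roots, not on objects further down the tree.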