Deployed 7 - User can't access files from Server2003

paperfist

Diamond Member
Nov 30, 2000
www.the-teh.com
Hey fellas :)

Any help would be appreciated.

This is for a domain environment.
Took down users computer running XP.
Disjoined it from the server.
Installed 7 with same user/computer name. (Stupid?)
Mapped out network drive to Win2003Server and had loads of problems.
Got it working by stripping out some security.
Now I can't access users files on server as I get 'permission denied' error.
Actually got a few files to work, but 99% deny me.
-----

For file permissions there's an unknown user listed which is a string of numbers and dashes (like S-1-521-25028722, etc.).
I took control as admin of users files, closed out and reassigned it back to user. No dice.

-----

Strange issues: can't ping the machine by name, can ping it by IP.
It doesn't have a DNS entry under computer management and I don't know how to fix that.

Not getting any event viewer issues on the server side. Getting some Logon ones on the client about possible duplicate computers.

Any ideas? Thanks!
 

seepy83

Platinum Member
Nov 12, 2003
Since you named the new Win7 install the same name as the previous XP one, did you delete the old Computer account from AD?

Did you join the computer to the domain after installing Win7?
 

paperfist

Diamond Member
Nov 30, 2000
www.the-teh.com
Since you named the new Win7 install the same name as the previous XP one, did you delete the old Computer account from AD?

Did you join the computer to the domain after installing Win7?

Yes, deleted the computer and user account from AD before I took down XP.

Yes, maybe this isn't correct, but I went into AD and added the user account and computer, then boot up client machine and connected it to the domain.
 

seepy83

Platinum Member
Nov 12, 2003
I'm not sure why you would delete a user from AD. Nothing you're trying to accomplish requires a User to be deleted.

Just to be clear, since it doesn't sound like you really know what you're doing, you went through steps similar to the screenshots on this page and actually joined the PC to the domain, right? http://www.petri.co.il/join-a-domain-in-windows-7.htm You didn't just create an account for the PC in AD and then leave the computer as a member of a workgroup, right?
 

paperfist

Diamond Member
Nov 30, 2000
www.the-teh.com
I'm not sure why you would delete a user from AD. Nothing you're trying to accomplish requires a User to be deleted.

Just to be clear, since it doesn't sound like you really know what you're doing, you went through steps similar to the screenshots on this page and actually joined the PC to the domain, right? http://www.petri.co.il/join-a-domain-in-windows-7.htm You didn't just create an account for the PC in AD and then leave the computer as a member of a workgroup, right?

Yep, that's exactly what I did to join the Win7 Enterprise machine to the server. The Win7 machine has a domain account, not a workgroup or local account. It connects and authenticates fine to the server according to the security event logs.
 

seepy83

Platinum Member
Nov 12, 2003
Alright so back to your original post. What are the Share and NTFS permissions on the folder/files you're trying to access? If you're being denied because of permissions, then it has to be producing logs on the file server you're trying to access. Please check the event logs again and post details of the failure audits. If you really don't have anything in the security log, then you may need to turn on some audit logging that isn't turned on.

You got a few files to work, but 99% deny you? Compare the Share and NTFS permissions on those files to the rest of them.

The Unknown SID that's listed on the permissions is possibly the User account that you deleted when you deleted the old Computer Account. You could try assigning the same permissions that the unknown SID has to the account that you're trying to access the folder from.

Correctly assigning Share and NTFS permissions on a file/folder is pretty straightforward if you have either been taught how to do it or read the Microsoft documentation to learn how to do it properly.

The User Account that you deleted might have been a member of a Security Group that your new user is not a member of, and that group might have been used to assign permissions on the files/folders in question.

You can also use the GUI on the server to view the effective permissions for the user account and possibly find out what the problem is. http://technet.microsoft.com/en-us/library/cc758822(WS.10).aspx


You can't ping the machine by name, but you can by IP? I assume you have AD-integrated DNS, and you have a Windows server that's supplying DHCP. Is your DHCP server configured to perform DNS dynamic updates? What are the results of doing an nslookup for the machine vs what you know the IP to be?
 
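An added example (not code from the thread or from either poster) of the comparison seepy83 asks for, done in PowerShell on the file server: it dumps the NTFS owner and DACL of one file the user can open and one she is denied, resolving each ACE's SID so a deleted account's SID shows up as ORPHANED instead of being silently dropped. The two paths are placeholders, and the script sticks to PowerShell 2.0 syntax so it runs on Windows 7 / Server 2003-era hosts.

```powershell
# Added example, not from the thread. Compares the NTFS owner and DACL of a file the user
# can open with one she is denied. Paths are placeholders; run as an account that can read
# both security descriptors (locally on the server or over the UNC path).

function Resolve-SidLabel {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try {
        # Translate only succeeds while an account with this SID still exists
        $Sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        "ORPHANED($($Sid.Value))"   # account deleted: nothing left for the SID to map to
    }
}

function Get-AceSummary {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Request SIDs rather than names so unresolvable entries are kept, not skipped
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
    $lines = foreach ($r in $rules) {
        '{0} {1} {2} inherited={3}' -f (Resolve-SidLabel $r.IdentityReference),
            $r.AccessControlType, $r.FileSystemRights, $r.IsInherited
    }
    New-Object PSObject -Property @{
        Path  = $Path
        Owner = (Resolve-SidLabel $ownerSid)
        Aces  = @($lines | Sort-Object)
    }
}

$good = Get-AceSummary -Path '\\FILESERVER\Users\jdoe\opens.docx'   # placeholder
$bad  = Get-AceSummary -Path '\\FILESERVER\Users\jdoe\denied.docx'  # placeholder

"Owner of file that opens:     $($good.Owner)"
"Owner of file that is denied: $($bad.Owner)"
# ACEs present on one file but not on the other are the first thing to look at
Compare-Object -ReferenceObject $good.Aces -DifferenceObject $bad.Aces |
    ForEach-Object { '{0} {1}' -f $_.SideIndicator, $_.InputObject }
# Rights granted to an ORPHANED SID are dead weight: no logon token can ever match them
($good.Aces + $bad.Aces) | Where-Object { $_ -like 'ORPHANED*' } | Sort-Object -Unique
```

Share-level permissions are a separate ACL that Get-Acl does not show; the effective result is the more restrictive of the share and NTFS permissions, so check both.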

Skud

Junior Member
Dec 12, 2001
Just briefly scanned the thread, but looks to me like your problem is that you deleted the user account and then re-created another user with the same name expecting everything to be just like the old account.

In AD, accounts are not identified by the user name, but by the SID. That's what you're seeing with the long number/letters in the permissions list - it's the SID of the old user. The NEW user has the same name, but as far as AD is concerned, that's a completely new, different user.

Also, did you actually re-add the computer account manually? Like did you go into AD and create a new computer? You don't need to do that and that will require extra steps to get the computer and DCs talking.

What I suggest you do:

1) Re-remove the PC from the domain
2) Delete the computer account from AD
3) Wait 5 minutes or so.
4) Re-join the PC to the domain. It will create a computer account for you with all the right trusts and passwords on the computer account.

Since you've deleted the original user account you can't get it back anymore without a lot of work. So, you will have to go through and reset all the permissions for the user.

Riley
 
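As an added example (not from the thread), a PowerShell script for the last step Skud describes, resetting the deleted user's permissions: it walks a folder tree, copies every explicit NTFS ACE that still names the old SID onto the re-created account and removes the dead entry. `$Root`, `$OldSid` and `$NewAccount` are placeholders, and the script changes nothing unless run with `-Apply`.

```powershell
# Added example, not from the thread. Re-creates, for the new account, every explicit NTFS
# ACE under $Root that still names the deleted account's SID, then removes the dead ACE.
# Run in an elevated session on the file server. Inherited ACEs are skipped on purpose:
# correcting the folder that defines them corrects every child. Share permissions untouched.
param(
    [string]$Root       = 'D:\Users\jdoe',                                   # placeholder
    [string]$OldSid     = 'S-1-5-21-1111111111-2222222222-3333333333-1105',  # placeholder
    [string]$NewAccount = 'CONTOSO\jdoe',                                    # placeholder
    [switch]$Apply      # without -Apply the script only reports what it would change
)
$sidType = [System.Security.Principal.SecurityIdentifier]
$new     = New-Object System.Security.Principal.NTAccount($NewAccount)
$newSid  = $new.Translate($sidType).Value   # throws if the account does not exist
if ($newSid -eq $OldSid) { throw 'New account already has the old SID; nothing to remap.' }

$items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    $changed = $false
    # explicit entries only (second argument $false = leave inherited entries out)
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        if ($ace.IdentityReference.Value -ne $OldSid) { continue }
        # same rights, inheritance/propagation flags and allow/deny type, new principal
        $ctor = $new, $ace.FileSystemRights, $ace.InheritanceFlags, $ace.PropagationFlags, $ace.AccessControlType
        $copy = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ctor
        $acl.AddAccessRule($copy)
        [void]$acl.RemoveAccessRule($ace)
        $changed = $true
        '{0}: {1} {2} -> {3}' -f $item.FullName, $ace.AccessControlType, $ace.FileSystemRights, $NewAccount
    }
    if ($acl.GetOwner($sidType).Value -eq $OldSid) {
        # taking over ownership needs SeRestorePrivilege; if Set-Acl refuses, use icacls /setowner
        $acl.SetOwner($new)
        $changed = $true
        '{0}: owner -> {1}' -f $item.FullName, $NewAccount
    }
    if ($changed -and $Apply) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
}
if (-not $Apply) { 'Report only. Re-run with -Apply to write the changes.' }
```

Run it once without `-Apply` and read the report before writing anything; a Deny ACE on the old SID is copied as a Deny on the new account, which is the faithful translation but may not be what was intended.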

paperfist

Diamond Member
Nov 30, 2000
www.the-teh.com
I don't have access to the client/server atm, but I was reading up on restoring deleted AD objects from here: http://www.petri.co.il/recovering-deleted-items-active-directory.htm

There are a couple of GUI tools at the end that make the process look easy. Since there's only one deleted user and it only happened 7 days ago, that doesn't seem like a bad option to explore provided I do a backup first.

Has anyone gone through the tombstone process before? I'm just wondering if I delete the current user account and bring back the original tombstone if I'm going to have SID issues?
 

seepy83

Platinum Member
Nov 12, 2003
Yes, I have restored Tombstoned objects in AD before, but only in a lab/test environment. I've never done it using any of the 3rd party tools that are on the site you linked to, so I can't speak towards any of them.

Who built the AD environment that you're working on? If you don't know how to create a new user account that has the same permissions as the one you deleted, chances are that they would be able to help you.

Can you restore the old account and make it work? Probably...but I consider that a last resort in a production environment.

You shouldn't have any SID issues if you restore the Tombstoned account. The SID of the old account and the new one that you created with the same name will be different.

Also, I wouldn't recommend making a backup of AD, messing around with Tombstoned objects, and then just restoring from your backup if something stops working. Restoring AD from a backup is something that should only be done in test labs or disaster recovery scenarios (IMO).
 

paperfist

Diamond Member
Nov 30, 2000
www.the-teh.com
Alright so back to your original post. What are the Share and NTFS permissions on the folder/files you're trying to access? If you're being denied because of permissions, then it has to be producing logs on the file server you're trying to access. Please check the event logs again and post details of the failure audits. If you really don't have anything in the security log, then you may need to turn on some audit logging that isn't turned on.

You got a few files to work, but 99% deny you? Compare the Share and NTFS permissions on those files to the rest of them.

The Unknown SID that's listed on the permissions is possibly the User account that you deleted when you deleted the old Computer Account. You could try assigning the same permissions that the unknown SID has to the account that you're trying to access the folder from.

Correctly assigning Share and NTFS permissions on a file/folder is pretty straightforward if you have either been taught how to do it or read the Microsoft documentation to learn how to do it properly.

The User Account that you deleted might have been a member of a Security Group that your new user is not a member of, and that group might have been used to assign permissions on the files/folders in question.

You can also use the GUI on the server to view the effective permissions for the user account and possibly find out what the problem is. http://technet.microsoft.com/en-us/library/cc758822(WS.10).aspx


You can't ping the machine by name, but you can by IP? I assume you have AD-integrated DNS, and you have a Windows server that's supplying DHCP. Is your DHCP server configured to perform DNS dynamic updates? What are the results of doing an nslookup for the machine vs what you know the IP to be?

There are netlogon errors on the client side, none on the server side. At least nothing from now till a week ago when I made the change over.

Permissions are set to full control for the user account along with her original SID. I assigned ownership to her new user account but that isn't helping. The files I can open from the client have the same permissions set as the ones I can't open which is perplexing.

The account wasn't assigned to a security group.

Dynamic updates are set to secure only.

nslookup makes for an interesting read. The machine is on x.x.x.18, which is what the original machine was listed as. To ping it/connect to it, it's on x.x.x.4.

Yes, I have restored Tombstoned objects in AD before, but only in a lab/test environment. I've never done it using any of the 3rd party tools that are on the site you linked to, so I can't speak towards any of them.

Who built the AD environment that you're working on? If you don't know how to create a new user account that has the same permissions as the one you deleted, chances are that they would be able to help you.

Can you restore the old account and make it work? Probably...but I consider that a last resort in a production environment.

You shouldn't have any SID issues if you restore the Tombstoned account. The SID of the old account and the new one that you created with the same name will be different.

Also, I wouldn't recommend making a backup of AD, messing around with Tombstoned objects, and then just restoring from your backup if something stops working. Restoring AD from a backup is something that should only be done in test labs or disaster recovery scenarios (IMO).

That's the biggest problem: there have been so many different IT people/firms working on this that I have no idea who did what. I'm obviously not a server guy, so that doesn't help either :)

Well, I need to figure out something; she has a lot of files she needs access to. It looks like this is somehow a DNS issue, but I'm not sure how to attack it.

Also, there's 7 other users with the same permission sets. So I can use that as a reference, but permissions don't seem to be the issue. If I set a user to have full control & ownership of files then they should be able to access them no problem, but they can't.
 
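An added example (not from the thread) for the DNS check seepy83 suggested, which paperfist's nslookup result points at: the function resolves the host name through the domain's DNS, marks the answer stale if it does not contain the address the machine is actually using, and pings each returned address to show which one nothing answers on. The host name and addresses are placeholders.

```powershell
# Added example, not from the thread. Spots an A record that still points at the address the
# old XP install had (DNS says one IP, the live Windows 7 box answers on another).

function Test-StaleHostRecord {
    param([string]$HostName, [string]$ExpectedIp)
    # forward lookup exactly as ping/UNC-by-name would do it; IPv4 answers only
    $answers = @([System.Net.Dns]::GetHostAddresses($HostName) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString })
    # an address that does not answer a single echo is most likely a leftover record
    $dead = @($answers | Where-Object { -not (Test-Connection -ComputerName $_ -Count 1 -Quiet) })
    New-Object PSObject -Property @{
        HostName    = $HostName
        DnsAnswers  = $answers
        ExpectedIp  = $ExpectedIp
        Stale       = ($answers -notcontains $ExpectedIp)   # name does not reach the live box
        DeadAnswers = $dead
    }
}

$r = Test-StaleHostRecord -HostName 'WKS-JDOE' -ExpectedIp '192.168.1.4'   # placeholders
$r | Format-List HostName, DnsAnswers, ExpectedIp, Stale, DeadAnswers
if ($r.Stale) {
    'DNS still returns the old address. On the client, run: ipconfig /registerdns'
    'If the record does not change, the zone accepts secure updates only and the old A record'
    'is owned by the deleted computer account, so an admin has to delete it in the DNS console.'
}
```

With secure-only dynamic updates, only the account that registered a record may overwrite it; a freshly joined computer account is a different principal with a different SID, which is why the stale record outlives the reinstall.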