Weird NTFS permissions issue
- I have a server 2008 x64 fileserver that is domain bound. I am attempting to put ntfs permissions on various file stores. When i try to add the group 'domain users' the group resolves in the security tab, but when i click ok it shows in the group window as 'None\(Servername\None). This is the only group that this appears to happen with. The server can see the domain controller without any problems that i can find. The users appear to have the appropriate access levels, but this group won't resolve correctly. Any one have any ideas?
Réponses
Hi Russell,
Thanks for your reply.
Based on the research on the screenshot, I have some questions need to ask you.
1. I have noticed that there are 3 domain (ADTX, ADCA, CAFP) existing in your system environment, could you please tell me what is trust relationship among them?
2. Please also tell us which domain does the problematic file server belong to?
3. I wonder if that problematic file server was restored from a same image that was cloned on another existing member server in your domain. If this is true, the Weird NTFS permission can occurs due to the reason that two of the computer object have the same SID in the domain.
You may check the computers’ SID by this using psgetsid.exe, you can directly run it in the command line prompt on that 2 servers to check if the SID is the same.
PsGetSid v1.43
http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx
If this is the case, we should use utilities like NewSID for that cloned problematic file server to generate new SIDs
NewSID v4.10
http://technet.microsoft.com/en-us/sysinternals/bb897418.aspx
Please run the above utility on that file server and then check if the issue can be fixed.
If the issue still exists, I suggest you disjoin the file server and rejoin it to the domain again.
Hope this can be helpful.
This posting is provided "AS IS" with no warranties, and confers no rights.- Marqué comme réponseRussell Reid dimanche 12 juillet 2009 13:57
Toutes les réponses
Hello Rusell,
To investigate the issue, please check Group Scope and Group Type of that problematic group in Active Directory Users and Computers snap-in and tell us the result.
As you said this group won’t resolve correctly, do you select the group based on the following criteria?
Object Types: Users, Groups, or Built-in security principals
From this location: Entire Directory
Can the group be resolved in the above search criteria? If not, please check whether that group exists in AD or not.
If possible, please take screenshot when the issue occurs, and then send us via tfwst@microsoft.com
Please elaborate more in detailed within the mail.
Thank you for the co-operation.
This posting is provided "AS IS" with no warranties, and confers no rights.Hi Russell,
I’d like to check how things are going. Did you have the chance to try the troubleshooting steps? If you have any other questions, please do not hesitate to let me know. I look forward to your further updates.
This posting is provided "AS IS" with no warranties, and confers no rights.Hi Russell,
Thanks for your reply.
Based on the research on the screenshot, I have some questions need to ask you.
1. I have noticed that there are 3 domain (ADTX, ADCA, CAFP) existing in your system environment, could you please tell me what is trust relationship among them?
2. Please also tell us which domain does the problematic file server belong to?
3. I wonder if that problematic file server was restored from a same image that was cloned on another existing member server in your domain. If this is true, the Weird NTFS permission can occurs due to the reason that two of the computer object have the same SID in the domain.
You may check the computers’ SID by this using psgetsid.exe, you can directly run it in the command line prompt on that 2 servers to check if the SID is the same.
PsGetSid v1.43
http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx
If this is the case, we should use utilities like NewSID for that cloned problematic file server to generate new SIDs
NewSID v4.10
http://technet.microsoft.com/en-us/sysinternals/bb897418.aspx
Please run the above utility on that file server and then check if the issue can be fixed.
If the issue still exists, I suggest you disjoin the file server and rejoin it to the domain again.
Hope this can be helpful.
This posting is provided "AS IS" with no warranties, and confers no rights.- Marqué comme réponseRussell Reid dimanche 12 juillet 2009 13:57
- Actually the three domains are all in the same forest adtx.idibri.com, adca.idibri.com, and idibri.com. CAFP is the file server in the ADCA domain. Native Server 2008 running at server 2008 functional level both forest and domains. I will check on the SIDs on the servers to see if they are the same.
- Wow, you called that one. My file server I had three servers with the same SID. I am in the process of changing those on two of the servers. Wonder if this was contributing to a couple of other vexing problems that i have had. I will check those out after i am done.
So much for time saving when you clone. I guess i forgot to check the box that says 'Generate new SID'.
