Re: Problems with giving the Domain Users group access to folders

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 07/30/04 

Date: Fri, 30 Jul 2004 19:27:24 GMT

You certainly don't want to have computers with the same sid. SysInternals explains
this and how to remedy it as shown in the link below.

http://www.sysinternals.com/ntw2k/source/newsid.shtml
http://www.sysinternals.com/ntw2k/freeware/psgetsid.shtml --- displays sids for a
computer or local user

The Event ID's. for 8021 and 8032 are usually caused by a master browser being
multihomed. The fsmo pdc for the domain is usually the master domain browser and it
is multihomed or used as a rras server [virtual adapter even if it has one nic] you
can get those errors and experience problems with the browse list.

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q135/4/04.asp&NoWebContent=1

Any fatal error is not good with netdiag. Running netdiag /v may give more info and
dcdiag should also be run on domain controllers. First thing to check is dns
configuration in that domain controllers should point to the first domain controller
in the domain [pdc fsmo] and themselves as second in the list of preferred dns
servers in tcp/ip properties. Domain members need to point to only domain controllers
for their dns and never an ISP dns server on any domain computer. Dns problems can
result in the unresolved sids you are seeing if they are domain groups on a domain
computer. Also ipsec policies [client/respond/request] that involve the domain
controller can also cause networking problems in the domain. --- Steve

"corn29@ no_spam excite.com" <corn29@excite.com> wrote in message
news:216bf30e.0407300813.7a3ab8ed@posting.google.com...
> I thought it was very curious behavior as well... especially with
> regard to Domain Users "changing" to a local group. Local groups and
> accounts are not allowed on our system by the security folks either.
> At any rate, we're having some of the SID issues you mentioned below
> as well. I'm starting to wonder is this comes from cloning/ghosting a
> machine... at least that's when I see these problems raise their ugly
> head. I did follow Q262958 (even though we're not getting any 1000 or
> 1053 errors) without any success.
>
> So with all of this said, do you have any insight on how to clean up
> the "bunch of numbers that are the unresolved sid for the group"?
>
> Oh, BTW netdiag /fix fails on the DC with "[FATAL] Failed to get
> system information of this machine". I'm NOT getting any DNS errors
> (only browser errors - 8021 & 8032). Any ideas?
>
> Thanks again!
>
> --CW
>
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:<wq_Nc.174849$a24.97243@attbi_s03>...
> > That's a new one on me. I have never seen a "none" group. The syntax also
suggests
> > that "none" is a local computer group. Try giving "users" from the local computer
> > permissions to see if that works. The local users group on a domain computer
contains
> > the domain users group. Usually a group does not disappear, but instead you will
see
> > a bunch of numbers that are the unresolved sid for the group.
> >
> > It would be a good idea to give that computer a full virus scan with virus
> > definitions up to date as of today since you are having unexplained behavior.
Also
> > run netdiag on it looking for any failed tests that may indicate a problem with
> > domain access such as failed test/errors for dns, dc discover, kerberos, and
domain
> > membership-secure channel. nediag is part of the support tools on the install
cdrom
> > in the support/tools folder where you will need to run the setup program
here. ---
> > Steve
> >
> >
> > "corn29@ no_spam excite.com" <corn29@excite.com> wrote in message
> > news:216bf30e.0407281358.670a3d20@posting.google.com...
> > > Hello,
> > >
> > > Having a problem here with giving the group Domain Users rights to
> > > objects. For example, I have a \bin\ folder. I right click on this
> > > folder and select the Security tab. Then I click Add..., choose
> > > Domain Users from the Entire Directory, and give the group full
> > > control from the checkboxes.
> > >
> > > Here's where the problem starts. Members of Domain Users still aren't
> > > getting the access they need to \...\bin\. If I go back and check the
> > > security settings for that folder, there's no Domain Users listing.
> > > In its place is a "None" group. Its syntax is None(<<Local computer
> > > name>>\None).
> > >
> > > How can I keep this from happening? No matter how many times I try to
> > > add Domain users to an object, it always changes to the None group.
> > >
> > > Thanks,
> > >
> > > --CW

Relevant Pages

  • Re: gdm and network-manager issues SOLVED
    ... up order is wrong How can I fix this? ... Once I start X and log on as my user I have no DNS service. ... Lenny using netinstaller then dist-upgraded to Sid. ...
    (Debian-User)
  • Re: Error Message About Domain Controller
    ... spoke to a network engineer last night and he basically told me the same ... > vanilla windows nor SBS). ... > alphanumeric sequence is created, this is the domain SID. ... I didn't have the DNS Pointing to the ...
    (microsoft.public.windows.server.sbs)
  • Re: Win NT to 2003 migration
    ... > should have checked the server's NIC card card DNS ... > subdomains, once installed and the server promoted to AD, ... > profile. ... you migrate the account SID the profiles will be migrated to the new domain. ...
    (microsoft.public.windows.server.dns)
  • Re: DNS Entries
    ... > I'm setting up a DC to work with a QIP DNS server, ... > domain across to that DNS network. ... > If I enter these entries into QIP DNS as below, ... I'm curious to find out what the SID is below. ...
    (microsoft.public.win2000.advanced_server)
  • Re: DNS Entries
    ... > I'm setting up a DC to work with a QIP DNS server, ... > domain across to that DNS network. ... > If I enter these entries into QIP DNS as below, ... I'm curious to find out what the SID is below. ...
    (microsoft.public.win2000.dns)