Problems with giving the Domain Users group access to folders

corn29

Hello,

Having a problem here with giving the group Domain Users rights to
objects. For example, I have a \bin\ folder. I right click on this
folder and select the Security tab. Then I click Add..., choose
Domain Users from the Entire Directory, and give the group full
control from the checkboxes.

Here's where the problem starts. Members of Domain Users still aren't
getting the access they need to \...\bin\. If I go back and check the
security settings for that folder, there's no Domain Users listing.
In its place is a "None" group. Its syntax is None(<<Local computer
name>>\None).

How can I keep this from happening? No matter how many times I try to
add Domain users to an object, it always changes to the None group.

Thanks,

--CW
 
Steven L Umbach

That's a new one on me. I have never seen a "none" group. The syntax also suggests
that "none" is a local computer group. Try giving "users" from the local computer
permissions to see if that works. The local users group on a domain computer contains
the domain users group. Usually a group does not disappear, but instead you will see
a bunch of numbers that are the unresolved sid for the group.

It would be a good idea to give that computer a full virus scan with virus
definitions up to date as of today since you are having unexplained behavior. Also
run netdiag on it looking for any failed tests that may indicate a problem with
domain access such as failed test/errors for dns, dc discover, kerberos, and domain
membership-secure channel. netdiag is part of the support tools on the install cdrom
in the support/tools folder where you will need to run the setup program there. ---
Steve
 
corn29

I thought it was very curious behavior as well... especially with
regard to Domain Users "changing" to a local group. Local groups and
accounts are not allowed on our system by the security folks either.
At any rate, we're having some of the SID issues you mentioned below
as well. I'm starting to wonder if this comes from cloning/ghosting a
machine... at least that's when I see these problems raise their ugly
head. I did follow Q262958 (even though we're not getting any 1000 or
1053 errors) without any success.

So with all of this said, do you have any insight on how to clean up
the "bunch of numbers that are the unresolved sid for the group"?

Oh, BTW netdiag /fix fails on the DC with "[FATAL] Failed to get
system information of this machine". I'm NOT getting any DNS errors
(only browser errors - 8021 & 8032). Any ideas?

Thanks again!

--CW
 
Steven L Umbach

You certainly don't want to have computers with the same sid. SysInternals explains
this and how to remedy it as shown in the link below.

http://www.sysinternals.com/ntw2k/source/newsid.shtml
http://www.sysinternals.com/ntw2k/freeware/psgetsid.shtml --- displays sids for a
computer or local user

The Event IDs 8021 and 8032 are usually caused by a master browser being
multihomed. The fsmo pdc for the domain is usually the master domain browser, and if
it is multihomed or used as a rras server [virtual adapter even if it has one nic] you
can get those errors and experience problems with the browse list.

http://support.microsoft.com/defaul...port/kb/articles/q135/4/04.asp&NoWebContent=1

Any fatal error is not good with netdiag. Running netdiag /v may give more info and
dcdiag should also be run on domain controllers. First thing to check is dns
configuration in that domain controllers should point to the first domain controller
in the domain [pdc fsmo] and themselves as second in the list of preferred dns
servers in tcp/ip properties. Domain members need to point to only domain controllers
for their dns and never an ISP dns server on any domain computer. Dns problems can
result in the unresolved sids you are seeing if they are domain groups on a domain
computer. Also ipsec policies [client/respond/request] that involve the domain
controller can also cause networking problems in the domain. --- Steve
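
A sketch of the duplicate-SID problem discussed above, as an added example that is not part of the original thread: the local "None" group and the domain's "Domain Users" group both use RID 513, so a cloned computer whose machine SID equals the domain SID holds both under one SID value, which is one way to end up with the `<computer>\None` entry from the first post. The SID strings, computer names, domain name `CORP`, function names and the local-before-domain lookup order are all constructed assumptions.

```python
import re
from collections import defaultdict

RID_513 = 513                      # local "None" and domain "Domain Users"
MAX_SUBAUTH = 2**32 - 1            # each sub-authority is a 32-bit value
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)(?:-(\d+))?$", re.IGNORECASE)

# Constructed sample data (not taken from the thread).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
MACHINES = {
    "WS01": "S-1-5-21-1111111111-2222222222-3333333333",  # same as the domain
    "WS02": "S-1-5-21-1234567890-1234567891-1234567892",
    "WS03": "S-1-5-21-1234567890-1234567891-1234567892",  # ghosted from WS02
    "WS04": "S-1-5-21-2000000001-2000000002-2000000003",
}


def parse_sid(sid):
    """Split an S-1-5-21 SID into (base, rid); rid is None for a bare machine/domain SID."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not an S-1-5-21 SID: {sid!r}")
    parts = [int(g) for g in m.groups() if g is not None]
    if any(p > MAX_SUBAUTH for p in parts):
        raise ValueError(f"sub-authority out of range: {sid!r}")
    base = "S-1-5-21-" + "-".join(str(p) for p in parts[:3])
    return base, (parts[3] if len(parts) == 4 else None)


def audit(domain_sid, machine_sids):
    """Return (groups of computers sharing a machine SID, computers matching the domain SID)."""
    domain_base, _ = parse_sid(domain_sid)
    by_base = defaultdict(list)
    for name, sid in machine_sids.items():
        by_base[parse_sid(sid)[0]].append(name)
    clones = sorted(sorted(names) for names in by_base.values() if len(names) > 1)
    return clones, sorted(by_base.get(domain_base, []))


def display_name(ace_sid, machine, machine_sid, domain, domain_sid):
    """Simplified model of labelling an ACE for RID 513 only: local match first
    (assumption), then domain, otherwise the raw SID is shown unresolved."""
    base, rid = parse_sid(ace_sid)
    if rid == RID_513 and base == parse_sid(machine_sid)[0]:
        return f"{machine}\\None"
    if rid == RID_513 and base == parse_sid(domain_sid)[0]:
        return f"{domain}\\Domain Users"
    return ace_sid


if __name__ == "__main__":
    print(audit(DOMAIN_SID, MACHINES))
    for host in ("WS01", "WS04"):
        print(host, display_name(DOMAIN_SID + "-513", host, MACHINES[host], "CORP", DOMAIN_SID))
```

Feeding it the SIDs collected from each computer (for example with the psgetsid tool linked above) shows which machines need a new SID before their ACLs can be trusted.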

 
corn29

Steve,

Thanks for the help so far!!! I have another question based upon your
last post. I have 2 DCs -- dc1 and dc2. dc1 and dc2 are both DNS
servers and both are domain controllers (with dc1 being the fsmo pdc).
dc1 said:
First thing to check is dns configuration in that domain controllers should
point to the first domain controller in the domain [pdc fsmo]
and themselves as second in the list of preferred dns.

So in the case of dc1, are both the primary and secondary DNS addresses
10.10.0.10 then?

Thanks,

--CW

 
Steven L Umbach

Hi CW.

See the link below for explanation. The first dc can point just to itself as the
primary only. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382

 
corn29

Steve,

Thanks for all your help... I did find out over the course of fixing
this problem that for netdiag to work, the Remote Registry Service has
to be enabled. I had it disabled based upon guidance from our
security folks.

Thanks,

--CW

 
