Strange Active Directory Behavior (Authentication and Permissions)

[Guest]

Hello, we have a strange problem and are desperate for help. We have a
Windows 2000 AD environment in which there is one root level domain and two
child domains. One child domain is working perfectly fine, the other one is
causing major headaches.

I'll call the root domain root.domain and then sitea.root.domain and
siteb.root.domain.

What we're trying to do is have users log in to root.domain with their
root.domain account and then do something simple like create a file or folder
on a member server in the siteb.root.domain space. Everything has been set
up; we can go to the member server and set permissions on the folder so that
the root.domain user will have full permission to the resource. So, accounts
are pulling over fine. In fact, for some users have absolutely no problems.
The issue seems to follow user accounts. But, the user accounts having
access problems are set up EXACTLY the same as the one's that are not. Not
just in Active Directory, but also at the file and folder permissions levels
on the member server.

What happens is, the user will simply get an access denied error message
when trying to access the folder. I have also seen some users that are able
to open the folder up, but then they can't create folders or files inside the
folder. Again these users have the same permissions on the folder as myself
which btw I have not yet had a problem. We have even gone so far as to grant
the users with problems domain admin privilges in siteb.root.domain.

The only reason I mention sitea.root.domain is because we actually have
another child domain working, as far as I know, perfectly. Any advice would
be greatly appreciated.

 

[ptwilliams]

Well that does seem strange ;-)

If subdomain a is fine and sudomain b is not, look to name resolution. As
access is dependent on group memberships across a trust which heavily relies
on a GC and of course, therefore, DNS.

Ensure name resolution (SRV records not A records) are OK, and then check to
make sure that replication is fine. It Could be an issue with GC.

Then think about how you are trying to grant access based on the scope and
type of your groups.

Perhaps you could come back to us with some more information??

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net
______________________________________
Hello, we have a strange problem and are desperate for help. We have a
Windows 2000 AD environment in which there is one root level domain and two
child domains. One child domain is working perfectly fine, the other one is
causing major headaches.

I'll call the root domain root.domain and then sitea.root.domain and
siteb.root.domain.

What we're trying to do is have users log in to root.domain with their
root.domain account and then do something simple like create a file or
folder
on a member server in the siteb.root.domain space. Everything has been set
up; we can go to the member server and set permissions on the folder so that
the root.domain user will have full permission to the resource. So,
accounts
are pulling over fine. In fact, for some users have absolutely no problems.
The issue seems to follow user accounts. But, the user accounts having
access problems are set up EXACTLY the same as the one's that are not. Not
just in Active Directory, but also at the file and folder permissions levels
on the member server.

What happens is, the user will simply get an access denied error message
when trying to access the folder. I have also seen some users that are able
to open the folder up, but then they can't create folders or files inside
the
folder. Again these users have the same permissions on the folder as myself
which btw I have not yet had a problem. We have even gone so far as to
grant
the users with problems domain admin privilges in siteb.root.domain.

The only reason I mention sitea.root.domain is because we actually have
another child domain working, as far as I know, perfectly. Any advice would
be greatly appreciated.