| Author |
Message |
Aamir
Guest
|
 Posted:
Wed Dec 29, 2004 4:31 pm Post subject:
Access Denied After AD Migration |
|
|
When creating file/folderr after AD migration, getting Acess Denied error ,
however reading/browsing of folders are OK.
Background:
========
I just finshed migration from NT 4.0 to Win2k3 server.
* Trust relationship establised (still active)
* Both domain are different.
*AD didn't copy SIDs only copu users/passpord/groups.
* used SubinAcl to adjust permission in new domain.
* all user folder(under new domain) have both domain permissions
user1@olddomain.com
user2@newdomain.com
* I rejoined all work stations successfully to win2k3 domain.
* Gettin Error "Acess Denied" when tried to create folder under shared user
folder from workstation after successful authentication.
I checked all permission are OK. User has full access to his/her folder, but
can't create file/folder under her user folder.
I used attrib -r -s c:\users /s /d
but still same problem.
PLease help me |
|
| Back to top |
|
 |
Tom
Guest
|
| Posted:
Fri Dec 31, 2004 5:21 am Post subject:
Re: Access Denied After AD Migration |
|
|
try using xcacls.exe.
I think it has to do with your security permissions, not file
permissions.
nt4.0 and win 2000 platforms were left so that the administrator had to
lock down the security in the environment from scratch which turned out
to be a pita because there were lots of monkies posing as network
admins in the 90's... (and scary enough, there still are)
windows 2003 is a bit different because it locks down the environment
so that the <domain>/users and the everyone group doesnt have full
permissions to your root directories first. Now I just did a NT4 ->
2003 migration 2-3 months ago and it...well, asides the DNS hell i went
through it went as well as it probably could have.
When i did the migration the security descriptors remained ala "NT4"
like... (no one was stripped of rights from existing boxes)
one thing i can tell you is that i also didnt have complex passwords
imposed on me by default, which i read should happen...so my
environment may have been foobared from the beginning. the network
administrators before me were as smart as a chimp. |
|
| Back to top |
|
|
Aamir
Guest
|
| Posted:
Fri Dec 31, 2004 9:31 am Post subject:
RE: Access Denied After AD Migration |
|
|
folders are now on new windows2k3 server. I replaced permission but no effect.
I did in-place upgrade and things work great. I installed another windows2k3
DC and transferred user folder to new DC and found same problem. New DC have
all permissons all accounts folder with same permission as in windows NT. But
Access Denied.
Note: DC which used for in-place upgrade has no Access Denied problem.
When I use FSMT I always get this Access Denied problem.
"Rebecca Chen [MSFT]" wrote:
| Quote: | Hi Aamir,
Where is the workstation share located in the new domain or old domain? For
example, the user logon to new win2k3 domain and want to create folder
which is located in the old NT domain?
Technically speaking, "access denied" still refer to the permission
problem. Have you grant the full control NTFS permission on Security tab?
Please also check if you checked "Replace permission entries on all child
objects".
If the issue persists, please let me know the following information:
1. The detailed steps to reproduce this issue on your side.
2. copy the files I uploaded here by using Outlook express and issue the
following command:
check_sd.exe -d \\servername\shares > c:\text.txt
Send me the text.txt file for research.
3. Let me know the SID of the problematic user account. NOTE: To obtain the
user account SID, please refer to the following article:
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/getsid-o
.asp
Any update, let us get in touch!
Best regards,
Rebecca Chen
MCSE2000 MCDBA CCNA
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights |
|
|
| Back to top |
|
|
Rebecca Chen [MSFT]
Guest
|
| Posted:
Tue Jan 04, 2005 5:21 pm Post subject:
RE: Access Denied After AD Migration |
|
|
Hello,
Do you grant the permission to the individual user account or the group?
Please use check_sd to gather the info as I have mentioned and send to
v-rebc@microsoft.com for research.
As Tom mentioned, you can also try xcacls. Please take a look at the
following link:
How To Migrate Objects from One Domain to Another in Windows NT
http://support.microsoft.com/default.aspx?scid=kb;en-us;301940
Using the Command Line to Edit Multiple Subdirectory Permissions
http://support.microsoft.com/default.aspx?scid=kb;en-us;265360
Best regards,
Rebecca Chen
MCSE2000 MCDBA CCNA
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights. |
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in