Weird Server Permissions Issue.



Users on my network have started complaining they are missing shared locations, can't access certain files and are getting permission errors when trying to access server resources.

I have looked at everything on the server but I can't work out why it's happening; nothing has been changed on the server or workstations for months... it's totally random.

I have tried installing programs from a limited account run as an admin but get permission denied; I also get permission denied when running \\server.

It's only happening on some workstations and it's doing it on both XP and Vista.

Any ideas why this might be happening? Maybe a reboot of the Server & Firewall would fix this?


Possibly a reboot (highly doubtful). Check the services on your server and make sure that they are started properly (Workstation and Server services). Finally, check your share-level and file-level permissions and make sure everything that is supposed to be there is still there. I would be willing to bet that your services have stopped or someone has disabled them.


You can run into crazy issues if the clients are imaged and you did not change the SIDs?

You sure accounts are not getting locked out? You can have issues with users that change their passwords while disconnected from the network - say laptops not on wireless when they change or at home, etc.

But as sc302 suggests, double-check the share and file permissions -- did the users get moved out of a group, or into a group that has a deny, etc.

You can only auth to a server with a specific account at a time.. So if you have any applications or something that are creating a connection with account A, if the user tries to then access a share off that server with their logged in account B they could be denied, etc.


Access Denied...saying they don't have permissions.

An example:

All users have a drive W: that is mapped at logon, this gives them access to a shared location to access and save files.

When they are going to open from MS Office, they get the error 'W: is not accessible, the drive may be password protected...'

No network shares are showing up under My Computer.

The strange thing is it's only happening to some accounts and nothing has been changed on the server.

Actually, now I think about it, I added around 30 accounts a few weeks ago.


The full error when trying to access the mapped W: drive:

The folder 'w:' isn't accessible. The folder may be located in an unavailable location, protected with a password, or the filename contains a / or \.

And when trying to access something like \\server from Run, we just get permission denied errors.


If all of your services are running, check your licenses under Administrative Tools. Look in the Event Viewer on the server: if all of the services are running, you should be getting ! or X messages when someone tries to map, associated with what is going on with the server. Sporadic usually means licensing; completely down usually means services. Also check your time: if it is more than 5 min off between workstation and server it could be an issue. I run NTP and sync my domain with tock.usno.navy.mil.


"drive may be password protected" implies a workgroup server and not one in a domain.

The doc applies to XP password-based sharing and may help: Link

I'm not sure what you mean, as we are in a domain, have been for several years, and this has started at random.

sc302, you mentioned time; funnily enough I also changed the time on the server a couple of days ago, as it seemed to be a few minutes off, although at the moment it is correct.


Is the PC clock and server clock more than 5 min off from each other? What about the PC clock to the DC clock?

The easiest way to fix this is to use this method:

http://www.articlesbase.com/networks-artic...ver-108481.html

In short:

regedit

    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config
        AnnounceFlags = 5

    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
        NtpServer = tock.usno.navy.mil,0x1
        Type = NTP

cmd

    net stop w32time
    net start w32time
    w32tm /resync /rediscover

This will set your time to the US East Coast Navy atomic clock.

Your workstations will then automatically pull the time from the DC with no configuration on them.

Here are NTP servers for the UK:

http://www.timetools.co.uk/info/ntp-server...k-stratum-2.htm

Using an FQDN, you will need the ,0x1 at the end, so it will look like:

fqdn,0x1

Edited by sc302
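The registry procedure above, scripted as an added example (this is not sc302's code or anything from the thread). It writes the same three values, restarts the service, and then reads the settings back so the before and after can be compared. It is meant to run in an elevated Windows PowerShell on the DC holding the PDC emulator role; tock.usno.navy.mil is the peer the thread uses and should be replaced with an NTP server near you.

```powershell
# Added example (not code from the thread): apply the W32Time registry settings
# sc302 describes, then verify them. Run elevated on the PDC emulator only;
# every other DC and member stays on the default Type = NT5DS and follows it.
# Assumes Windows PowerShell with the HKLM: registry provider and w32tm.exe.
$NtpPeer = 'tock.usno.navy.mil,0x1'   # ,0x1 = SpecialInterval flag the thread mentions for FQDN peers

$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$paramKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

# Read the three values the thread cares about so before/after can be compared.
function Get-W32TimeSettings {
    [pscustomobject]@{
        AnnounceFlags = (Get-ItemProperty -Path $configKey -Name AnnounceFlags -ErrorAction SilentlyContinue).AnnounceFlags
        NtpServer     = (Get-ItemProperty -Path $paramKey  -Name NtpServer     -ErrorAction SilentlyContinue).NtpServer
        Type          = (Get-ItemProperty -Path $paramKey  -Name Type          -ErrorAction SilentlyContinue).Type
    }
}

Write-Host 'W32Time settings before:'
Get-W32TimeSettings | Format-List

# AnnounceFlags 5 = announce as a time server (1) + announce as a reliable time
# server (4); that is what makes domain members treat this DC as the top of the
# time hierarchy. Type NTP tells the service to sync from the manual peer list.
Set-ItemProperty -Path $configKey -Name AnnounceFlags -Value 5        -Type DWord
Set-ItemProperty -Path $paramKey  -Name Type          -Value 'NTP'    -Type String
Set-ItemProperty -Path $paramKey  -Name NtpServer     -Value $NtpPeer -Type String

# Same effect as 'net stop w32time' / 'net start w32time' in the thread.
Restart-Service -Name w32time

# Force the service to pick up the new peer and resync now.
w32tm /resync /rediscover

Write-Host 'W32Time settings after:'
Get-W32TimeSettings | Format-List

# Confirm the service is really using the peer and not the local CMOS clock.
# (w32tm /query exists on Vista / Server 2008 and later; on Server 2003 use
# 'w32tm /monitor' from a member to see the DC's offset and RefID instead.)
w32tm /query /source
w32tm /query /status
```

On Server 2008 and later the same values can be written with `w32tm /config /manualpeerlist:"tock.usno.navy.mil,0x1" /syncfromflags:manual /reliable:yes /update` followed by a service restart; the registry route above is the one that also works on 2003, which is the version the thread is dealing with.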

So nothing in any of your event logs (server or PC), all of the services that are supposed to be on the server in question are started (comparing to other servers that are running), not a licensing issue, not a time issue. You did reboot after fixing the time, right (if you did fix it)?


So nothing in any of your event logs (server or PC), all of the services that are supposed to be on the server in question are started (comparing to other servers that are running), not a licensing issue, not a time issue. You did reboot after fixing the time, right (if you did fix it)?

There is a DCOM error saying the service could not be started because it is disabled: Attempting to start the service BITS with arguments "" in order to run the server {...}

BITS is disabled on both server and firewall.

MRxSmb - the redirector was unable to initialize security context attributes.

^^ there are A LOT of those warnings.

The rest of the services look fine.

The Licensing service was disabled for some reason; I've now enabled that.

I didn't reboot after fixing the time - will try that now.

Thanks again for your replies. :)


I've done a quick test after restarting and it seems to be working again... so the time thing must have fixed it. I had to quickly leave, so I will test on more accounts & workstations tomorrow, but hopefully that was it.

Thanks


As sc302 mentions -- yeah, time being off between the client and the server can cause you lots of fun.. but all the members of the domain should be keeping in sync out of the box.

Normally the DC that holds the PDC emulator role will be the master time server; in a forest all the sub-domains will sync with the PDC emulator role DC in the forest root. You can check all this stuff out with w32tm.

For example, from a client you can do

w32tm /monitor

This will point out all the DCs in your domain, which one is the PDC, and the other DCs syncing off of it -- i.e. the RefID:

Here I snipped out the domain info in the output from this location:

d:\>w32tm /monitor
S4DE8SSAAHE.snipped *** PDC *** [10.206.163.19]:
    ICMP: 122ms delay.
    NTP: +0.0000000s offset from S4DE8SSAAHE.snipped
        RefID: S4DE8PSAAQR.blf.snipped [10.151.164.4]
s4mxpusyaav.snipped [10.58.222.11]:
    ICMP: 74ms delay.
    NTP: +0.0065214s offset from S4DE8SSAAHE.snipped
        RefID: S4DE9JSAAQD.mgb.snipped [10.125.189.13]
s4usjvsyaav.snipped [10.56.144.11]:
    ICMP: 51ms delay.
    NTP: -0.0032134s offset from S4DE8SSAAHE.snipped
        RefID: S4DE9JSAAQD.mgb.snipped [10.125.189.13]
s4usjvsyaaw.snipped [10.56.144.12]:
    ICMP: 58ms delay.
    NTP: +0.0005945s offset from S4DE8SSAAHE.snipped
        RefID: S4DE8SSAACJ.gppng.snipped [10.206.162.6]
s4ushosyaav.snipped [10.56.18.11]:
    ICMP: 94ms delay.
    NTP: -0.0031219s offset from S4DE8SSAAHE.snipped
        RefID: S4DE8SSAACJ.gppng.snipped [10.206.162.6]

w32tm is a very useful tool when troubleshooting time sync issues on your domain. Lots of great info you can get from it -- not as useful as ntpq, but you work with what you've got ;) But yeah, time sync issues can cause you lots of grief!!

You should make sure your domain is set up to sync time with a reliable outside source and you should never have to worry about time issues.. You should never have to manually adjust time on a server or even client in a domain.. It can cause you great grief ;)


You should never have to manually adjust time on a server or even client in a domain.. It can cause you great grief ;)

I had a client who went around setting their time manually after noticing the servers and the workstations were off by an hour. Of course, had they checked the timezone settings on the servers, they could have saved themselves the trouble they found themselves in when I fixed the server times on 4 servers and watched their stations instantly become invalid clients. :laugh:

BTW, I get 2 PDCs when I run that command.


Hmmm - I don't believe it's possible to have 2 DCs running the PDC emulator FSMO role in the same domain? Not sure on your setup, but sure each domain would have its own PDC emulator role. Would have to know more about your domain setup to understand what you're seeing?

Not exactly sure of how/where the command determines if the box is a PDC either? Hmmmm -- have to look into that ;)

But from this:

http://support.microsoft.com/kb/324801

How to view and transfer FSMO roles in Windows Server 2003

"At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest."

You might want to look into that ;)

edit: If you don't mind, could you post your w32tm /monitor output -- you can change info so it's not actually telling anything about your domain. And then the output of this command will tell us who has your PDC role:

dsquery server -domain <<your domain name>> -hasfsmo pdc

Example:

d:\>dsquery server -domain domainname -hasfsmo pdc

"CN=S4DE8SSAAHE,CN=Servers,CN=snipped,CN=Sites,CN=Configuration,DC=snipped,DC=snipped"

Edited by BudMan

Microsoft Windows [Version 6.1.7100]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Joel>w32tm /monitor
exchange.fq.dn *** PDC ***[192.168.0.3:123]:
	ICMP: 0ms delay
	NTP: +0.0000000s offset from exchange.fq.dn
		RefID: w2k3srv.fq.dn [192.168.0.4]
		Stratum: 3
w2k3srv.fq.dn *** PDC ***[192.168.0.4:123]:
	ICMP: 0ms delay
	NTP: +0.0148074s offset from exchange.fq.dn
		RefID: time-b.nist.gov [129.6.15.29]
		Stratum: 2

Warning:
Reverse name resolution is best effort. It may not be
correct since RefID field in time packets differs across
NTP implementations and may not be using IP addresses.

C:\Users\Joel>

"CN=W2K3SRV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fq,DC=dn"

Setup is:

w2k3srv is the PDCE and all the rest of that fun stuff; exchange is also a catalog server (required). Both are DCs.

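BudMan's explanation of what w32tm /monitor shows (which DC is the PDC, who each DC syncs from, the offset) and Joel's output with two hosts marked *** PDC *** both lend themselves to a small parser, so here is one as an added example; it is not code from the thread or from either poster. It reads the /monitor text into objects and then flags the two conditions the thread is about: more than one DC marked PDC, and any DC whose offset from the reference exceeds the 5-minute Kerberos tolerance sc302 mentions. The sample output embedded below is constructed (hypothetical host names and addresses) and deliberately includes a DC that is 6 minutes off.

```powershell
# Added example (not from the thread): parse 'w32tm /monitor' output and check
# the time hierarchy. Works in Windows PowerShell 3.0 and later.

# Constructed sample in the same layout as the thread's output; not real hosts.
$sample = @'
dc1.example.local *** PDC *** [10.0.0.1:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from dc1.example.local
        RefID: time.example.net [10.0.0.250]
        Stratum: 3
dc2.example.local [10.0.0.2:123]:
    ICMP: 12ms delay
    NTP: +361.2500000s offset from dc1.example.local
        RefID: dc1.example.local [10.0.0.1]
        Stratum: 4
'@

# Turn the text into one object per DC: name, PDC marker, address, offset, RefID, stratum.
function Parse-W32tmMonitor {
    param([string]$Text)
    $entries = @()
    $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        # Header line: "<host> [*** PDC ***] [<ip>[:port]]:"  (no space before '[' is fine too)
        if ($line -match '^(\S+)\s*(\*\*\* PDC \*\*\*)?\s*\[([^\]]+)\]:\s*$') {
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{
                Name          = $Matches[1]
                IsPdc         = [bool]$Matches[2]   # unmatched optional group -> $false
                Address       = $Matches[3]
                OffsetSeconds = $null
                RefId         = $null
                Stratum       = $null
            }
        } elseif ($current -and $line -match 'NTP:\s*([+-]?\d+\.\d+)s offset') {
            $current.OffsetSeconds = [double]$Matches[1]
        } elseif ($current -and $line -match 'RefID:\s*(.+?)\s*$') {
            $current.RefId = $Matches[1]
        } elseif ($current -and $line -match 'Stratum:\s*(\d+)') {
            $current.Stratum = [int]$Matches[1]
        }
    }
    if ($current) { $entries += $current }
    return ,$entries
}

# Report anything that would explain "access denied" symptoms or an odd PDC count.
function Test-DomainTimeHealth {
    param([object[]]$Entries, [double]$MaxSkewSeconds = 300)   # 300 s = Kerberos default tolerance
    $findings = @()
    $pdcs = @($Entries | Where-Object { $_.IsPdc })
    if ($pdcs.Count -ne 1) {
        $findings += "Expected exactly one DC marked *** PDC ***, found $($pdcs.Count): $($pdcs.Name -join ', ')"
    }
    foreach ($e in $Entries) {
        if ($null -ne $e.OffsetSeconds -and [math]::Abs($e.OffsetSeconds) -gt $MaxSkewSeconds) {
            $findings += "$($e.Name) is $($e.OffsetSeconds)s from the reference; beyond the ${MaxSkewSeconds}s Kerberos tolerance"
        }
    }
    return ,$findings
}

$entries = Parse-W32tmMonitor -Text $sample
$entries | Format-Table Name, IsPdc, Address, OffsetSeconds, RefId, Stratum -AutoSize

$problems = @(Test-DomainTimeHealth -Entries $entries)
if ($problems.Count -eq 0) { 'No time-hierarchy problems found' } else { $problems }
# With the constructed sample this reports dc2.example.local at +361.25 s.
```

Against a live domain, replace the sample with the real output: `$entries = Parse-W32tmMonitor -Text ((w32tm /monitor) -join "`n")`. Joel's output would produce a finding on the PDC count, which is exactly the oddity BudMan goes on to question.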

You should never have to manually adjust time on a server or even client in a domain.. It can cause you great grief ;)

That's interesting, I didn't know that. I manually changed the time last week, so I'm guessing that's the root cause of the problem. Looking forward to testing tomorrow.

Thanks for the help guys.


Hmmm Joel, you got my curiosity piqued.. But off the top not sure why you would be seeing that.. I don't recall ever seeing anything like that before.. I just checked a few other domains I have access to.. And they were showing only 1 PDC with w32tm; had one domain not showing any.. forgot to do the dsquery to see who was listed as the PDC before I disconnected the VPN connection.. But that company is a big forest, etc.. will have to get with their admin -- other domains in their forest were all listing the PDC with the w32tm command for that domain in the forest.. But one of the sub-domains did not.. hmmm

Have to look into it some more; might have to do some digging on where/how w32tm determines if it's a PDC or not, etc.


Tested it on a few 'student' accounts earlier and it seemed to be working.

A few hours later someone on a 'staff' account logged in and no network drives had mapped; when I tried \\server I got a permission denied.... Then on another account all network drives said disconnected in My Computer.

[edit] Just had a full class of students and most of them can't access the files or network shares.

[edit 2]

After looking up the error

MRxSmb - The redirector was unable to initialize security context or query context attributes.

I was brought to this: http://support.microsoft.com/kb/263142

If your computer cannot connect to a resource on the network, you may see one or more warnings in the System event log with event ID 3034 and a source of MRxSmb (MRxSmb is the Server Message Block, or SMB, mini-redirector in Windows 2000, with secure SMB capabilities).

That's exactly what my problem is, and there are hundreds of MRxSmb errors.

How do these registry values look..

[attachment: reg.bmp]

Edited by forcer
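The KB article forcer quotes ties the MRxSmb 3034 warnings to the workstation failing to authenticate to the server, and the rest of the thread ties that to clock skew. As an added example (not forcer's or anyone's code from the thread), the script below runs on an affected workstation: it buckets the 3034 warnings in the System log by hour, so their onset can be lined up with when the server clock was changed, and then measures the machine's current offset from a DC with w32tm /stripchart. dc1.example.local is a placeholder for your DC's name.

```powershell
# Added example (not from the thread): correlate MRxSmb 3034 warnings with clock
# skew on a workstation. Assumes Windows PowerShell (Get-EventLog) and w32tm.exe,
# both present from XP/2003 onward. $DomainController is a placeholder.
param(
    [string]$DomainController = 'dc1.example.local',
    [int]$Days = 7
)

$KerberosMaxSkewSeconds = 300   # default Kerberos clock tolerance: 5 minutes

# 1. Count 3034 warnings per hour. A cluster that begins at one particular hour
#    usually marks when the clock was changed or the DC stopped being reachable.
$warnings = @(Get-EventLog -LogName System -Source MRxSmb -After (Get-Date).AddDays(-$Days) -ErrorAction SilentlyContinue |
              Where-Object { $_.EventID -eq 3034 })
Write-Host ("{0} MRxSmb 3034 warnings in the last {1} day(s)" -f $warnings.Count, $Days)
$warnings |
    Group-Object { $_.TimeGenerated.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name |
    Format-Table Name, Count -AutoSize

# 2. Measure this machine's offset from the DC. /dataonly prints one
#    "<time>, <offset>s" line per sample; anything else (errors, banner) is ignored.
$samples = w32tm /stripchart "/computer:$DomainController" /samples:3 /dataonly 2>&1
$offsets = @(foreach ($line in $samples) {
    if ($line -match '([+-]\d+\.\d+)s') { [double]$Matches[1] }
})

if ($offsets.Count -eq 0) {
    Write-Warning "Could not sample $DomainController (is it reachable on UDP 123?)"
} else {
    $last = $offsets[-1]
    if ([math]::Abs($last) -gt $KerberosMaxSkewSeconds) {
        Write-Warning ("Clock is {0:N3}s from {1}; beyond the {2}s Kerberos tolerance, so authentication to shares will fail" -f $last, $DomainController, $KerberosMaxSkewSeconds)
    } else {
        Write-Host ("Clock is {0:N3}s from {1}; within tolerance" -f $last, $DomainController)
    }
}
```

If the offset is within tolerance but the 3034 warnings keep arriving, the remaining suspects in this thread are the ones sc302 listed: the Server and Workstation services on the file server and the Licensing service.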

This is what your NTP settings should look like on your server, but replacing tock.usno.navy.mil with an NTP server local to you. These registry settings are from a Windows 2003 server.

[attachment: post-118098-1253709446_thumb.jpg]

[attachment: post-118098-1253709493_thumb.jpg]
