Authenticated users not gaining Directory Service Access

Status
Not open for further replies.

PacSec

Every morning for the last couple of weeks I have had users unable to access network drives after they log in. There is no error on their machine as they log in.

In reviewing the security log on the DC (Win2k3), I see that these users do not have the normal log entry for "Directory Service Access", event ID 565. I am logging both successes and failures but I get no failures for the DS access. Finally, after numerous attempts at logging on, the user will gain access to the drives and there will be entries in the log for DS access.

I am unable to figure out why the user is not being granted, or, given the lack of failure audits, even requesting, DS access. Can anyone shed light on this?
 
What, if any, are the error messages the users receive when they attempt to access the shared drives?
 
Have you checked the logs on the workstation itself? They might have some helpful details that can send you in the right direction.
 
I've checked the WS logs. They provided nothing that was able to help me.

I'm waiting for a user who had the problem before to experience it again. It seems I may have gone through a couple of different issues that I originally thought were the same.

Originally I was experiencing a permissions issue that was not allowing a network application to work like it is supposed to. I addressed that situation but was never sure that I had really fixed it. The same app and a similar, although different, error is what alerted me to the problem I am having now. But I believe the problem now is just not getting drives mapped like they are supposed to. The logs indicate the problem is the same (not going through the process of obtaining Directory Services access), which is why I did not at first notice the difference in error messages.

Fact is, I'm befuddled. It seems as though the login script (as defined by ScriptLogic) may not be running through to its entirety. But then again, maybe the script is running but Windows is botching the execution of it. The biggest problem is its random nature and lack of errors.

I'm looking for any ideas here. Even if you think it is crazy, I'll appreciate anything you can come up with.
 
So I thought.
I think you have problems with the security policy.
Behind Event ID 565 there are 2 descriptions:

1.
------
Event ID 565
Event Log = Security
Event Type = Information
Event Source = Security
Info:
Object Open:
    Object Server:      %1
    Object Type:        %2
    Object Name:        %3
    New Handle ID:      %4
    Operation ID:       {%5,%6}
    Process ID:         %7
    Primary User Name:  %8
    Primary Domain:     %9
    Primary Logon ID:   %10
------

2.
Event ID 565
Event Log = System
Event Type = Warning
Event Source = Quartz
Info:
Cannot render the file because it is corrupt.
----------


Looks like your problem is coming from option 1.

You may have to review all the security policies you have put on the Organizational Unit:
Domain Security Policy
Domain Controller Security Policy
Also the Local Security Policy - this is the weakest

You said some users:
Are all users in one OU
or in different ones?


I suggest putting the users in one OU,
then making other OUs inside it by department.

On the main OU set up a new Group Policy:
Create a new one and rename it.
Do not leave it with the default name: "New Group Policy Object".
Locate it in the same window and tick "Block Policy Inheritance".
This will prevent overriding from the Group Policy above.
Then hit "Edit"
and set up whatever you like for Computer or User.

Sometimes there is a mix between the "Default Domain Policy" and
policies which are added later down the tree without "Block Policy Inheritance".


Can you post the exact error message here?
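The OU and GPO layout described in the post above, done from PowerShell as an added example (this is not code from the thread or from the poster). It assumes the ActiveDirectory and GroupPolicy modules (RSAT on Windows Server 2008 R2 or later, so not the Windows 2003-era console the thread is using), PowerShell 3.0 or later, and a session with rights to create OUs and GPOs; the OU names, department names and GPO name are assumptions.

```powershell
# Added example, not from the thread. Builds a main user OU with
# department OUs beneath it, links a newly named GPO to the main OU and
# blocks policy inheritance on it, then shows what applies afterwards.
# Assumes RSAT (ActiveDirectory + GroupPolicy modules) and PowerShell 3+.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn    = (Get-ADDomain).DistinguishedName        # e.g. DC=corp,DC=example
$usersOu     = "OU=Corp Users,$domainDn"               # assumed "main" OU for all users
$departments = 'Finance', 'Sales'                      # assumed child OUs, one per department
$gpoName     = 'Corp Users - Drive Mapping'            # descriptive name, not "New Group Policy Object"

# 1. Main user OU, with one OU per department inside it.
#    -LDAPFilter avoids the terminating error Get-ADOrganizationalUnit
#    raises when -Identity does not exist.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(distinguishedName=$usersOu)")) {
    New-ADOrganizationalUnit -Name 'Corp Users' -Path $domainDn
}
foreach ($dept in $departments) {
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$dept'" -SearchBase $usersOu -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $dept -Path $usersOu
    }
}

# 2. A GPO with its own name, linked to the main OU (not created under the
#    default name and then left there).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'User settings for all corporate users'
}
$alreadyLinked = (Get-GPInheritance -Target $usersOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $usersOu -LinkEnabled Yes | Out-Null
}

# 3. Block inheritance on the main OU so GPOs linked above it (domain level
#    and parent OUs) no longer flow down. Caveat: a link marked Enforced
#    higher up still applies; blocking cannot override an enforced link.
Set-GPInheritance -Target $usersOu -IsBlocked Yes | Out-Null

# 4. Verify: links on the OU, whether inheritance is blocked, and the
#    resulting inherited set (enforced links from above still show here).
Get-GPInheritance -Target $usersOu |
    Select-Object Path, GpoInheritanceBlocked,
        @{ n = 'LinkedGpos';    e = { ($_.GpoLinks          | ForEach-Object DisplayName) -join ', ' } },
        @{ n = 'InheritedGpos'; e = { ($_.InheritedGpoLinks | ForEach-Object DisplayName) -join ', ' } }
```

Step 4 is the check worth keeping after any inheritance change: if a GPO you expected to disappear is still listed under InheritedGpos, it is linked with Enforced somewhere above the OU, and blocking inheritance will not remove it.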
 
milen, I think your steps may have directed me to the problem: http://support.microsoft.com/default.aspx?scid=kb;en-us;828760

I think this article may indicate the cause of my problem. I did indeed get this error message when I tried to adjust the group policies.
Each Group Policy object (GPO) is stored partly in the Sysvol folder on the domain controller and partly in the Active Directory directory service. GPMC, Group Policy Object Editor, and the old Group Policy user interface that is provided in the Active Directory snap-ins present and manage a GPO as a single unit. For example, when you set permissions on a GPO in GPMC, GPMC sets permissions on objects both in Active Directory and in the Sysvol folder. For each GPO, the permissions in Active Directory must be consistent with the permissions in the Sysvol folder. You must not change these separate objects outside GPMC and Group Policy Object Editor. If you do so, this may cause Group Policy processing on the client to fail, or certain users who generally have access may no longer be able to edit a GPO.
I think this may explain my problem. We will see.
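The condition the KB article quoted above describes, a GPO whose permissions in Active Directory no longer match the ACL on its Sysvol folder, can be checked across a domain before touching anything in GPMC. The script below is an added example, not code from the thread or from the Microsoft article. It assumes the GroupPolicy module (RSAT on Windows Server 2008 R2 or later; the Windows 2003 DC in the thread predates it), PowerShell 3.0 or later, and a domain-joined session that can read Sysvol. The function name, the output fields and the decision to ignore the CREATOR OWNER entry are assumptions of the example.

```powershell
# Added example, not from the thread. For every GPO, compare the trustees
# granted access on the GPO object in Active Directory (Get-GPPermission)
# with the trustees allowed on its Sysvol folder, and report each side's
# extras. Assumes RSAT GroupPolicy module and PowerShell 3+.
Import-Module GroupPolicy

function Get-GpoPermissionMismatch {
    [CmdletBinding()]
    param(
        # Domain to inspect; defaults to the current user's domain.
        [string]$Domain = $env:USERDNSDOMAIN
    )

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # AD side: one GPPermission entry per trustee. Fall back to the SID
        # when the name cannot be resolved (deleted group, foreign domain).
        $adTrustees = Get-GPPermission -Guid $gpo.Id -All -Domain $Domain |
            ForEach-Object {
                $n = if ($_.Trustee.Name) { $_.Trustee.Name } else { $_.Trustee.Sid.Value }
                $n.ToLowerInvariant()
            } | Sort-Object -Unique

        # Sysvol side: the policy folder is named by the GPO GUID in braces.
        $sysvolPath = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}"
        if (-not (Test-Path -LiteralPath $sysvolPath)) {
            [pscustomobject]@{ Gpo = $gpo.DisplayName; Id = $gpo.Id
                               Problem = 'Sysvol folder missing'; Trustee = $null }
            continue
        }
        $fsTrustees = (Get-Acl -LiteralPath $sysvolPath).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object {
                # "CONTOSO\Domain Admins" and "NT AUTHORITY\SYSTEM" compare
                # against the AD-side names "Domain Admins" and "SYSTEM";
                # an unresolved SID string has no backslash and is kept whole.
                ($_.IdentityReference.Value -split '\\')[-1].ToLowerInvariant()
            } |
            # CREATOR OWNER is an ordinary Sysvol-only entry, not a mismatch
            # (assumption of this example; drop the filter to see it too).
            Where-Object { $_ -ne 'creator owner' } |
            Sort-Object -Unique

        foreach ($t in ($adTrustees | Where-Object { $_ -notin $fsTrustees })) {
            [pscustomobject]@{ Gpo = $gpo.DisplayName; Id = $gpo.Id
                               Problem = 'Granted in AD but not on Sysvol'; Trustee = $t }
        }
        foreach ($t in ($fsTrustees | Where-Object { $_ -notin $adTrustees })) {
            [pscustomobject]@{ Gpo = $gpo.DisplayName; Id = $gpo.Id
                               Problem = 'Granted on Sysvol but not in AD'; Trustee = $t }
        }
    }
}

# Usage: list every GPO whose two halves disagree.
Get-GpoPermissionMismatch | Format-Table -AutoSize
```

A GPO that shows up with "Granted in AD but not on Sysvol" is exactly the case the KB article warns about: the client can find the GPO in AD but cannot read its files from Sysvol, so processing fails silently for the affected users. Repair the flagged GPOs through GPMC (Delegation tab) or Set-GPPermission, which write both halves together, rather than by editing the Sysvol ACL or the AD object directly, which is how the two get out of step in the first place. One caveat for readers on newer servers: the "Directory Service Access" event the thread is tracing is ID 565 on Windows 2000/2003; from Windows Vista/2008 onward the equivalent audit is event ID 4662.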
 