Ask the Expert

Global Group users are grayed out and can't access intranet

I have recently completed the migration of users from a mixture of NT and Novell Directory Services (NDS) to Active Directory (AD). It has been reported that some users are being prompted for authentication when attempting to access intranet resources. On investigating the migrated Global Groups, which govern access to the intranet resources, it has been found that all the users are displayed as grayed-out users -- these user accounts are active/enabled and being used to log into the Win2k domain. Any ideas?


This may be a ramification of the migration. When moving to AD, depending on what tool you used, the resulting groups and users have SIDHistory attributes added. This means that the old NT SID is actually attached to the group or users as another group or user membership. When you examine the group or user in an Access Control List (ACL), like on a file, you will see the name of the Windows 2000 group -- but it really may be the NT 4.0 SID that is in the group. Post-migration, you need to ensure that all group memberships and ACLs are cleaned up and reference the appropriate user account. Then, using ADSI Edit, you can search for the SIDHistory attribute in the user/group objects and remove it. The deployment guide from the resource kit and the Microsoft Training Kit for the Migration Text (I believe it is 70-222) also have this information.

This was first published in July 2003
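The search-then-remove step described in the answer can also be scripted. The following is an added example, not part of the original answer: it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the function name `Get-SidHistoryReport` and the CSV file name are hypothetical.

```powershell
# Added example: report every object that still carries sIDHistory.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-SidHistoryReport {
    param(
        # Optional search base (DN); defaults to the current domain root.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # (sIDHistory=*) matches any user, group or computer with the attribute set.
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -SearchBase $SearchBase `
                 -Properties sIDHistory, sAMAccountName, objectSid |
        ForEach-Object {
            $obj = $_
            # One output row per migrated SID, since the attribute is multi-valued.
            foreach ($sid in $obj.sIDHistory) {
                [pscustomobject]@{
                    Name              = $obj.sAMAccountName
                    ObjectClass       = $obj.ObjectClass
                    CurrentSid        = $obj.objectSid.Value
                    HistorySid        = $sid.Value
                    # Domain portion of the old SID identifies the source domain.
                    SourceDomainSid   = $sid.AccountDomainSid.Value
                    DistinguishedName = $obj.DistinguishedName
                }
            }
        }
}

$report = Get-SidHistoryReport

# Per source domain: how many migrated SIDs are still attached to objects.
$report | Group-Object SourceDomainSid |
    Select-Object Name, Count | Format-Table -AutoSize

# Keep a record of what was attached before anything is changed.
$report | Export-Csv -Path .\sidhistory-report.csv -NoTypeInformation

# Removal, once ACLs and group memberships reference the new accounts.
# -WhatIf only previews each change; remove it after reviewing the report.
foreach ($row in $report) {
    Set-ADObject -Identity $row.DistinguishedName `
                 -Remove @{ sIDHistory = $row.HistorySid } -WhatIf
}
```

Objects that lose sIDHistory before their ACL entries are re-permissioned will lose access granted through the old SID, so the exported CSV doubles as the rollback reference.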
