Error 1307 this security id may not be assigned as the owner of this object

Remove From My Forums

Вопрос
Имеется файловый сервер(он же контроллер домена) —
Server 2003 R2 Std SP2

Хочу перенести каталог на другой диск, с сохранением ACL и владельцев.
Работаю под админом домена.
На каталоге админам и системе полный доступ.

ACL переностится нормально, а вот владелец не хочет переноситься, т.к. не хватает прав доступа.

Robocopy выводит такую ошибку
ERROR 1307 (0x0000051B) Copying NTFS Security to Destination Directory D:Archive

This security ID may not be assigned as the owner of this object.

проводник:
You do not have the Restore privilege required to set this user/group as owner

В локальных политиках сервера для права «Restore files and directories» стоят дефолтные: administrators, backup operators, server operators

Не пойму, где дальше копать…
Подскажите пожалуйста…

Спасибо.

Ответы

проблему решил

оказывается на сервере, где назначение владельца работает применяется локальная политика сервера, в которой права прописаны, а на остальных применялись только доменные политики, где права не были прописаны. Прописал права в доменных политиках и сразу все
заработало.

спасибо за участие.
- Помечено в качестве ответа
  
  13 июля 2012 г. 7:38

Recently started getting 1307 error
Add-NTFSAccess : (1307) This security ID may not be assigned as the owner of this object:
When trying to add BUILTINAdministrators group permissions on a NetApp Folder.

The folder is owned by BUILTINAdministrators and my AD user account is a member of the group.

I was able to use ICACLS to grant BUILTINAdministrators permissions to the folder.

Do you work on a nun en-us workstation? Meaning, does the BUILTINAdministrators group has a different name on the machine the code runs on?

I work on en-us only software versions supporting the US Army. We have a mixture of Windows 10 1607 and 1709 versions in our organization. The NetApp operating system is Clustered Data ONTAP 9.3P6.

What NTFSSecurty does internally is to convert the username into an object of type[Security2.IdentityReference2] that stores the username plus the SID. Does the following command work when hitting the error?

PS C:> [Security2.IdentityReference2]'BUILTINAdministrators'

Sid          AccountName            LastError
---          -----------            ---------
S-1-5-32-544 BUILTINAdministrators

Security2.IdentityReference2 is a non-standard class coming with NTFSSecurity. Internally it uses the .net standard class System.Security.Principal.NTAccount and System.Security.Principal.SecurityIdentifier.

PS C:> $p = [System.Security.Principal.NTAccount]'BUILTINAdministrators'
PS C:> $p.Translate([System.Security.Principal.SecurityIdentifier])

BinaryLength AccountDomainSid Value
------------ ---------------- -----
          16                  S-1-5-32-544

Do you observe the error only when working on a NetApp volume or can you repro the issue also on a local drive?

The commands you sent both work without any errors and produce the same SID
values. I cannot reproduce the error on a local drive. The error only
happens when the path is «\netappfilersharenamefolder»

icacls works using the same path «\netappfilersharenamefolder» without
any errors.

…

On Thu, Aug 16, 2018 at 4:10 AM Raimund Andrée [MSFT] < ***@***.***> wrote:
What NTFSSecurty does internally is to convert the username into an object
of type[Security2.IdentityReference2] that stores the username plus the
SID. Does the following command work when hitting the error?

PS C:> [Security2.IdentityReference2]’BUILTINAdministrators’

Sid AccountName LastError
— ———— ———
S-1-5-32-544 BUILTINAdministrators

Security2.IdentityReference2 is a non-standard class coming with
NTFSSecurity. Internally it uses the .net standard class
System.Security.Principal.NTAccount and
System.Security.Principal.SecurityIdentifier.

PS C:> $p = [System.Security.Principal.NTAccount]’BUILTINAdministrators’
PS C:> $p.Translate([System.Security.Principal.SecurityIdentifier])

BinaryLength AccountDomainSid Value
———— —————- ——
16 S-1-5-32-544

Do you observe the error only when working on a NetApp volume or can you
repro the issue also on a local drive?

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#34 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AoEjPezR2X8W4aXkAWrUcu_YWBb10R3sks5uRVMKgaJpZM4VuSr5>
.

I am unable to repro this, I do not have access to a NetApp filer. I can add additional debug logging to the cmdlets to help tackle this. Would you mind investing a little bit more time?

Yes I am willing to help if you send my a build that includes logging.

…

Hello! I’m also getting a 1307 error when I try to add NTFS permissions. I use UNC paths (anything that starts with \ ). I run windows 10 1709, en-us only.

I’m willing to help investigate, too, as this has been such a useful tool.

I’m having this same issue with all builds from version 4.0 up. I had to go back to a manual install of 3.2.3 to resolve the issue. We have a very standard enterprise all-Microsoft environment for our file shares. Servers are 2012 R2 running DFS namespaces and DFS replication. The service account used for these operations has full control access to all shares, both SMB and NTFS. It is not an admin on the file server and is not an admin on the task server from which it runs, as neither of those are necessary for these operations.

As others have said, I also greatly appreciate your development efforts on this wonderful module and I would be willing to help troubleshoot if you would like me to try a build with enhanced logging or other changes. I’ll have to stick with a manual install of 3.2.3 for now and hope it doesn’t break at some point. Thanks!

@Sup3rlativ3, I have received your commend to that issue by email but do not see it here.
@FrisbeeGolfer, sorry for catching up quite late with this.

NTFSSecurity just uses the standard .net methods to do the name translation (SID<>SamAccountName). If this happens again, can you please try the following in PowerShell to verify that?

If the error occurs again, you should see something similar to this:

PS C:> Add-NTFSAccess -Path D: -Account raandree1DoesNotExist -AccessRights FullControl                                                                   Add-NTFSAccess : Cannot bind parameter 'Account'. Cannot convert value "raandree1DoesNotExist" to type "Security2.IdentityReference2". Error: "Some or all
identity references could not be translated."
At line:1 char:35
+ Add-NTFSAccess -Path D: -Account raandree1DoesNotExist -AccessRight ...
+                                   ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Add-NTFSAccess], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,NTFSSecurity.AddAccess

You should see the same error when calling the name translation method directly:

PS C:> [Security2.IdentityReference2]'raandree1DoesNotExist'                                                                                               Cannot convert value "raandree1DoesNotExist" to type "Security2.IdentityReference2". Error: "Some or all identity references could not be translated."
At line:1 char:1
+ [Security2.IdentityReference2]'raandree1DoesNotExist'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvalidCastConstructorException

If the account exists, it returns an object containing the SID and the account name:

PS C:> [Security2.IdentityReference2]'raandree1randr'                                                                                                      
Sid                                            AccountName     LastError
---                                            -----------     ---------
S-1-5-21-4243879168-3157639941-1836938273-1001 raandree1randr

Thanks for any help troubleshooting this!

raandree

added

Bug

Clearly a bug that need to be fixed

Help Wanted

We need help from the community to get the fixed or added

labels

Jul 25, 2019

@raandree I withdrew the comment as I found I had made a mistake and that was the cause of the error. I didn’t want to muddy the waters with an incorrect report.

I have the same problem. Also NetApp filer. But with DFS pointing to filer.
Setting rights for any account by an user who has full control

Trying to use Add-Ntfsaccess yields the same error for me. Also NetApp with DFS in front. The module has worked for me in the past, feels bad having to fall back to icacls

Trying to use Add-Ntfsaccess yields the same error for me. Also NetApp with DFS in front. The module has worked for me in the past, feels bad having to fall back to icacls

Have you tried making a share on the filer, with root access, and using that to set security?
I have had similar issues with an emc filer back a few years ago, and making a share on top level with «run as root», and a group added there with my admin group in.. I can «Set-NTFSOwner», and «Set-Acl -InputObject» without problems, before those 2 things was not possible, over dfs, or the standard share the dfs was pointing too, which is the same thing.

It works when the running account is the owner of the file, but taking ownership is a bit of an annoyance in most of my cases

It works when the running account is the owner of the file, but taking ownership is a bit of an annoyance in most of my cases

        Set-NTFSOwner -Path "\<unc>datar$Usersau$auid" -Account "UNI$accountname"
        Add-NTFSAccess -Path "\<unc>datar$Usersau$auid" -Account "UNI$accountname" -AccessRights Modify -InheritanceFlags ObjectInherit,ContainerInherit
        Add-NTFSAccess -Path "\<unc>datar$Usersau$auid" -Account "Owner Rights" -AccessRights Modify

This snip from my «user folder creation script» always works, but the share i am accessing this through is an extra one (with the added «r») with only this purpose and «root access». I would recommend you using something a like this (Owner Rights), then users can never mess with the security or anything else really, which is a desired configuration.

I had the same issue but I was able to fix it, or more by-passing it.

Here is a part of my code. Add-NTFSAccess was generating this error 1307. I wrote the script but I’m not the one actually using it. I don’t have enough permissions on servers. So it was difficult to reproduce. I only use literal paths as we need to handle long paths.

Get-Item -LiteralPath (Rename-Path $path) | Get-NTFSAccess | Where-Object { ($_.AccessRights -like '*Modify*') -and ($_.AccessControlType -eq 'Allow') } | Remove-NTFSAccess
	
Write-Host 'Adding read permission(s)...' -Foregroundcolor Yellow 
Add-NTFSAccess -Path (Rename-Path $path) -Account $entries.SID -AccessRights Read -AccessType Allow

Rename-Path function add a prefix to the path as we use extented-length path with the \? prefix. For a network path, the prefix must be \?UNCservershare. For a local path, it’s \?C:folder. So, Rename-Path does that.
Since I use it, I get this error 1307 only with network paths and with a few AD accounts. I replaced the last line with this:
Get-Item -LiteralPath (Rename-Path $path) | Add-NTFSAccess -Account $entries.SID -AccessRights Read -AccessType Allow
And now, the error is gone and the script works well.
Could someone test this?

So, the problem was not what I explained in my previous comment at all. The guy who tested the script just didn’t run it as admin.
But it works with admin rights and he is server admin. So the issue is probably related to privileges.

i am having same problem on windows server 2019 i cant resolve a user/group from the domain but it work with local users, any idea?

If I get the effective permissions from properties-security-advanced window it works for the domain group also.

Local users ok

PS C:Sharesrepo1manyfolders> Get-NTFSEffectiveAccess -Path c:sharesrepo1 -Account "builtinadministrators"


    Path: c:sharesrepo1 (Inheritance disabled)


Account                             Access Rights  Applies to                Type           IsInherited   InheritedFrom
-------                             -------------  ----------                ----           -----------   -------------
BUILTINAdministrators              FullControl    ThisFolderOnly            Allow          False


PS C:Sharesrepo1manyfolders> [Security2.IdentityReference2]'BUILTINAdministrators'

Sid          AccountName            LastError
---          -----------            ---------
S-1-5-32-544 BUILTINAdministrators

domain users: ERROR

PS C:Sharesrepo1manyfolders> Get-NTFSEffectiveAccess -Path c:sharesrepo1 -Account domaindevelopers
Get-NTFSEffectiveAccess : Cannot bind parameter 'Account'. Cannot convert value "developers" to type
"Security2.IdentityReference2". Error: "Some or all identity references could not be translated."
At line:1 char:56
+ ... -NTFSEffectiveAccess -Path c:sharesrepo1 -Account developers
+                                                         ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Get-NTFSEffectiveAccess], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,NTFSSecurity.GetEffectiveAccess


PS C:Sharesrepo1manyfolders> [Security2.IdentityReference2]'domaindevelopers'
Cannot convert value "domaindevelopers" to type "Security2.IdentityReference2". Error: "Some or all identity
references could not be translated."
At line:1 char:1
+ [Security2.IdentityReference2]'domaindevelopers'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvalidCastConstructorException

@agonzalezm are you running this elevated e.g. «as admin»?

Источник

Hello,

i try to start a process as a user from within a service which runs under localsystem.

Now the Problem is, i get the Error 1307 ERROR_INVALID_OWNER when calling CreateProcessAsUser.
The strange thing is, the method returns true, saying it succeeded.
Sometimes the process starts then, but sometimes the process doesn’t start, even though the method returns true.

Here is my code, it’s in Delphi:

procedure TMyService.CreateNewUserProcess(AUser, APassword, ADomain, AProgram : string);
var
  ltoken,ltoken2 : Cardinal;
  LEnv : Pointer;
  pi : TProfileInfo;
  si : STARTUPINFO;
  pri : _PROCESS_INFORMATION;
  sil : TSecurityImpersonationLevel;
  LUser, LDomain, LPassword, LProgram : string;
//  reg : TRegistry;
  err : Integer;
  created : LongBool;
begin

try
  LUser:=AUser;
  LPassword:=APassword;
  LDomain:=ADomain;
  LProgram:=AProgram;
  try
  FillChar(sil,SizeOf(TSecurityImpersonationLevel),#0);
  sil := SecurityImpersonation;
  if LogonUser(PAnsiChar(LUser),PAnsiChar(LDomain),PAnsiChar(LPassword),LOGON32_LOGON_INTERACTIVE,LOGON32_PROVIDER_DEFAULT,ltoken)then
    begin
    if DuplicateTokenEx(ltoken,TOKEN_ALL_ACCESS,nil,sil,TokenPrimary,ltoken2)then
    begin
    fillchar(pi,sizeof(TProfileInfo),#0);
    pi.dwSize:=sizeof(TProfileInfo);
    pi.lpUserName:=PAnsiChar(LUser);
    if(LoadUserProfile(ltoken2,pi))then
      begin

      if (CreateEnvironmentBlock(
        lenv,
        ltoken2,
        false   //false
      ))then
        begin
        FillChar(pri,sizeof(_PROCESS_INFORMATION),#0);
        ZeroMemory(@si,sizeof(si));
        err:=GetlastError;
        if err<>0 then SNLogger.Log(SysErrorMessage(err),ltBoth);
         created:= CreateProcessAsUser(
            ltoken2,
            nil,
            PAnsiChar(LProgram),

            nil,
            nil,
            false,//false
            CREATE_UNICODE_ENVIRONMENT or CREATE_NEW_PROCESS_GROUP or NORMAL_PRIORITY_CLASS or CREATE_NO_WINDOW,   //TODO: Priorität einstellen?
            lenv,
            nil,
            si,
            pri
            );
        if(created = LongBool(0))then SNLogger.Log('Prozess konnte nicht gestartet werden.',ltBoth);
        else SNLogger.Log('Prozess erfolgreich gestartet.'+BoolToStr(created),ltBoth);
        err:=GetlastError;
        if err<>0 then SNLogger.Log('Prozess konnte nicht gestartet werden. Fehler '+IntToStr(err)+':'+SysErrorMessage(err),ltBoth);
        if not DestroyEnvironmentBlock(lenv)then snlogger.Log('EnvironmentBlock konnte nicht geschlossen werden');
        if not UnloadUserProfile(ltoken,pi.hProfile)then snlogger.Log('UserProfile konnte nicht geschlossen werden');
        if not CloseHandle(pri.hProcess)then snlogger.Log('hProcess konnte nicht geschlossen werden');
        if not CloseHandle(pri.hThread)then snlogger.Log('hThread konnte nicht geschlossen werden');
        if not CloseHandle(ltoken2)then snlogger.Log('ltoken2 konnte nicht geschlossen werden');
        if not CloseHandle(ltoken) then snlogger.Log('ltoken konnte nicht geschlossen werden');


        //snlogger.log(inttostr(GetLastError));
        end else SNLogger.Log('Arbeitsumgebung konnte nicht erstellt werden. '+SysErrorMessage(GetLastError));
      end else SNLogger.Log('Benutzerprofil konnte nicht geladen werden. '+SysErrorMessage(GetLastError));
    end else SNLogger.Log('Duplicate nicht möglich. '+SysErrorMessage(GetLastError));
  end else SNLogger.Log('Login nicht möglich. '+SysErrorMessage(GetLastError),ltBoth);
except
  on e : exception do
    SNLogger.Log('Fehler beim Starten eines Prozesses:'+e.Message+slinebreak+SysErrorMessage(GetLastError),ltBoth);
  end;
finally
snlogger.log('CreateProcess:'+syserrormessage(getlasterror));
end;
end;

The error itself occurs on both Windows Vista and Windows XP. I don’t have access to other systems here.
I already tried to change the inheritance of the rights, but nothing changed.

It would really be great to get a solution for this, because it is a really annoying error…

Источник

While trying to fix minor networ problem I appear to have broken the Workstation Service on my Windows 10 machine.

When I try to start it, I get the error 1307: «This security id may not be assigned as the owner of this object»

This is a single user machine on a private network. I may have messed up the Log on properties of this service and/or the registry settings under HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceslanmanworkstation.

Can someone tell me, what exactly should be entered in the login properties of Workstation Service? Or what else might be causing my problem?

Solved it myself.
Under Login, I had to write «Network Service», then blank out the password fields.

Thanks RedKnight saved me hours.

Legend. This solved my problem that I’d been tearing my hair out trying to fix.

YES! I can’t believe it took me this long to find this fix. IT WORKED!

Want to reply to this thread or ask your own question?

You’ll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Источник

Posted by Friskee 2015-06-30T03:14:57Z

So an Admin accidentally yanked the power cables to our both of our Domain Controllers. When we tried to turn them back on the PDC would not boot. The admin restored from a backup that was taken that weekend but it seems that since this event the SYSVOL folder has stopped replicating between the 2 servers. I cannot see SYSVOL in the DFSR management console so can I just recreate it or do I have to do really particular process that AD requires?

17 Replies

Neally

This person is a verified professional.

Verify your account
to enable IT peers to see that you are a professional.

pure capsaicin
Friskee wrote:

So an Admin accidentally yanked the power cables to our both of our Domain Controllers…

WTF, how do you «accidently» yank power cables from production servers? Let me fix this for you;

Friskee meant to write:

So an Admin stupidly yanked the power cables to our both of our Domain Controllers…

Anyway back to the matter at hand. What DFS replication errors are you getting. This will help narrow down the issue.

Was this post helpful?
thumb_up
thumb_down
Haha there is now a ban in place for said Admin that he is not allowed to touch the rack unless in SDT.

That’s the thing, there are no errors. It is as if DFSr just disappeared. Reading up and some people are saying to disjoin a DC for a few days then rejoin but if there is no issues with just setting up DFSr from scratch I’d rather do that. If I copy the sysvol folders manually across the DC’s I don’t get GP errors upon login but obviously don’t want to have to do that after each change.

Was this post helpful?
thumb_up
thumb_down
Friskee wrote:

Haha there is now a ban in place for said Admin that he is not allowed to touch the rack unless in SDT.

That’s the thing, there are no errors. It is as if DFSr just disappeared. Reading up and some people are saying to disjoin a DC for a few days then rejoin but if there is no issues with just setting up DFSr from scratch I’d rather do that. If I copy the sysvol folders manually across the DC’s I don’t get GP errors upon login but obviously don’t want to have to do that after each change.

I might have your DFSR replication stopped. Take a look at this. Read through it to understand it.

http://blogs.technet.com/b/filecab/archive/2012/07/23/understanding-dfsr-dirty-unexpected-shutdown-r… Opens a new window

Was this post helpful?
thumb_up
thumb_down
DFSR running on both DC’s and could find a software repository share but not the SYSVOL from the steps in that article.

Was this post helpful?
thumb_up
thumb_down
Friskee wrote:

That’s the thing, there are no errors…

How about if you run dcdiag? Does it report any errors?

Was this post helpful?
thumb_up
thumb_down

So I ran dcdiag again and this time actually had a DFSR event on the PDC. 3 Events all the same all about 2 hours ago:

Text

The DFS Replication service encountered an error while writing to the debug log file. Failure to write to the debug log file can occur because the disk is full, the disk is failing, or a quota limit has been reached for the folder where the logs are written. Logging will be disabled until this error is resolved.

Additional Information:

Error: 1307 (This security ID may not be assigned as the owner of this object.)

Debug Log File Path: C:WindowsDebug

Max Debug Log Files: 999

Debug Log Severity: 4

Max Debug Log Messages: 10000

Text

The full dcdiag report is below:

Text

Directory Server Diagnosis

Performing initial setup:

Trying to find home server...

Home Server = DC1

* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: CityDC1

Starting test: Connectivity

......................... DC1 passed test Connectivity

Testing server: CityDC2

Starting test: Connectivity

......................... DC2 passed test Connectivity

Doing primary tests

Testing server: CityDC1

Starting test: Advertising

......................... DC1 passed test Advertising

Starting test: FrsEvent

There are warning or error events within the last 24 hours after the

SYSVOL has been shared. Failing SYSVOL replication problems may cause

Group Policy problems.
......................... DC1 failed test FrsEvent

Starting test: DFSREvent

......................... DC1 passed test DFSREvent

Starting test: SysVolCheck

......................... DC1 passed test SysVolCheck

Starting test: KccEvent

......................... DC1 passed test KccEvent

Starting test: KnowsOfRoleHolders

......................... DC1 passed test KnowsOfRoleHolders

Starting test: MachineAccount

......................... DC1 passed test MachineAccount

Starting test: NCSecDesc

......................... DC1 passed test NCSecDesc

Starting test: NetLogons

......................... DC1 passed test NetLogons

Starting test: ObjectsReplicated

......................... DC1 passed test ObjectsReplicated

Starting test: Replications

......................... DC1 passed test Replications

Starting test: RidManager

......................... DC1 passed test RidManager

Starting test: Services

......................... DC1 passed test Services

Starting test: SystemLog

A warning event occurred. EventID: 0x00009016

Time Generated: 06/30/2015 15:27:46

Event String:

No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

A warning event occurred. EventID: 0x00009016

Time Generated: 06/30/2015 15:27:48

Event String:

A warning event occurred. EventID: 0x00009016

Time Generated: 06/30/2015 15:32:47

Event String:

A warning event occurred. EventID: 0x00009016

Time Generated: 06/30/2015 15:32:48

Event String:

......................... DC1 passed test SystemLog

Starting test: VerifyReferences

......................... DC1 passed test VerifyReferences

Testing server: CityDC2

Starting test: Advertising

......................... DC2 passed test Advertising

Starting test: FrsEvent

There are warning or error events within the last 24 hours after the

SYSVOL has been shared. Failing SYSVOL replication problems may cause

Group Policy problems.
......................... DC2 passed test FrsEvent

Starting test: DFSREvent

......................... DC2 passed test DFSREvent

Starting test: SysVolCheck

......................... DC2 passed test SysVolCheck

Starting test: KccEvent

......................... DC2 passed test KccEvent

Starting test: KnowsOfRoleHolders

......................... DC2 passed test KnowsOfRoleHolders

Starting test: MachineAccount

......................... DC2 passed test MachineAccount

Starting test: NCSecDesc

......................... DC2 passed test NCSecDesc

Starting test: NetLogons

......................... DC2 passed test NetLogons

Starting test: ObjectsReplicated

......................... DC2 passed test ObjectsReplicated

Starting test: Replications

......................... DC2 passed test Replications

Starting test: RidManager

......................... DC2 passed test RidManager

Starting test: Services

......................... DC2 passed test Services

Starting test: SystemLog

......................... DC2 passed test SystemLog

Starting test: VerifyReferences

......................... DC2 passed test VerifyReferences

Running partition tests on : ForestDnsZones

Starting test: CheckSDRefDom

......................... ForestDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... ForestDnsZones passed test

CrossRefValidation

Running partition tests on : DomainDnsZones

Starting test: CheckSDRefDom

......................... DomainDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... DomainDnsZones passed test

CrossRefValidation

Running partition tests on : Schema

Starting test: CheckSDRefDom

......................... Schema passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Schema passed test CrossRefValidation

Running partition tests on : Configuration

Starting test: CheckSDRefDom

......................... Configuration passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Configuration passed test CrossRefValidation

Running partition tests on : DOMAIN

Starting test: CheckSDRefDom

......................... DOMAIN passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... DOMAIN passed test CrossRefValidation

Running enterprise tests on : DOMAIN.local

Starting test: LocatorCheck

......................... DOMAIN.local passed test LocatorCheck

Starting test: Intersite

Doing intersite inbound replication test on site City:
......................... DOMAIN.local passed test Intersite

Text

Directory Server Diagnosis

Performing initial setup:

Trying to find home server...

Home Server = DC1

* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: CityDC1

Starting test: Connectivity

......................... DC1 passed test Connectivity

Testing server: CityDC2

Starting test: Connectivity

......................... DC2 passed test Connectivity

Doing primary tests

Testing server: CityDC1

Starting test: Advertising

......................... DC1 passed test Advertising

Starting test: FrsEvent

There are warning or error events within the last 24 hours after the

SYSVOL has been shared. Failing SYSVOL replication problems may cause

Group Policy problems.
......................... DC1 failed test FrsEvent

Starting test: DFSREvent

......................... DC1 passed test DFSREvent

Starting test: SysVolCheck

......................... DC1 passed test SysVolCheck

Starting test: KccEvent

......................... DC1 passed test KccEvent

Starting test: KnowsOfRoleHolders

......................... DC1 passed test KnowsOfRoleHolders

Starting test: MachineAccount

......................... DC1 passed test MachineAccount

Starting test: NCSecDesc

......................... DC1 passed test NCSecDesc

Starting test: NetLogons

......................... DC1 passed test NetLogons

Starting test: ObjectsReplicated

......................... DC1 passed test ObjectsReplicated

Starting test: Replications

......................... DC1 passed test Replications

Starting test: RidManager

......................... DC1 passed test RidManager

Starting test: Services

......................... DC1 passed test Services

Starting test: SystemLog

A warning event occurred. EventID: 0x00009016

Time Generated: 06/30/2015 15:27:46

Event String:

A warning event occurred. EventID: 0x00009016

Time Generated: 06/30/2015 15:27:48

Event String:

A warning event occurred. EventID: 0x00009016

Time Generated: 06/30/2015 15:32:47

Event String:

A warning event occurred. EventID: 0x00009016

Time Generated: 06/30/2015 15:32:48

Event String:

......................... DC1 passed test SystemLog

Starting test: VerifyReferences

......................... DC1 passed test VerifyReferences

Testing server: CityDC2

Starting test: Advertising

......................... DC2 passed test Advertising

Starting test: FrsEvent

There are warning or error events within the last 24 hours after the

SYSVOL has been shared. Failing SYSVOL replication problems may cause

Group Policy problems.
......................... DC2 passed test FrsEvent

Starting test: DFSREvent

......................... DC2 passed test DFSREvent

Starting test: SysVolCheck

......................... DC2 passed test SysVolCheck

Starting test: KccEvent

......................... DC2 passed test KccEvent

Starting test: KnowsOfRoleHolders

......................... DC2 passed test KnowsOfRoleHolders

Starting test: MachineAccount

......................... DC2 passed test MachineAccount

Starting test: NCSecDesc

......................... DC2 passed test NCSecDesc

Starting test: NetLogons

......................... DC2 passed test NetLogons

Starting test: ObjectsReplicated

......................... DC2 passed test ObjectsReplicated

Starting test: Replications

......................... DC2 passed test Replications

Starting test: RidManager

......................... DC2 passed test RidManager

Starting test: Services

......................... DC2 passed test Services

Starting test: SystemLog

......................... DC2 passed test SystemLog

Starting test: VerifyReferences

......................... DC2 passed test VerifyReferences

Running partition tests on : ForestDnsZones

Starting test: CheckSDRefDom

......................... ForestDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... ForestDnsZones passed test

CrossRefValidation

Running partition tests on : DomainDnsZones

Starting test: CheckSDRefDom

......................... DomainDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... DomainDnsZones passed test

CrossRefValidation

Running partition tests on : Schema

Starting test: CheckSDRefDom

......................... Schema passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Schema passed test CrossRefValidation

Running partition tests on : Configuration

Starting test: CheckSDRefDom

......................... Configuration passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Configuration passed test CrossRefValidation

Running partition tests on : DOMAIN

Starting test: CheckSDRefDom

......................... DOMAIN passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... DOMAIN passed test CrossRefValidation

Running enterprise tests on : DOMAIN.local

Starting test: LocatorCheck

......................... DOMAIN.local passed test LocatorCheck

Starting test: Intersite

Doing intersite inbound replication test on site City:
......................... DOMAIN.local passed test Intersite

Was this post helpful?
thumb_up
thumb_down

From a command prompt:

dfsrdiag dumpmachinecfg

Look at the debug log file path, is the drive it’s hosted on full?

Was this post helpful?
thumb_up
thumb_down
Rockn

This person is a verified professional.

Verify your account
to enable IT peers to see that you are a professional.

mace

Run repadmin /syncall from each of the DCs and see what is being reported.

Was this post helpful?
thumb_up
thumb_down
PatrickFarrell wrote:

From a command prompt:

dfsrdiag dumpmachinecfg

Look at the debug log file path, is the drive it’s hosted on full?

Debug path is just C drive with 66GB free
Text
```
Run repadmin /syncall from each of the DCs and see what is being reported.
```
Operation Succeeded

PS C:Windowssystem32> repadmin /syncall

CALLBACK MESSAGE: The following replication is in progress:

From: 9ed499dd-d69f-4ea9-9442-9ca3489f2847._msdcs.DOMAIN.local

To : 37f17cc9-beba-4174-a462-4422890cd83c._msdcs.DOMAIN.local

CALLBACK MESSAGE: The following replication completed successfully:

From: 9ed499dd-d69f-4ea9-9442-9ca3489f2847._msdcs.DOMAIN.local

To : 37f17cc9-beba-4174-a462-4422890cd83c._msdcs.DOMAIN.local

CALLBACK MESSAGE: SyncAll Finished.

SyncAll terminated with no errors.

PS C:Windowssystem32>

Was this post helpful?
thumb_up
thumb_down
Check the security settings on the SYSVOL root folder. The error Error: 1307 (This security ID may not be assigned as the owner of this object.) indicated that SYSVOL cannot be accessed by the System.

Permissions should be;

SYSTEM — Full Control

Auth Users — Read and Execute

Server Ops — Read and Execute

Admin — Full Control

CREATOR OWNER — Full Control

Was this post helpful?
thumb_up
thumb_down
Rockn

This person is a verified professional.

Verify your account
to enable IT peers to see that you are a professional.

mace

It almost sounds like a USN rollback issue since the PDC was restored from a backup. If any changes were made just prior to the restore this could be the issue.

https://support.microsoft.com/en-us/kb/875495 Opens a new window

Was this post helpful?
thumb_up
thumb_down
Prototype wrote:

Check the security settings on the SYSVOL root folder. The error Error: 1307 (This security ID may not be assigned as the owner of this object.) indicated that SYSVOL cannot be accessed by the System.

Permissions should be;

SYSTEM — Full Control

Auth Users — Read and Execute

Server Ops — Read and Execute

Admin — Full Control

CREATOR OWNER — Full Control

Set perfectly

@Rockn
AD objects replicate perfectly well only the SYSVOL folder is not.

Was this post helpful?
thumb_up
thumb_down
Rockn

This person is a verified professional.

Verify your account
to enable IT peers to see that you are a professional.

mace

How can it be replicating perfectly if the SYSVOL is not replicating? I am confused as to what the problem is then. How many replication partners are there?

Was this post helpful?
thumb_up
thumb_down
3 DC’s (one is at a DR site)

I can create a group or user on DC1 and a few seconds later I can see it on DC2

The SYSVOL NTFS share does not replicate the changes made when I change a group policy

Was this post helpful?
thumb_up
thumb_down
Rockn

This person is a verified professional.

Verify your account
to enable IT peers to see that you are a professional.

mace

Look at the USN rollback KB. Replication is not happening for group policy. In particular look at the heading for Detecting a USN rollback on a domain controller that is running Windows Server

Look for kerberos entries in your event logs as well.

Was this post helpful?
thumb_up
thumb_down
No Kerberos issues and the repadmin /showutdvec command mentioned in the article shows no issues between all 3 DCs.

Was this post helpful?
thumb_up
thumb_down

Read these next…

Green Brand Rep Wrap-Up: January 2023

Spiceworks Originals

Hi, y’all — Chad here. A while back, we used to feature the top posts from our brand reps (aka “Green Gals/Guys/et. al.) in a weekly or monthly wrap-up post. I can’t specifically recall which, as that was approximately eleven timelines ago. Luckily, our t…
Help with domain controller setup

Windows

I just got a new job as the only IT person for a business with around 270 employees (I would say probably less than half use computers) They don’t have any policies or procedures when it comes to IT, as they have never had an IT person. My background cons…
Malicious URLs

Security

We have firewall, we have endpoint protection, we have Safe links and Attachments for Office 365 (Microsoft Defense for Office 365 Plan 1), and still receiving links that lead to malicious web sites.It seems like security companies still didn’t develop a …
Snap! — Old Batteries, Lovable Bots, Quantum Breakthrough, Should We Trust AI?

Spiceworks Originals

Your daily dose of tech news, in brief.

Welcome to the Snap!

Flashback: February 8, 1996: The massive Internet collaboration “24 Hours in Cyberspace” takes place (Read more HERE.)

Bonus Flashback: February 8, 1974: Americans end outer spa…
Large collection of Mac Minis

Best Practices & General IT

We are getting rid of a lot of older equipment that doesn’t have a purpose anymore on our campus. Most of it is 2010 and 2014 Mac Minis. When they were purchased, they were the absolute base model, so nothing special about them. I’ve reached out to multip…

Источник

Обычно вы можете приобрести NTFS только право собственности на объекты файловой системы для себя. Вы не можете установить право собственности на третье лицо. (Это препятствует тому, чтобы пользователи, например, хранили компрометирующие или инкриминирующие данные под собственностью другого ничего не подозревающего человека.)

В политике безопасности есть привилегия «восстановить файлы и каталоги». Microsoft заявляет:

Этот параметр безопасности […] определяет, какие пользователи могут установить действительные участники безопасности в качестве владельца объекта.

Видимо, вам нужна эта привилегия для копирования права собственности. Robocopy должен работать в контексте безопасности, который позволяет устанавливать владение произвольным принципалам.

По умолчанию локальные администраторы имеют эту привилегию:

По умолчанию это право предоставляется группам «Администраторы», «Операторы архива» и «Операторы сервера» на контроллерах домена, а также группам «Администраторы» и «Операторы архива» на автономных серверах.

(Привилегия «восстановить файлы и каталоги» является частью политики. Возможно, вам придется выйти и снова войти, чтобы она вступила в силу.)

Источник

Since the problem is caused by Domain A credentials being rejected by Domain B, you need to find out from Windows admins what can be done. This is not a NBU issue.

NBU gives you two choices:

1) Restore with original access control attributes
2) Restore without original access control attributes

The NBU image has no knowledge whatsoever of Domain B credentials.
Image was backed up with Domain A credentials. This is what can be restored.
There is no other choice.

You say restore is successful without access control, but ‘is useless for my customer….‘

What does customer expect? That file owned by Marianne in Domain A must be restore with which credentials in Domain B that does not know about a user called Marianne?

Does it not make sense to have a file without any credentials that can manually be set in new domain?
I do understand that there are probably thousands of files, but the issue here is with Windows Active Directory…

Источник

Вопрос

Ответы

Advertisements

Advertisements

17 Replies

Read these next…

Green Brand Rep Wrap-Up: January 2023

Help with domain controller setup

Malicious URLs

Snap! — Old Batteries, Lovable Bots, Quantum Breakthrough, Should We Trust AI?

Large collection of Mac Minis