Any Windows AD/Permissions experts out there?

I have a weird problem with a terminal server and I can’t figure it out. We have a profile JDE that has administrator rights on the server. I didn’t have a problem until one day I logged in and it didn’t display the C: drive and I didn’t have access to the administrator tools in the Start menu. I can log in with my domain admin account and everything is fine. Somehow, the JDE account lost its admin rights on that server. JDE is still in the Administrators group. I don’t understand what is going on. We have two terminal servers set up identically and when I log into the good one I see the C: drive and can do everything I need to. It is the other one that just stopped working.

Here is what I have checked/done:

  1. Checked group policy on the server through MMC. Nothing in there seems to be out of place. Maybe I missed an option in one of the drop-downs? Where should I look specifically?
  2. Checked all the Users/Groups in Computer Management and JDE is only in the Administrators group.
  3. Deleted the terminal server profile folders, rebooted and tried logging in so it creates a new profile. Nada.
  4. Checked msconfig for any weird startup programs. Nada.

What else could I check? We are running Windows Server 2k3 if that makes a difference.

It’s been a while since I did a whole lot of sysadmin stuff, but I want to say that you can set specific permissions for an individual user without dipping into the group policies, can’t you? I don’t think that you’re supposed to do both at the same time, but I think it’s possible. Of course, I could also be talking entirely out my ass - my normal method of dealing with AD problems is to keep hitting things with a metaphorical hammer until they straighten up and fly right.

Is this a domain user or a local user?

Domain user.

Which MMC snap-in are you using? The Group Policy Management Console should make it easier to see if there are any custom group policy objects attached specifically to that user, not just the groups he’s in. (I’m not sure how Server 2008 does it, if you’re using that.)

I had a similar problem with a domain account which was only used by a process, and I was forced to run a profile/permissions debugger script off of a Microsoft KB article download. It went through everything, and after a few hours, gave me a list of potentially corrupt ACLs. I went and fixed each manually (yes, you heard me), and eventually got the account back up into tip-top shape. My eventlog is still, to this day, cluttered with some permissions-based errors, but the debugger doesn’t pick up anything out of the ordinary.

So you have two Windows 2K3 Terminal Servers which used to both work correctly and now one is misbehaving but the other still works correctly? (And by work correctly I mean stuff like logging in as JDE (an admin equivalent) and being able to see the C: drive, use Administrative Tools…)

Neither of these TSes is a Domain Controller or BDC, is it? Stuff like this happens when that is the case.

Assuming not, all I can say is try this:

Rather than use the Group Policy Editor you find in Administrative Tools, type “gpedit.msc” in the Run line on each server and open Group Policy Object Editor. It will be somewhat laborious, but compare the two. I’d focus on this part of the tree: Computer Configuration - Windows Settings - Security Settings - Local Policies - User Rights. But if you don’t find any differences there, check around everywhere else. And good luck.

Have you run a Resultant Set of Policy against the account in question to see what access it has on the system?
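
A way to do the comparison suggested above (User Rights on the good server versus the bad one) and the RSoP check without clicking through gpedit.msc on both boxes, added here as an example and not posted by anyone in the thread. It assumes the built-in secedit export has been run on each server and the two .inf files copied to one machine with PowerShell; the file paths are placeholders.

```powershell
# Added example (not from the thread). Step 1, on EACH terminal server, export the
# User Rights Assignment part of the effective local security policy (Unicode .inf):
#   secedit /export /cfg C:\temp\secpol.inf /areas USER_RIGHTS
# Step 2, copy both exports to one box and run this script to list every right that
# differs. Placeholder paths:
$GoodInf = 'C:\temp\secpol-goodTS.inf'
$BadInf  = 'C:\temp\secpol-badTS.inf'

function Get-UserRights([string]$Path) {
    # Returns a hashtable: privilege name -> sorted list of principals (SIDs or names).
    # secedit writes lines such as:  SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $Path -Encoding Unicode) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -match '^\s*(\S+)\s*=\s*(.*)$') {
            $name  = $Matches[1]
            $value = $Matches[2]
            $principals = $value.Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ }
            $rights[$name] = @($principals | Sort-Object)
        }
    }
    return $rights
}

$good = Get-UserRights $GoodInf
$bad  = Get-UserRights $BadInf
$allPrivs = (@($good.Keys) + @($bad.Keys)) | Sort-Object -Unique
foreach ($p in $allPrivs) {
    $g = ($good[$p] -join ',')
    $b = ($bad[$p]  -join ',')
    if ($g -ne $b) {
        Write-Output $p
        Write-Output "   good TS: $g"
        Write-Output "   bad  TS: $b"
    }
}
# Look first at the logon rights (SeInteractiveLogonRight, SeRemoteInteractiveLogonRight)
# and their Deny counterparts: a Deny right granted to any group JDE belongs to overrides
# its Administrators membership on that server.

# Step 3 (RSoP, as asked above): while logged on to the misbehaving server, dump the
# resultant policy for the account, then diff it against the same dump from the good one:
#   gpresult /user JDE /v > C:\temp\rsop-JDE.txt
```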

They were identical on both servers. I’m working on this today in between other things. Thanks for the suggestions everyone. Hopefully I find the culprit.