|
Yesterday morning I had a call from a client's IT person requesting help with one of our applications. The application and supporting files are kept on a network share and are used by two users in this case. Users typically have 'full rights' to the program folder. For this client, this arrangement has worked flawlessly for many years...until last week. Suddenly both users started getting 'Access Denied' windows security warnings when trying to start the program. (naturally, they assumed these were our error messages!) I spent half an hour on the phone trying to walk this junior IT person (everyone else is out on vacation) through troubleshooting the permissions issue. From the server, it appears as though the users have the required privileges, but still navigating to the program folder through explorer prompts for credentials. I have the tech enter her credentials, she gains access, and the application works as expected. Problem solved?...not so fast...she mentioned that she would reboot, try again and let me know the results. Knowing that the issue was not going away, I mentioned a few other possible things to check while trying to drive home the fact that my application is not the problem. Troubleshooting windows AD security/permissions problems are not fun, but it's part of your job. I've received another email this morning telling me that she has tried everything but is still getting the 'Access Denied' message from our program.
"Go forth into the source" - Neal Morse
|
|
|
|
|
Well - you might be able to pass the buck by telling her that she should call the manufacturer of the server?
or, being a bit more serious,
Is it possible to send her off on an honest (but merry) chase as to what changed on the system between the last successful run and the first failure. Window Update, for example? TC/VM update? I've had two perfectly good applications get put to death by an update to the VM's.
You could pleasantly insist that this is vital information in order for you to diagnose the problems. Buck passed (virtually).
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein | "As far as we know, our computer has never had an undetected error." - Weisert | "If you are searching for perfection in others, then you seek disappointment. If you are seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010 |
|
|
|
|
|
Good advice! Thanks!
"Go forth into the source" - Neal Morse
|
|
|
|
|
Did she try to turn it off and on again?
while (true) {
continue;
}
|
|
|
|
|
Well, of course I asked if the file server could be rebooted...who knows with AD...maybe acl on the server is not current with client token??? I'm a coder not a network security expert!
"Go forth into the source" - Neal Morse
|
|
|
|
|
That was just a reference to The IT Crowd[^]
while (true) {
continue;
}
|
|
|
|
|
Cool! I'll have to check it out!
"Go forth into the source" - Neal Morse
|
|
|
|
|
Who...who are you, and why don't you already know about The IT Crowd?
|
|
|
|
|
I suppose I need to add BBC to my fav list then!
"Go forth into the source" - Neal Morse
|
|
|
|
|
Well you probably should but "The IT Crowd" was on Channel 4 (aka 'not the BBC')
|
|
|
|
|
I found it on netflix. It was funny but it couldn't hold my adhd attention span.
Jack of all trades, master of none, though often times better than master of one.
|
|
|
|
|
We've had problems with AD being a butthead in the past as well. Usually a reboot of the domain controller (and any secondary controllers) fixes the issue.
Most recently for us, the primary DC had temporarily failed over to the secondary, then the secondary refused to relinquish once the primary was ready again. The secondary wasn't serving rights requests properly either, and half the clients on the domain either were getting denied messages like you're seeing, or just plain didn't know which controller to ask. Rebooting both fixed the issue (primary first, I believe, but INANA.)
|
|
|
|
|
Sounds like you already told them and since they didn't hear you, it probably won't go away till the issue is fixed (or you don't answer the phone ). You might mention to them to add/re-add the server and/or pcs to the domain. It happens to us fairly regularly, shouldn't but it is Microsoft. I think the security tokens get screwed up and doing that seems to straighten it out.
Jack of all trades, master of none, though often times better than master of one.
|
|
|
|
|
Thanks! I'll pass on this good advice!
"Go forth into the source" - Neal Morse
|
|
|
|
|
You sell the software and service and support ?
You (your company) should help fix the problem, even if it is not your fault, according to pre-defined support procedures (and more so if it is a paid support).
If you find a solution and or acceptable (by both parties) workaround, then publish it and report the issue as fixed (in your bug/support call tracker).
If you cannot find an acceptable solution or workaround, escalate the issue with you own manager; tell him what you did and what the client did and check with him what would be the next steps in regards to fixing the issue.
Good luck.
I'd rather be phishing!
|
|
|
|
|
Yes, it is paid support, and I absolutely intend to continue to help get it resolved even if it means taking it up the chain on their end. As a last resort, I can help her move the application folder onto each user's machine. (sql database, so no worries there) Not ideal, but it will work.
"Go forth into the source" - Neal Morse
|
|
|
|
|
I've had problems in the past where a user's password has expired at some point after logging in, where an application asks AD for authorisation using the cached credentials after the point of expiry. Getting the user to change their password cured the problem
=========================================================
I'm an optoholic - my glass is always half full of vodka.
=========================================================
|
|
|
|
|
kmoorevs wrote: ...but still navigating to the program folder through explorer prompts for credentials. That right there is proof enough that your program is not even involved.
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
|
|
|
|
|
DavidCrow wrote: That right there is proof enough that your program is not even involved.
Exactly! I probably incorrectly assumed that the tech would understand that and remove me from the equation, but I've just received yet another email asking for help. This time I will remote in and 'see' what is going on.
"Go forth into the source" - Neal Morse
|
|
|
|
|
Had a similar problem a few decades back with a program that would print custom reports. The customer said printing was no longer working. Our support guys worked their way backward and found that the customer's computer could not even print from a command (i.e., DOS) prompt, thus removing our program from the problem. When they still insisted on help, we told them we'd have to charge them a support call. I don't remember what happened after that.
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
|
|
|
|
|
The weather is tres bon and I'm orf to pick up Mrs Wife and girls for afternoon drinkie-poos.
I wonder how North America's doing, just starting their working day.
Have a good weekend y'all.
veni bibi saltavi
|
|
|
|
|
It's chucking it down in Devon, I'll tell you that! A lot more poo than drinkie!
|
|
|
|
|
Same in Wales...but we call that a Welsh Summer.
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
|
|
|
|
|
Out my window it's sunny and bright, the humidity's dropped. However, just as a reminder: North America's a bit larger than Wales (or Hungary). Pretty much any kind of weather you'd care to enjoy is available.
In fact - later in the day I'm sure we can rustle ya' up a tornado or two. Just nowhere near me. All we can offer is periods of rain all weekend . . . or not. Nat'l Weather Service and its clones seem to be getting less reliable with each passing prediction-software upgrade.
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein | "As far as we know, our computer has never had an undetected error." - Weisert | "If you are searching for perfection in others, then you seek disappointment. If you are seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010 |
|
|
|
|
|
Hah! In Wales, any kind of weather you'd care to enjoy is available - provided it involves rain at some point.
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
|
|
|
|