What does the User/Machine Audit log show? What is also shown in the SbClientLog.txt files? Did you inspect those?
The user audit only shows the usual things like last logon times and recovery messages. Nothing suspicious there.
Though the machines have existed for some time now, the audit logs show no entries.
And to top this off, the SbClientLog shows one successful sync after another.
At the top of the file it can be seen that the users are added to the machine, then there's a lot of regular syncing over the next time, but never anything about removing users or being unable to read or write any attributes.
Usually this is because you are looking at the wrong object in the db - get the machine ID from the pre-boot screen and compare that to the object ID in the database - in the case of a machine syncing, but having a different policy than the one in the db, people usually find they are different.
When the next case arises we will compare the IDs just to be on the safe side, but I just realized I didn't mention added users would also work on such a machine.
You see the empty users list, add a new user to this list, sync the machine and the user can successfully log in. As can the previously existing users, though they are still not displayed in the db.
So the machine object seems to be the right one.
Ok. We've got another machine now.
The users are assigned and there is an audit trail for the machine object.
Still the users are not displayed in the "users" section of the machine object's properties.
I'll post the ID as soon as I get it.
The ID on the machine is the same as the object's that I'm looking at in the database.
Perhaps the admin account you are using has restricted groups? If so you won't be able to see any of the objects in the groups you don't have rights to?
No, the account does not have group restrictions.
It even has full admin rights.
I can see the user object & group, the machine & group and there isn't even a group assigned that would be on a higher level than my account.
On a machine that DOES have such a higher group or user assigned, I can still see it, but just can't do certain things. Exactly as it should be.
As a test, log in with an account that has level 32 and a full set of rights.
Sorry. Can't do that.
Level 32 is restricted to a user whose password is stored somewhere secure.
Max level for our team is 25 and our regular level is below that.
No setting or user relevant to the machines or users in question can be higher than this.