Windows – Unable to add myself to any ACL while using Azure AD

Tags: acl, azure-active-directory, security, user-accounts, windows-domain

When I received a new laptop at the beginning of the week, the initial setup walked me through gaining access to my workplace's domain using my work email address, which is also associated with my Microsoft MSDN and/or Office 365 account, I believe. Things were working OK, mostly, but I was having to enter my password more often than I liked, so I decided to formally join my system to the domain. When I tried to do this, I got an error message that I cannot join a domain when I'm already joined to Azure AD. I hadn't heard of that before, but I followed the steps to remove myself from Azure AD and then join the domain.

At this point, things were working better, but I noticed that I now had two profiles with the same domain and user name. My account name is (for example) MYCOMP\bmarty, and I had two directories under C:\users:

C:\users\bmarty
C:\users\bmarty.MYCOMP

I also noticed that if I wanted to add my account to have access to SQL Server or to a directory or file, I could not enter MYCOMP\bmarty to refer to my account. I had to enter my email address, and then my account would resolve properly, and I could get added to the ACL for SQL Server or the file.

Then I found out I should not be on the domain because I am only a contractor using an external device, and not using a system managed by the company. So I deleted all my profiles and added myself back to Azure AD using my email address.

Now my problem is, I can't resolve my account name to grant it access to any resources. The old MYCOMP\bmarty references are obsolete (the account I use to log in now once again does not resolve to the same SID). And now when I try to type MYCOMP\bmarty or my email address I get error messages. When I use MYCOMP\bmarty, I get the message:

The following object is not from a domain listed in the Select
Location dialog box, and is therefore not valid: mycomp\bmarty

When I use my email address, I get the message:

An object (User or Built-in security principal) with the following
name cannot be found: "bmarty@mycomp.com". Check the selected object
types and locations for accuracy and ensure that you have typed the
object name correctly, or remove this object from the selection.

How am I supposed to add the account with which I'm currently logged into Windows to an ACL now? I confirmed that whoami reports mycomp\bmarty and whoami /upn reports bmarty@mycomp.com. I used whoami to look up my SID, but SQL Server's ACL editor (which looks standard just like everywhere else) did not resolve that either, giving me the last error message above.

Best Answer

Although the ACL editors are failing to validate the account name using the provided inputs, there are other means of granting access.

In SQL Server, just type the account name (MYCOMP\bmarty) into the user name field without using the ACL editor. This actually works and allowed me to log in with Windows Authentication and get access to the extra resources.

To address file access, access can be granted to a file from an administrative command prompt with the icacls command:

icacls mydir /grant mycomp\bmarty:(F,WDAC) /T
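The two steps in the answer, scripted in PowerShell as an added example (this is not the answer's own code). It assumes the directory is C:\Data\mydir, the SQL Server instance is localhost, the target database is MyDatabase, and that it is run from an elevated PowerShell prompt; all four are assumptions, so adjust them. Instead of typing the account name into icacls, it reads the logged-in user's SID from whoami /user and grants with the SID form (a leading *), which icacls accepts and which cannot fail on name lookup, then verifies the ACE with Get-Acl. The SQL Server part creates the Windows login by name with CREATE LOGIN ... FROM WINDOWS, which is the same thing the answer does by typing the name into the login field.

```powershell
# Added example, not from the original post. Grant the currently logged-in
# (Azure AD) account access to a directory and a SQL Server database when the
# GUI object picker cannot resolve MYCOMP\bmarty or bmarty@mycomp.com.
# Assumptions (not in the original): directory, instance and database below;
# run from an elevated PowerShell prompt.

$Dir      = 'C:\Data\mydir'
$Instance = 'localhost'
$Database = 'MyDatabase'

# 1. Capture the account name and SID of the logged-in user without any name
#    lookup. "whoami /user /fo csv" prints a header row ("User Name","SID")
#    and one data row, which ConvertFrom-Csv turns into an object.
$who  = whoami /user /fo csv | ConvertFrom-Csv
$Name = $who.'User Name'     # e.g. mycomp\bmarty (matches the question's whoami output)
$Sid  = $who.SID             # Azure AD accounts appear as S-1-12-1-...
Write-Host "Granting access to $Name ($Sid)"

# 2. File system: grant by SID. icacls accepts a numeric SID when it is
#    prefixed with '*', so this works even when MYCOMP\bmarty will not
#    resolve. (OI)(CI) makes the ACE inherit to files and subfolders; F is
#    full control and already includes WDAC, so the answer's (F,WDAC) is
#    equivalent. /T applies the change to existing children as well.
icacls $Dir /grant "*${Sid}:(OI)(CI)F" /T
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# 3. Verify the ACE. When Windows cannot translate the SID to a name, the
#    IdentityReference column shows the raw SID, so match on either form.
(Get-Acl $Dir).Access |
    Where-Object { $_.IdentityReference -like "*$Name*" -or $_.IdentityReference -eq $Sid } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize

# 4. SQL Server: create the Windows login by name, as the answer does, then
#    map it into the database and grant read access. CREATE LOGIN ... FROM
#    WINDOWS does not go through the object picker that fails in the GUI.
$sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Name')
    CREATE LOGIN [$Name] FROM WINDOWS;
GO
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Name')
    CREATE USER [$Name] FOR LOGIN [$Name];
ALTER ROLE db_datareader ADD MEMBER [$Name];
GO
"@
$script = New-TemporaryFile
Set-Content -Path $script.FullName -Value $sql
# -E: Windows authentication; -b: exit with a non-zero code on any SQL error.
sqlcmd -S $Instance -E -b -i $script.FullName
if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
Remove-Item $script.FullName
```

Granting by SID rather than by name is the part worth keeping in mind: the ACE stores a SID either way, so once the SID is in the DACL the access works regardless of whether the ACL editor can later translate it back into a friendly name. The same caveat applies in reverse: if the account is later removed and re-added to Azure AD and ends up with a different SID, as the question describes happening, the old ACEs show as an unresolved SID and have to be granted again.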