Forest Trust Issues (Group Membership Issues)

Similar Messages

• Question on Group Membership issue in installation

  Hi,
  I am installing the Oracle DB and got this error in the 'Prerequisite Checks':
  'Group Membership: <GroupName>
  This is a prerequisite condition to test where user "<userID>" is a member of the group "<GroupName>"

  SD wrote:
  Hi,
  I am installing the Oracle DB and got this error in the 'Prerequisite Checks':
  'Group Membership: <GroupName>
  This is a prerequisite condition to test where user "<userID>" is a member of the group "<GroupName>"consider reading & following the Installation Guide found at http://tahiti.oracle.com

• Single Label Domain - Corss Forest trust issue!

  Hello There
  We have a single label root domain ex: "abc" trying to establish the external trust with the other forest's root domain which is FQDN ex: xyz.com. The trust seems to be working fine from abc to xyz.com however the trust from xyz.com to abc is an
  issue.
  We are not able to resolve/ping domain abc from xyz.com DC. We are able to ping DCs in abc from xyz.com.
  On xyz.com DNS forwarder are pointing to abc DNS server and WINS has been configured to route to abc WINS. Everytime when I ping abc from xyz.com DC its pointing to some unknown IP.
  on the xyz.com DC tried setting up the registry key AllowSingleLabelDnsDomain, updated the LMHOSTS and host file with abc domain but still unable to resolve the single label domain. We could not suspect that its an issue with the network as we are able to
  ping abc domain DCs from xyz.com
  Thanks in advance.

  Hi,
  It’s not recommended to use LMHOSTS file. Instead, we can use conditional forwarders or secondary DNS zones for DNS resolution between the
  two forests. Besides, we need to open required ports for building inter-forest trust.
  Regarding how to configure name resolution between two forests, the following article can be referred to for more information.
  Trust relationship between Two external forest / Name Resolution
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/f0f384c5-f421-4592-88db-409c171b0567/trust-relationship-between-two-external-forest-name-resolution?forum=winserverDS
  Best regards,
  Frank Shen

• Forest trust - security issues and how to avoid

  Hi guys,
  I have few questions.
  1/Planning do Forest trust.We have Forest + Domain functional level at WS 2003 level.
  In case of trust what are the security issues and how to avoid them? Meant something like browsing in AD, possible hacking from new destination etc.
  2/ What in case that the trust will not be possible create because of security reasons (rejected by other company)? What can be an workaround for that? I have idea with resource forest or ADFS? Any other ideas?
  Thanks in advance or for a good link to study about.
  Petr Weiner

  Other than broad general answers it is difficult to answer this from the negative side.  I work in a very large company where we have hundreds of domains with one way trusts in place and I don't believe we have any security issues in place.  With
  the large numbers of domains we can't operate in any other fashion.  We have a user forest and many resource forests.  All of our domains and forests are operated and maintained within the company but if you have domains operated by different departments
  then you can run into issues on who trusts.  Also if you need to have a situation where you need to trust other companies then you start to look at ADFS, you can also use it internally for many applications as well as cloud services.  But as I already
  mentioned you haven't detailed what exactly is going on so it is hard to try and give you a concrete answer.
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.

• WS2012r2 - Cross-forest trust - Can add groups to user but when I open it again, groups are not listed

  Hello Everyone,
  I hope you can help me resolve this issue, I'm missing something but I don't know what.
  I have 2 ws2012r2 domain controllers, each one with it's own forest (Lets call them A.com and B.com).
  I have a validated 2 way external trust relationship between those domains.
  I've added the domain admin "B\Administrator" to the DL group "A\Administrators", so I have permissions to modify everything on A.com
  From "Active Directory Users and Computers" on B.com, I can see all users and "Domain Local" groups of A.com
  From "Active Directory Users and Computers" on A.com, I can see all users and "Domain Local" groups of B.com
  What I need: Add users from B.com to DL groups in A.com using the "B\Administrator" account
  The problem: I'm able to open a user from B.com, add a DL group from A.com, click Apply, then OK.
  But if I open the user again and go to the "Member of" tab, the group is no longer listed there.
  If I go to the A.com domain and open the DL group membership tab, I can see the user from B.com listed there.
  So there's something wrong, cause even If the user is listed in the group in A.com, It's not assigning the right permissions when trying to access the resources that group grants access to.
  Any ideas what did I do wrong ot forget to do?
  Thanks!

  Hi,
  Have you tried to take a force replication or refresh and then check the membership? Please verify DNS is well configured and we got a GC in both sides of the two forests.
  In addition, please take a look at the below link:
  Understanding the Global Catalog
  Hope that may help
  Best regards
  Michael
  If you have any feedback on our support, please click
  here.
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• AD Group Membership with User From Domain Outside of Forest

  Here's one to twist your brain around -
  I have kerberos authentication using Active Directory working between a client's web browser and my web-app hosted in JBoss. I also have limited authorization working by checking group memberships using LDAP. This currently only works if all users are in the same domain. The ever-helpful adler_steven has detailed in another thread (http://forum.java.sun.com/thread.jspa?threadID=603815&tstart=15) how to do a group membership check for all Users/Groups in a single forest using the Global Context.
  I need to go beyond the domain and even beyond the forest and try to authorize a user from a trusted domain by checking if the user is a member of a group in my domain. Authentication works fine using kerberos. It's the authorization by group check I am having trouble with. I believe there are two ways to approach this:
  Approach #1
  Access the MS-specific PAC in the kerberos token from the client to get the group SIDs. The structure of the PAC is nicely defined in this article: http://appliedcrypto.com/spnego/pac/ms_kerberos_pac.html. However, I have no idea how to access the decrypted token. I pass the encrypted token that I receive from the browser to myGssContext.acceptSecContext(...) to complete the authentication.
  Question: Does anyone know how to get the decrypted kerberos ticket from there, specifically the authorization-data field?
  Approach #2
  Try to walk through the Active Directory structures in both domains using LDAP. In the domain group that I am checking, I can see a member attribute that references a foreignSecurityPrincipal object. The CN of this object happens to be the objectSID of the user I am looking for in the remote domain. Unfortunately, I have to check the remote domain server directly to verify that. The foreignSecurityPrincipal object itself does not contain any hint about what user it refers to aside from the SID (no originalDomainName attribute or something similar). It is feasible that I could walk the chain of references back to the remote domain AD server. That would require that my configuration include a list of remote domain servers to check (since I could have users from multiple trusted domains) and that my JBoss server have access to those servers.
  Question: Does anyone know of some other LDAP-related way of finding information about a user from a remote, trusted domain without having to hit the server for that domain directly?
  adTHANKSvance
  Eric

  You should be able to work back from the foreignSecurityPrincipal object :-) He says with a wry smile..
  This post prompts me to think whether one day someone will draw the entity relationship diagram for AD. Oh well, I've been procrastinating for years, a few more won't hurt !
  If it was a user from within the same forest, you should just be able to perform a search against a GC using the objectSID as the search filter. I've forgotten, but I don't think they will be represented as foreign security principals.
  Have a look at the post titled JNDI, Active Directory and SID's (Security Identifiers) available at
  http://forum.java.sun.com/thread.jspa?threadID=585031&tstart=150 that describes how to search for an object based on their SID.
  Now if it is a user from another forest, with which you have a trust relationship, then we begin the navigation excercise.
  You'll need obtain the user's SID (either from the cn or from the objectSID attributes) from the foreignSecurityPrincipal object. For example CN=S-1-5-21-3771862615-1804478405-1612909269-2143,CN=ForeignSecurityPrincipals,DC=antipodes,DC=com
  objectSID=S-S-1-5-21-3771862615-1804478405-1612909269-2143Then obtain the domain RID, eg.S-1-5-21-3771862615-1804478405-1612909269Next you will have to recurse each of the crossRef objects in the Partitions container, in the configuration naming context (which you will find listed in the RootDSE). The crossref objects that represent trusted domains or forests will have values for their trustParent attributes. A sample query would be something like//specify the LDAP search filter
  String searchFilter = "(&(objectClass=crossRef)(trustParent=*))";
  //Specify the Base for the search
  String searchBase = "CN=Partitions,CN=Configuration,DC=antipodes,DC=com";For each crossRef object, you can then use the dnsRoot attribute to determine the dns domain name of the forest/domain (if you want to later use dns to search for the dns name,ip address of the domain controllers in the trusted domains/forests), and then use the nCName attribute to determine the distinguished name of the trusted forest/domain.dnsRoot = contoso.com
  ncName = dc=contoso,dc=comPerform another bind to the ncName for the trusted domain/forest and retrieve the objectSID attribute, which will be the domain's RID. You may want to cache this information as a lookup table to match domain RID's with domain distingusihed names and dns names.String ldapURL = "ldap://contoso.com:389";
  Attributes attrs = ctx.getAttributes("dc=contoso,dc=com");
  System.out.println("Domain SID: " + attrs.get("objectSID").get());Once you find out which domain matches the RID for the foreignSecurityPrincipal, you can then perform a search for the "real user" .And then finally you should have the user object that represents the foreign security principal !
  Just one thing to note. Assume that CONTOSO and ANTIPODES are two separate forests. If you bind as CONTOSO\cdarwin against the CONTOSO domain, the tokenGroups attribute (which represents teh process token) will contain all of the group memberships of Charles Darwin in the CONTOSO domain/forest. It will not contain his memberships if any, of groups in the ANTIPODES forest. If Charles Darwin accesses a resource in ANTIPODES, then his process token used by the ANTIPODES resource will be updated with his group memberships of the ANTIPODES forest. Also you can have "orphaned foreignn security principal", where the original user object has been deleted !
  BTW, If I was doing this purely on Windows, IIRC, you just use one API call DsCrackNames, to get the "real user", and then the appropriate ImpersonateUser calls to update the process token etc..
  Good luck.

• ARB issue: Group Scale Grid

  Posted last night:
  http://opensource.adobe.com/wiki/display/flexsdk/Group+Scale+Grid
  Comments appreciated.

  On Tuesday 24 Feb 2009, Matt Chotin wrote:
  > ARB issue: Group Scale Grid
  I've commented there. Will I get email of follow up comments ? There doesn't
  seem to be a 'subscribe' option.
  Tom Chiverton
  Helping to preemptively negotiate customized efficient unique IPOs
  as part of the IT team of the year, '09 and '08
  This email is sent for and on behalf of Halliwells LLP.
  Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at Halliwells LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB. A list of members is available for inspection at the
  registered office together with a list of those non members who are referred to as partners. We use the word partner to refer to a member of the LLP, or an employee or consultant with equivalent standing and qualifications. Regulated by the Solicitors Regulation Authority.
  CONFIDENTIALITY
  This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 2500.
  For more information about Halliwells LLP visit
  www.halliwells.com.

• To enable filtering the Purchase Orders based on Purchasing Group in Issue

  Hi All,
  We are facing one issue
  Currently we are working with Extended Classic Scenario with SRM 5.0 and support pack 11
  If the buyer uses Issue PO transaction in SRM, there are POs from all the buyers.
  There is no filter to allow the buyer to display only POs relevant for his/her Purchasing group.
  To enable filtering the Purchase Orders based on Purchasing Group in Issue Purchase Order transction, we found one
  OSS note : 1162884 - BBP_PPF: Purchasing group as search criteria for PO
  But we found that this oss note is not applicable for our system version
  Could you please help me to resolve this issue by any suggestion or by any other oss note?
  Thanks
  Snehal

  Hi Snehal,
  There is a easy way to do that.
  Go to buyer role in PFCG transaction and look for profile and go inside profile ...look for your transaction...
  for Process PO  transaction -  BBP_PD_PO and you have field BBP_PURGRP...using which you can restrict it on purchasing group..
  You may have to copy same role and create new roles based on purchasing group..
  I feel that basis or Security and Authorization team can help you in this matter.
  Regards,Nishant

• Cisco ISE and forest trusts vs domain trusts

  Hi All,
  Is there any issues with forest trusts with Cisco ISE ?
  I have a customer that had external trusts and ISE was working ok for PEAP MSChapv2 user auth across domains.
  They recently removed external trusts and changed to forest trusts.  Now auth doesn't work.  Initial error was authc ok, authz fail.
  I can search and get lists of AD groups ok for the remote domain. 
  Using the attribute tab, I can't get attributes for users in remote domain.  I'm thinking since I can't see the memberof attribute, none of my authz pollicies will work.
  I have done "leave" and "join" domain again.
  In my lab, I have forest trusts and it actually works ok.  A previous poster talked about kerberos issues across forest trusts ?
  Cheers
  Peter. 

  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ug.pdf
  Kindly find the steps on the page no.170

• Server 2012 R2 no longer able to query objects in a trusted domain over a Forest Trust using Selective Authentication

  I have a scenario in which our enterprise activation servers exist in a domain that is in a separate forest than our offices.  Currently all our domain controllers are 2008 R2 with domain and forest functional levels at 2008 R2.  We have set
  up two-way forest trusts with our office domains using selective authentication.  We then give the domain controllers from our licensing domain the "Allowed to Authenticate" right to the domain controllers in the office domain.  On the
  server 2008 R2 domain controllers in the office domain, we can browse to the appropriate objects in the licensing domain after being presented with an authentication window that allows us to enter credentials for the licensing domain.  However, after
  installing a 2012 R2 domain controller in an office domain, we can not use the 2012 domain controller to browse to the objects in the licensing domain.  It never asks for credentials for the licensing domain when we specify the objects we want to add
  from the licensing domain.  I simply states that the object can not be found.  When I look at the domain controller in the licensing domain, I see that the domain controller in the office domain is attempting to pass the credentials of the user that
  is logged on and this is failing since this user has no rights in the licensing domain.  I can still use a 2008 R2 domain controller in the office domain to add the rights and it works like it always has.  Can somebody tell me why this is happening
  and how to correct it?

  Hi,
  Based on my research, this is a known issue in Windows Server 2012 R2.
  According to the article below: “The Selective Authentication feature of selective trusts is
  not functional. Access to resources enabled by “Allowed to Authenticate” will fail. There is no workaround at this time”.
  Release Notes: Important Issues in Windows Server 2012 R2
  http://technet.microsoft.com/en-us/library/dn387077.aspx
  Best Regards,
  Amy Wang

• Weblogic 10.3.0 -  Security Violation when Group Membership Lookup enabled

  Dear Admins,
  We're running a Weblogic 10.3.0 cluster with our own software deployed.
  We're using SQL authentication (JDBC to Oracle DB) to authenticate users.
  Recently we've been tuning our WL cluster to improve performance, and have enabled Group Membership Lookup Hierarchy Caching.
  Sometimes users log into our application and get inssuficient rights (or some other error). This appears to happen at random. Most of the times they can log in without problems.
  We determined it's not something to do with the cluster, although it can happen on one node and the other node will work as normal.
  In the Managed server we see this error (with test user):
  Managed7Server.out00011:java.rmi.AccessException: [EJB:010160]Security Violation: User: 'test' has insufficient permission to access EJB: type=<ejb>, application=leanapps, module=process_general.jar, ejb=LaLifeProcessController,
  method=create, methodInterface=Home, signature={}.
  When we disable Group Membership Lookup Hierarchy Caching, this error never occurs.
  Our settings (Security Realms -> myrealm -> Providers -> SQL Authenticator -> Performance):
  Max Group Hierarchies In Cache: 5000 (we have approx. 2000 groups)
  Group Hierarchy Cache TTL: 3600
  provider specific settings :
  Group Membership Searching: unlimited
  Max Group Membership Search Level: 0
  Also in Myrealm -> Performance we have set :
  Enable WebLogic Principal Validator Cache
  Max WebLogic Principals In Cache: 5000
  If we put the TTL really low (default 60 seconds), the error hardly ever occurs. But we want to have cache that lasts longer then one minute.
  This might be a bug, as we have other clusters running on WL 10.3.5, 12c where we use the same cache settings. This issue does not occur there.
  I'm more then willing to provide more info or config files
  Edited by: user5974192 on 21-nov-2012 5:17

  This is fixed now. Someone had defined a Servlet for the web service in web.xml that was preventing the EJB container to kick in.
  Edited by: user572625 on Aug 25, 2011 11:54 PM

• "Domain Users" group in Active Directory does not belong to any Group Membership in LC

  Active Directory user belonging to "Domain Users" group does not belong to any Group Membership in LC, why does it not belong to "Domain Users" group?
  Any way to correct this issue, without changing group membership on AD side?
  If Active Directory user is member of "Domain Admins" or "Users" then these show same group membership in LC.
  Thanks.

  If you want to use the Domain Users group for the purpose of representing all the users then you can use the "All principals in domain xxx" group which is created by UM.
  Coming back to Domain Users group. For determining group membership in AD UM uses "member" attribute of the group object. "Domain Users" group is treated differently by AD. It is the default primary group for all the users and normally members of the primary group are not specified using the member attribute.So when we sync the data from AD "Domain Users" membership does not get completed.

• SCCM 2012 CU2 OSD forest trust: ReleaseRequest failed with error code 0x87d00317

  Hello,
  Actually i have a difficult Problem with my SCCM 2012 R2 CU2 Windows 7 x64 SP1 Tasksequence:
  I get the folowing error in smsts.log:
  ::RegQueryValueExW(hSubKey, szReg, NULL, NULL, NULL, &dwSize), HRESULT=80070002 (e:\qfe\nts\sms\framework\tscore\utils.cpp,811) TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  RegQueryValueExW is unsuccessful for Software\Microsoft\SMS\Task Sequence, SMSTSEndProgram TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  GetTsRegValue() is unsuccessful. 0x80070002. TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  End program:  TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  Finalize logging request ignored from process 1736 TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  Waiting for CcmExec service to be fully operational TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  CcmExec service is up and fully operational TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  Access handle will be read from _SMSTSActiveRequestHandle TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  Access handle: {B699D570-B2BF-4874-8CB7-3B208B380969} TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  Attempting to release request using {B699D570-B2BF-4874-8CB7-3B208B380969} TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  CoCreateInstance succeeded TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  pISoftwareExecutionRequestMgr->ReleaseRequest(ActiveRequestGUID), HRESULT=87d00317 (e:\nts_sccm_release\sms\client\tasksequence\tsmanager\tsmanagerutils.cpp,136) TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  ReleaseRequest failed with error code 0x87d00317 TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  Task Sequence Manager could not release active TS request. code 87D00317 TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
  Here is the complete smsts.log: http://1drv.ms/1pwTEBf
  To explain the Problem in Detail:
  The SCCM Primary Site Server and the Clients are in different trusted (bidirectional) forests!
  Everythings working fine in this Scenario, I can install SCCM Agent on the Clients with Manual ccmsetup and with Client Push Installation. Additionally i can deploy Software Updates and so on... only OSD is crashing in the releaserequest step.
  During my Tasksequence new Clients are joined to Domain A while SCCM Primary Site Server is installed in Domain B
  If I change my TS and let the Clients also join Domain B everything works without any Problems and the Tasksequence finish without any Errors.
  My Problem must be related to the different Domains and the forest trust.
  My Setup:
  MP published to DNS in both domains
  Schema Extended in both domains
  System Management Container published and verified in both domains
  ccmsetup Parameters in TS: ccmsetup SMSMP=sccm.domain.b FSP=sccm.domain.b DNSSUFFIX=Domain.b
  Network Access account configured with Domain B account
  Domain Join account has create Computer rights on the OU in Domain A (Domain join is successful)
  DNs conditional forwarders configured in both Domains and DNS resolutin is working in both directions
  Any suggestions?
  Many thanks.
  regards,
  Christian

  Hi Christian,
  So do you actual get an error message in your TS or is it just failing to join Domain B?  (Could be both if the machines fails to join the domain).
  Can you review netsetup.log on the machines after the issue and see what error message you might be getting during the domain join process?
  Also, if it a domain join issue, can you try manually joining to domain B using the same service account?

• Group Membership under Settings/My Account is not updating

  We use an External table for User permissions/Groups to get updated in Group Membership.
  We use our custom tool to create/update new/existing users with the permissions. Then our ETL picks up the changes from the OLTP tables and update User Permission table in our DWH hourly. Now let me explain the present situation. User ABC is an existing user and never used our Report Portal before, we updated ABC user with all the necessary groups to use Report portal and with curiosity she didn't wait until Hourly ETL run and she didn't had the necessary permissions to run any reports in Report portal. But when she login after 1hr/10 hr/ 1 day/2 day, the user won't see the Permissions getting updated in Group Membership. If we check the User permission table in DWH, it is updated with all the new roles, but it is never being updated in 'My Account' Answers. I think this is some kind of Presentation Cache issue, but I did clicked "Reload Files and Metadata" under Settings and "Close All Cursors" under Settings/Manage Sessions. You may also say it may be with the Caching on Initialization Block for the User Permission table, but we did Un-check the 'Use Caching' right below the Row-wise initialization for the corresponding Initialization block. We has 3 users with the same issue now. But when the user waits for certain time (for at least 1hr), and when they login after the actual hourly ETL ran, they were able to get in and use Report Portal without any issue. So, I am kind of sure this is something with CACHING and I might be missing some thing on Clearing this type of Cache. Could someone please help me out on this? This is in PRD and we are not able to find a solution. Any help would be appreciated!
  -Dinesh

  Yes, we are using Initialization Blocks to update the User Groups. Our USER_PERMISSION table has Login, Company_ID, Roles, etc columns in it. The Initialization Block will query on this Table and the query has a where clause in it and the Where clause "where company_id=(select substr(':USER', 0, (instr(':USER', '.')) - 1) from dual) and upper(login)=upper((select substr(':USER', (instr(':USER', '.')) + 1) from dual))) and dw_delete_date is null" from which it will get the roles for each user. And YES, the Caching is turned off for this initialization block.
  And I should try deleting the user folders, but my company has a very strict policy so I should do that in DEv, then QA and in PRD. Hope this works, but I am still not convinced why this is happening. We cannot keep on deleting the user folders in future if this happens again.

• Group membership on AD-bound server is not updating correctly

  I have a 10.6.4 server that is bound to AD with Win2008 domain controllers. I am seeing group membership not update properly on this OS X server. If I type "id -p username" I don't get a full list of groups the user is a member of. If I launch Workgroup Manager, all of the groups are listed. I am using the box as a Subversion server and need the group updates to propagate from AD for Apache authentication to work correctly. Any ideas as to why the propagation is not happening? Is there a way I can flush whatever cache might be causing an issue? Can the group membership list be "refreshed"?

  Yes, we are using Initialization Blocks to update the User Groups. Our USER_PERMISSION table has Login, Company_ID, Roles, etc columns in it. The Initialization Block will query on this Table and the query has a where clause in it and the Where clause "where company_id=(select substr(':USER', 0, (instr(':USER', '.')) - 1) from dual) and upper(login)=upper((select substr(':USER', (instr(':USER', '.')) + 1) from dual))) and dw_delete_date is null" from which it will get the roles for each user. And YES, the Caching is turned off for this initialization block.
  And I should try deleting the user folders, but my company has a very strict policy so I should do that in DEv, then QA and in PRD. Hope this works, but I am still not convinced why this is happening. We cannot keep on deleting the user folders in future if this happens again.