DOCUMENT:Q306642 18-SEP-2001 [sms] TITLE :SMS: Permissions Assigned to Default Domain Local or Local Group PRODUCT :Microsoft Systems Management Server PROD/VER::2.0 OPER/SYS: KEYWORDS:kbsms200 kbsms200bug smsinst ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Systems Management Server version 2.0 ------------------------------------------------------------------------------- SYMPTOMS ======== After you apply the hotfix that is described in Microsoft Knowledge Base article Q266712 on your Systems Management Server (SMS) 2.0 primary site server, users of the SMS Administrator console may be unable to enumerate SMS objects such as collections. This problem can occur regardless of whether the SMS provider (either on the SMS site server or on Microsoft SQL Server) is installed on a member server or a domain controller. Before you applied the hotfix, users could successfully inherit permissions that were assigned to the default domain local or default local computer groups. Examples of the default local groups involved include the Administrators and Power Users groups. For additional information about the hotfix in Q266712, click the article number below to view the article in the Microsoft Knowledge Base: Q266712 SMS: Security Based on Global Groups Fails in Windows 2000 Domains CAUSE ===== When the SMS provider enumerates a user's group membership, it returns the default groups as "BUILTIN." For example, if you assign permissions to the Domain1\Administrators group in SMS Security and then log on as a member of that group, the SMS provider interprets the group membership as BUILTIN\Administrators; you would not receive the assigned permissions. Note that custom user groups that are created by the administrator are not "BUILTIN," and do not experience this problem. WORKAROUND ========== When you define permissions for default (built-in) local groups in the SMS Administrator console, specify "BUILTIN" instead of the domain or computer name. For example, specify "BUILTIN\Administrators" in the SMS User Wizard. STATUS ====== Microsoft has confirmed this to be a problem in the Microsoft products that are listed at the beginning of this article. Additional query words: prodsms ====================================================================== Keywords : kbsms200 kbsms200bug smsinst Technology : kbSMSSearch kbSMS200 Version : :2.0 Issue type : kbbug Solution Type : kbpending ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.