DOCUMENT:Q240155  06-AUG-2002  [sms]
TITLE   :MMC Security Rights Do Not Work with More Than 64 Global Groups
PRODUCT :Microsoft Systems Management Server
PROD/VER:winnt:2.0
OPER/SYS:
KEYWORDS:kbSecurity kbsms200 kbsms200bug kbsmsAdmin kbsms200sp2fix

======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Systems Management Server version 2.0
-------------------------------------------------------------------------------

SYMPTOMS
========

If a user is a member of more than 64 global groups, that user may be unable to
gain access to the Microsoft Management Console (MMC) Systems Management Server
(SMS) Administrator Console nodes using class permissions inherited from global
group membership.

CAUSE
=====

This behavior occurs because SMS Provider incorrectly enumerates the global
groups of which the user is a member and may not get the global group to which
the permissions are applied.

RESOLUTION
==========

To resolve this problem, obtain the latest service pack for Systems Management
Server version 2.0. For additional information, click the following article
number to view the article in the Microsoft Knowledge Base:

   Q236325 How to Obtain the Latest Systems Management Server 2.0 Service Pack

WORKAROUND
==========

To work around this behavior, grant explicit class rights to user accounts
instead of to global groups.

STATUS
======

Microsoft has confirmed this to be a problem in Systems Management Server
version 2.0. This problem was first corrected in Systems Management Server
version 2.0 Service Pack 2.

MORE INFORMATION
================

To install the hotfix, use the appropriate method on the Systems Management
Server site server.

Method 1: Using the Hotfix Installer
------------------------------------

NOTE: You can only use this method on I386-based computers.

1. Copy the hotfix folder structure to a share on your network. Q241734.exe is
   a Microsoft Windows Installer file that updates specific files on your site
   server.

2. Log on to your site server using an account with administrative privileges.

3. On the site server, close the Systems Management Server Administrator
   console.

4. Run Q240155.exe and follow the directions in the wizard. You can run the
   file in Quiet mode using the /s switch.

Method 2: Manual Installation
-----------------------------

1. Stop the Systems Management Server Site Component Manager, Systems
   Management Server Executive, and Windows Management services on the site
   server.

2. Replace the Baseutil.dll file in the \bin\ folder with the version obtained
   from the hotfix.

3. Restart the Systems Management Server Site Component Manager, Systems
   Management Server Executive, and Windows Management services.

Additional query words: prodsms global group permission

======================================================================
Keywords          : kbSecurity kbsms200 kbsms200bug kbsmsAdmin kbsms200sp2fix
Technology        : kbSMSSearch kbSMS200
Version           : winnt:2.0
Issue type        : kbbug
Solution Type     : kbfix

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT
CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 2002.
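
An added example, not part of the original article: a small audit that supports the WORKAROUND section above by listing, for each user in more than 64 global groups, the class rights that come only from global group membership and would need an explicit grant. The account, group, class and right names are constructed sample data, and the input format (a membership map plus a list of grants) is an assumption, not an SMS export format.

```python
from collections import defaultdict

GROUP_LIMIT = 64  # threshold stated in the article: "more than 64 global groups"


def explicit_grants_needed(memberships, grants):
    """Return {user: sorted [(object_class, right), ...]} to grant explicitly.

    memberships: {user: set of global group names}
    grants: iterable of (principal, object_class, right); a principal is
            either a user account or a global group.
    """
    by_principal = defaultdict(set)
    for principal, obj_class, right in grants:
        by_principal[principal].add((obj_class, right))

    needed = {}
    for user, groups in memberships.items():
        if len(groups) <= GROUP_LIMIT:
            continue  # only users in MORE than 64 groups show the symptom
        inherited = set()
        for group in groups:
            inherited |= by_principal.get(group, set())
        # Rights the user already holds explicitly are unaffected by the bug.
        missing = inherited - by_principal.get(user, set())
        if missing:
            needed[user] = sorted(missing)
    return needed


def sample_data():
    """Constructed sample: four accounts around the 64-group boundary."""
    filler = {f"CORP\\Group{i:02d}" for i in range(64)}
    admins = "CORP\\SMS Admins"
    memberships = {
        "CORP\\alice": filler | {admins},                # 65 groups, group-only rights
        "CORP\\bob": {admins},                           # 1 group
        "CORP\\carol": filler | {admins},                # 65 groups, explicit rights exist
        "CORP\\dave": set(sorted(filler)[:63]) | {admins},  # exactly 64 groups
    }
    grants = [
        (admins, "Collection", "Read"),
        (admins, "Package", "Modify"),
        ("CORP\\carol", "Collection", "Read"),
        ("CORP\\carol", "Package", "Modify"),
    ]
    return memberships, grants


if __name__ == "__main__":
    for user, rights in explicit_grants_needed(*sample_data()).items():
        print(user, "needs explicit grants:", rights)
```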