DOCUMENT:Q266712  09-MAY-2002  [sms]
TITLE   :SMS: Security Based on Global Groups Fails in Win 2000 Domains
PRODUCT :Microsoft Systems Management Server
PROD/VER::2.0,2.0 SP1,2.0 SP2,2.0 SP3
OPER/SYS:
KEYWORDS:kbsms200 kbsms120 kbsms120bug kbsms200preSP4fix

======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Systems Management Server versions 2.0, 2.0 SP1, 2.0 SP2, 2.0 SP3
-------------------------------------------------------------------------------

SYMPTOMS
========

After granting Windows 2000 global groups permission within the Systems
Management Server Administrator console, users in these groups may not inherit
the class or instance rights that are defined for the group. Users are able to
connect and see the various nodes (such as Collections), but are not able to
view any objects (such as All Systems). At the same time, users who are
explicitly defined within Systems Management Server security, and who do not
rely on groups for access, inherit permissions as expected.

NOTE: This may occur in either Windows 2000 Mixed or Native Mode domains.

NOTE: No errors are generated, not even in the SMSProv log.

CAUSE
=====

The problem occurs because the SMS Provider uses an anonymous connection to
retrieve the logged-on user's group membership from the PDC emulator. There are
currently three known scenarios in which this problem occurs:

 - The Everyone group is not a member of the Pre-Windows 2000 Compatible Access
   group. This can happen if the "Permissions compatible with only Windows 2000
   Servers" option is selected during the Dcpromo process described in the
   following article in the Microsoft Knowledge Base:

   Q257988 Description of Dcpromo Permissions Choices

 - The Default Domain Policy under Computer Configuration|Windows Settings|Local
   Policies|Security Options|Additional restrictions for anonymous connections
   is configured to "No access without explicit anonymous permissions".

 - The Pre-Windows 2000 Compatible Access group does not have the requisite
   directory access permissions.

WORKAROUND
==========

To resolve this problem, obtain the latest service pack for Systems Management
Server version 2.0. For additional information, please see the following article
in the Microsoft Knowledge Base:

   Q288239 SMS: How to Obtain the Latest Systems Management Server 2.0 Service
   Pack

MORE INFORMATION
================

The Systems Management Server Provider makes an anonymous connection to a domain
controller in the domain to determine a user's group membership. By default,
Windows 2000 permits all authenticated users and members of the Pre-Windows 2000
Compatible Access group to view group membership. Because the Everyone group is
a member of the Pre-Windows 2000 Compatible Access group by default, anonymous
access can be used to retrieve group membership.

Additional query words: prodsms

======================================================================
Keywords          : kbsms200 kbsms120 kbsms120bug kbsms200preSP4fix
Technology        : kbSMSSearch kbSMS200 kbSMS200SP1 kbSMS200SP2 kbSMS200SP3
Version           : :2.0,2.0 SP1,2.0 SP2,2.0 SP3
Issue type        : kbprb
Solution Type     : kbfix

=============================================================================
Copyright Microsoft Corporation 2002.
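The following script is an added example, not part of the Knowledge Base article, that checks a domain controller for the three conditions listed under CAUSE (Everyone's membership in Pre-Windows 2000 Compatible Access, the RestrictAnonymous policy value, and the group's ACEs on the domain root). It assumes a current domain controller with the ActiveDirectory PowerShell module; the article itself predates PowerShell, and the function name Test-Q266712Conditions is made up for this example.

```powershell
# Added example (not from the KB article). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-Q266712Conditions {
    $findings = @()

    # 1. Is Everyone (well-known SID S-1-1-0) still a member of the builtin
    #    Pre-Windows 2000 Compatible Access group? Well-known principals show
    #    up in the group's 'member' attribute as ForeignSecurityPrincipal DNs.
    $group = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
    $everyonePresent = [bool](@($group.member) -match '^CN=S-1-1-0,')
    if (-not $everyonePresent) {
        $findings += 'Everyone is not in Pre-Windows 2000 Compatible Access (scenario 1)'
    }

    # 2. The policy "Additional restrictions for anonymous connections" is stored
    #    as the RestrictAnonymous value under the Lsa key; 2 corresponds to
    #    "No access without explicit anonymous permissions".
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name RestrictAnonymous -ErrorAction SilentlyContinue
    $restrictAnonymous = if ($lsa) { [int]$lsa.RestrictAnonymous } else { 0 }
    if ($restrictAnonymous -eq 2) {
        $findings += 'RestrictAnonymous=2 blocks the anonymous group lookup (scenario 2)'
    }

    # 3. List what the group is actually granted on the domain root so the
    #    result can be compared with the default permissions (scenario 3).
    $domainDn = (Get-ADDomain).DistinguishedName
    $aces = @((Get-Acl -Path "AD:\$domainDn").Access | Where-Object {
        $_.IdentityReference -like '*Pre-Windows 2000 Compatible Access'
    })
    if ($aces.Count -eq 0) {
        $findings += 'Pre-Windows 2000 Compatible Access has no ACEs on the domain root (scenario 3)'
    }

    [PSCustomObject]@{
        EveryoneInPreWin2000Group = $everyonePresent
        RestrictAnonymous         = $restrictAnonymous
        PreWin2000AceCount        = $aces.Count
        Findings                  = $findings
    }
}

Test-Q266712Conditions | Format-List
```

Run it on the PDC emulator; an empty Findings list means none of the three documented scenarios applies, and the service pack named under WORKAROUND remains the actual fix.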