With IgnoreDomain=1 Option, ACL Can Be Matched to Wrong Account (181812)
The information in this article applies to:
- Microsoft Commercial Internet System 1.0
- Microsoft Site Server 2.0
This article was previously published under Q181812
SYMPTOMS
If you use the IgnoreDomain=1 option, and the same account name exists in
multiple domains, the access control lists (ACLs) can be matched to the
wrong account. If you use the IgnoreDomain=0 option, all user-created local
accounts are lost. These are the built-in accounts: Administrators, Backup
Operators, Everyone, Guests, Interactive, Network, Power Users,
Replicator, Users. The Authenticated Users account, which was added in
Windows NT 4.0 SP3, is treated as if it is a local account. Thus, it is
dropped when IgnoreDomain=0. These are the built-in (system) local groups:
Administrators, Backup Operators, Guests, Power Users, Replicator, Users.
CAUSE
The Content Replication System (CRS) maps ACL entries in one of two ways,
according to the IgnoreDomain flag:
IgnoreDomain=1
Well-known accounts, built-in local groups, and user-created accounts are
correctly mapped to the SID of the account on the end-point computer.
Domain accounts are mapped to the first domain that has that account. The
LookupAccountName request is passed to remote domains if the local domain
does not match the SID of the account. Accounts that are not matched are
dropped.
IgnoreDomain=0 on Target and Source
Well-known accounts and built-in local groups are correctly mapped to the
SID of the well-known account on the end-point computer. User-created
local accounts are dropped. Domain accounts are exactly mapped to preserve
the domain name. The LookupAccountName request will only return a SID if
the account exists in that domain. Accounts that are not matched are
dropped.
WORKAROUND
To work around this problem, assign local accounts to files and folders
only when IgnoreDomain=1, or assign domain accounts only when
IgnoreDomain=0.
RESOLUTION
If this behavior is a serious problem, then apply the fix described below.
The new algorithm for IgnoreDomain=0 in the fix is to strip the domain
name if it is equal to the machine name. This will cause local accounts on
the start-point server to map to local accounts on the end-point server.
If the account does not map to a local account, then it will be dropped.
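The following is an added illustration of the mapping rules from the CAUSE and RESOLUTION sections, not Microsoft's CRS code: a small model in which dictionary order stands in for the order in which LookupAccountName is passed to remote domains, and the machine names, domains, account names and S-1-5-21 SIDs are constructed.

```python
# Constructed model of the CRS ACL mapping rules the article describes.
# Added illustration, not Microsoft's code; all account data and the
# S-1-5-21-... SIDs are made up. The well-known SIDs are the real values.
WELL_KNOWN = {                     # identical SID on every computer
    "Everyone": "S-1-1-0", "Interactive": "S-1-5-4", "Network": "S-1-5-2",
    "Administrators": "S-1-5-32-544", "Users": "S-1-5-32-545",
    "Guests": "S-1-5-32-546", "Power Users": "S-1-5-32-547",
    "Backup Operators": "S-1-5-32-551", "Replicator": "S-1-5-32-552",
}
START_POINT, END_POINT = "SRCWEB", "DSTWEB"   # constructed machine names
# Scope -> {account: SID}. Dict order stands in for the order in which
# LookupAccountName is passed to remote domains (first match wins).
DIRECTORY = {
    "DSTWEB": {"webops": "S-1-5-21-2-1001"},          # end-point local accounts
    "SALES": {"jsmith": "S-1-5-21-3-1105"},           # same name, wrong person
    "CORP":  {"jsmith": "S-1-5-21-4-1201", "editor": "S-1-5-21-4-1202"},
}

def map_acl_entry(entry, ignore_domain, fixed=False, directory=DIRECTORY):
    """Return the SID an ACL entry resolves to on the end-point, or None
    when CRS would drop it. entry is 'DOMAIN\\name' as recorded on the
    start-point; local accounts carry the start-point machine name."""
    domain, _, name = entry.rpartition("\\")
    if name in WELL_KNOWN:                 # well-known accounts, built-in groups
        return WELL_KNOWN[name]
    if ignore_domain:
        # Domain is ignored: end-point local accounts first, then the first
        # domain that has an account of that name, whatever the source domain.
        for scope in [END_POINT] + [d for d in directory if d != END_POINT]:
            if name in directory[scope]:
                return directory[scope][name]
        return None
    if fixed and domain == START_POINT:
        domain = END_POINT                 # fix: strip machine name, look up locally
    return directory.get(domain, {}).get(name)  # exact domain match, else dropped

def map_acl(entries, ignore_domain, fixed=False):
    """Map a whole ACL; dropped entries are reported as None."""
    return {e: map_acl_entry(e, ignore_domain, fixed) for e in entries}

if __name__ == "__main__":
    acl = ["BUILTIN\\Administrators", "SRCWEB\\webops", "CORP\\jsmith"]
    for mode in [(1, False), (0, False), (0, True)]:
        print("IgnoreDomain=%d fixed=%s" % mode, map_acl(acl, *mode))
```

With IgnoreDomain=1 the CORP\jsmith entry lands on the SALES account because SALES is searched first; with the unfixed IgnoreDomain=0 the local webops entry is dropped, and only the fixed algorithm maps it to the end-point local account.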
STATUS
Microsoft has confirmed this to be a problem in Microsoft Commercial
Internet System, version 1.0 SP1 and Microsoft Site Server 2.0 SP1.
A supported fix is now available, but it has not been fully
regression-tested and should be applied only to systems experiencing this specific
problem. Unless you are severely impacted by this specific problem,
Microsoft recommends that you wait for the next Service Pack that contains
this fix. Contact Microsoft Technical Support for more information.
Modification Type: Major
Last Reviewed: 10/24/2003
Keywords: kbbug kbpending kbQFE KB181812