Search Fails to Include Domain Global Group ACLs Correctly (225073)
The information in this article applies to:
- Microsoft Site Server 3.0
This article was previously published under Q225073 SYMPTOMS
When you configure Site Server Search to crawl files on a remote file server, where you have applied NTFS ACL permissions so that the stand-alone server's local group contains domain global groups, the results set that is returned to the domain user does not include these files, even though the domain user can successfully access the files through network shares.
CAUSE
Site Server Search records the ACLs of the files that it crawls and stores them locally in drive/Microsoft Site Server/Data/Search/Projects/catalogname/search/index
When a user queries this catalog, Search compares that user's access token SID against the ACLs allowed to access the file. If the permissions match, the file is displayed to the user in the results set.
Because the Search server checks ACLs against the groups that it has access to (for example, its own local groups or domain groups), it is unable to confirm a user's access rights by virtue of their domain group's membership in the remote computer's local group. Therefore, the results are not displayed.
WORKAROUND
To work around this problem, assign permissions to files using domain groups, rather than local groups. To do this, use the information specified in the Site Server 3.0 Search online documentation.
Modification Type: | Major | Last Reviewed: | 4/10/1999 |
---|
Keywords: | kbprb KB225073 |
---|
|