Security Setting Dialog Box Does Not Display Some Security Groups (284776)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2000

This article was previously published under Q284776

SUMMARY

Domain Local groups are not listed on an Active Directory Integrated ISA server when you try to perform either of the following actions:
  • You try to configure a Protocol rule or a Site and Content rule, and then apply this rule to specified groups and users.

    -or-
  • You try to set permissions on objects.
You can add only Domain Global groups in these situations.

Note: If you use ADSIEdit, you may be able to see Domain Local groups.

MORE INFORMATION

By default, ADSIEdit and Active Directory Users and Computers connect to the domain controller of the domain to which the currently logged-on user belongs. However, ISA Server connects to the domain controller of the domain to which the current computer belongs.

As the group properties listed below show, you cannot see the Domain Local groups of any domain other than the one you are currently connected to.

You can see the Domain Local groups of the parent domain when you are connected to the configuration container through the domain controller of the parent domain and the ISA snap-in is connected to the domain controller of the child domain.

Note: You can view the name of the parent domain's Domain Local group from its Security Identifier (SID). Therefore, you can see the correct domain group name in the Security dialog box in the ISA snap-in and in ADSIEdit.exe.

Properties and Capabilities of Various Groups in Windows 2000

Universal Group (Native mode only)

Can include:
  • Principals from any domain in the forest.
  • Other universal groups from any domain in the forest.
  • Global groups from any domain in the forest.
Visible from:
  • All the computers that are in the forest.
Replication:
  • Group name, SID, and member names are all replicated through the global catalog.

Global Group

Can include:
  • Principals from the same domain
  • Other global groups from the same domain (Native mode only)
Visible from:
  • Group name is visible from all the computers that are in the forest
  • Members are not visible from all the computers that are in the forest
Replication:
  • Group name and SID are replicated through the global catalog (GC)
  • Member information is not replicated.

Domain Local

Can include:
  • Principals from any domain in the forest
  • Global groups from any domain in the forest
  • Universal groups from any domain in the forest
  • Other domain local groups from the same domain (Native mode only)
Visible from:
  • All the computers that are in the domain.
  • Not visible from the computers that belong to another domain.
Replication:
  • No Replication
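
The "Visible from" rows above account for the symptom. As an added example (not part of the original article), this Python sketch decodes the Active Directory groupType attribute and lists which groups a tool can show depending on the domain of the domain controller it is connected to. The domain names, group names and helper function names are constructed for illustration.

```python
# Added example, not from the original article. Models the "Visible from"
# rows above; domain and group names are constructed sample data.

# Documented Active Directory groupType flag values.
GLOBAL, DOMAIN_LOCAL, UNIVERSAL = 0x2, 0x4, 0x8

def scope_of(group_type):
    """Decode the group scope from a groupType value.

    Directory tools report groupType as a signed 32-bit integer, so a
    security-enabled group (0x80000000 set) appears as a negative number.
    """
    bits = group_type & 0xFFFFFFFF
    for flag, name in ((GLOBAL, "Global"),
                       (DOMAIN_LOCAL, "DomainLocal"),
                       (UNIVERSAL, "Universal")):
        if bits & flag:
            return name
    raise ValueError(f"no scope flag set in groupType {group_type}")

def visible_groups(groups, connected_domain):
    """Names of the groups a tool can list when bound to a DC of connected_domain."""
    shown = []
    for name, domain, group_type in groups:
        # Domain Local groups are not replicated, so only a domain controller
        # of their own domain can list them. Global and Universal group names
        # are replicated through the global catalog and appear forest-wide.
        if scope_of(group_type) == "DomainLocal" and domain != connected_domain:
            continue
        shown.append(name)
    return shown

# Constructed forest: the administrator's account is in parent.example and
# the ISA Server computer is a member of child.parent.example.
SAMPLE_GROUPS = [
    ("Parent-DL-WebUsers", "parent.example", -2147483644),
    ("Child-DL-WebUsers", "child.parent.example", -2147483644),
    ("Parent-G-Staff", "parent.example", -2147483646),
    ("Forest-U-Auditors", "parent.example", -2147483640),
]

if __name__ == "__main__":
    # ADSIEdit binds to the logged-on user's domain, ISA to the computer's.
    adsiedit_view = visible_groups(SAMPLE_GROUPS, "parent.example")
    isa_view = visible_groups(SAMPLE_GROUPS, "child.parent.example")
    print("ADSIEdit lists:", adsiedit_view)
    print("ISA snap-in lists:", isa_view)
    print("Missing in ISA:", [g for g in adsiedit_view if g not in isa_view])
```
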

Modification Type: Major
Last Reviewed: 12/24/2002
Keywords: kbinfo KB284776