An access control entry may seem to be displayed incorrectly with the sIDHistory attribute (307521)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional

This article was previously published under Q307521

SYMPTOMS

If you add an access control entry (ACE) to an access control list (ACL) for an object whose security identifier (SID) is in a sIDHistory attribute, the ACE may not be displayed as you expect.

CAUSE

When you migrate objects into a Windows 2000-based domain, you can use the sIDHistory attribute. If you use the sIDHistory attribute, the new objects in the Windows 2000-based domain can contain the SID of the migrated object from its originating domain. The sIDHistory attribute of the Windows 2000-based object contains the migrated SIDs.

If both the originating domain object and Windows 2000-based object are accessible, you may not be able to view an ACL on a Windows 2000-based domain resource as you expect. If an ACL is set on a Windows 2000-based domain object with an ACE that contains a SID that exists in both the current Active Directory-based domain (in sIDHistory) and in the originating domain (by a trust), the ACL displays the current Active Directory-based domain name for that object.

For example, if you migrate a user from a Microsoft Windows NT 4.0-based domain (NT4\User) to a Windows 2000-based domain (W2K\User), the Windows 2000-based user account contains both the Windows 2000-based SID and any SIDs that were migrated in the sIDHistory attribute. If a resource in the Windows 2000-based domain sets an ACE that contains "NT4\User," the name resolves to "W2K\User."

The ACE entry in the ACL does contain the "NT4\User" SID, but the display name is the "W2K\User" name.
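
The following is an added example, not part of the original article and not Microsoft code. It is a simplified Python model of the lookup order described above, used to audit an ACL for ACEs whose stored SID differs from the account name that is displayed. The SID values and the names Account, resolve and audit_acl are constructed for illustration; the domain and user names follow the article's example, and NT4\Admin is an assumed account that was never migrated.

```python
from dataclasses import dataclass, field

# Constructed SIDs for illustration only.
NT4_USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
W2K_USER_SID = "S-1-5-21-4444444444-5555555555-6666666666-1105"
NT4_ADMIN_SID = "S-1-5-21-1111111111-2222222222-3333333333-1002"

@dataclass
class Account:
    name: str                                   # DOMAIN\name as displayed
    object_sid: str                             # primary SID of the account
    sid_history: list = field(default_factory=list)  # SIDs migrated from other domains

# Current Windows 2000-based domain: W2K\User carries the NT4 SID in sIDHistory.
CURRENT_DOMAIN = [Account("W2K\\User", W2K_USER_SID, [NT4_USER_SID])]
# Originating domain, reachable by a trust (hypothetical NT4\Admin was not migrated).
TRUSTED_DOMAIN = [Account("NT4\\User", NT4_USER_SID),
                  Account("NT4\\Admin", NT4_ADMIN_SID)]

def resolve(sid):
    """Return (display_name, matched_via); the current domain is consulted first."""
    for acct in CURRENT_DOMAIN:
        if sid == acct.object_sid:
            return acct.name, "objectSid"
        if sid in acct.sid_history:
            return acct.name, "sIDHistory"
    for acct in TRUSTED_DOMAIN:
        if sid == acct.object_sid:
            return acct.name, "trust"
    return sid, "unresolved"                    # no matching account: keep the SID string

def audit_acl(ace_sids):
    """Pair each ACE's stored SID with its displayed name and flag sIDHistory matches."""
    report = []
    for sid in ace_sids:
        name, via = resolve(sid)
        report.append({"stored_sid": sid, "displayed": name, "via": via,
                       "display_differs_from_stored": via == "sIDHistory"})
    return report

if __name__ == "__main__":
    # Constructed ACL: one ACE per SID defined above.
    for row in audit_acl([NT4_USER_SID, W2K_USER_SID, NT4_ADMIN_SID]):
        print(row)
```

The first row is the case in this article: the ACE stores the NT4 SID, the displayed name is W2K\User, and the match came from sIDHistory.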

STATUS

This behavior is by design.

Modification Type: Minor
Last Reviewed: 7/20/2004
Keywords: kbenv kbprb KB307521