Removing a User from a Domain Local Group May Not Be Audited (316733)
The information in this article applies to:
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP2
This article was previously published under Q316733 SYMPTOMS
If you remove a user from a different domain (in the same forest) from a domain local group, and if the domain controller on which you perform the removal operation is not a global catalog, the event is audited by Security Accounts Manager (SAM).
Note that SAM auditing must be turned on. For example, the audit policy on the domain controller must include the "Audit Account Management" policy. This is not the same as the "Audit Directory Service Access" policy, which audits the fact that the group object has been modified.
CAUSE
On domain controllers that are not global catalogs, references to users from other domains are stored by using phantoms. For example, if you add a user from another domain to a group, a phantom is created to represent the user so that the membership attribute can link to it in the local database (DIT).
If you are auditing removal from a group, SAM requires information about the user who is being removed. A phantom contains all of the information that is required for the audit (it contains the SID, GUID, and DN), but SAM does not use this information, or permit a network call to be placed to obtain the information from a global catalog.
RESOLUTIONTo resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the
Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
The English version of this fix should have the following file attributes or later:
Date Time Version Size File name
-----------------------------------------------------------
28-Jan-2002 10:59 5.0.2195.4685 123,664 Adsldp.dll
28-Jan-2002 10:59 5.0.2195.4851 130,832 Adsldpc.dll
28-Jan-2002 10:59 5.0.2195.4016 62,736 Adsmsext.dll
28-Jan-2002 10:59 5.0.2195.4873 356,112 Advapi32.dll
28-Jan-2002 10:59 5.0.2195.4797 41,744 Basesrv.dll
28-Jan-2002 10:59 5.0.2195.4874 135,440 Dnsapi.dll
28-Jan-2002 10:59 5.0.2195.4874 95,504 Dnsrslvr.dll
28-Jan-2002 11:06 5.0.2195.4848 521,488 Instlsa5.dll
28-Jan-2002 10:59 5.0.2195.4630 145,680 Kdcsvc.dll
26-Nov-2001 16:33 5.0.2195.4680 199,440 Kerberos.dll
28-Jan-2002 10:59 5.0.2195.4829 708,880 Kernel32.dll
04-Sep-2001 08:32 5.0.2195.4276 71,024 Ksecdd.sys
16-Jan-2002 15:02 5.0.2195.4848 503,568 Lsasrv.dll
16-Jan-2002 15:02 5.0.2195.4848 33,552 Lsass.exe
07-Dec-2001 16:05 5.0.2195.4745 107,280 Msv1_0.dll
28-Jan-2002 10:59 5.0.2195.4874 306,960 Netapi32.dll
28-Jan-2002 10:59 5.0.2195.4874 359,184 Netlogon.dll
28-Jan-2002 10:59 5.0.2195.4797 476,432 Ntdll.dll
28-Jan-2002 10:59 5.0.2195.4879 916,240 Ntdsa.dll
22-Jan-2002 19:22 5.0.2195.4864 1,688,192 Ntkrnlmp.exe
22-Jan-2002 19:25 5.0.2195.4864 1,687,744 Ntkrnlpa.exe
22-Jan-2002 19:26 5.0.2195.4864 1,708,480 Ntkrpamp.exe
22-Jan-2002 19:22 5.0.2195.4864 1,665,856 Ntoskrnl.exe
28-Jan-2002 10:59 5.0.2195.4847 388,368 Samsrv.dll
28-Jan-2002 10:59 5.0.2195.4874 128,784 Scecli.dll
28-Jan-2002 10:59 5.0.2195.4878 299,792 Scesrv.dll
28-Jan-2002 10:59 5.0.2195.4600 48,400 W32time.dll
06-Nov-2001 11:43 5.0.2195.4600 56,592 W32tm.exe
28-Jan-2002 10:59 5.0.2195.4871 125,712 Wldap32.dll
16-Jan-2002 15:02 5.0.2195.4848 503,568 Lsasrv.dll
28-Jan-2002 11:04 5.0.2195.4829 708,880 Kernel32.dll
28-Jan-2002 11:07 5.0.2195.4797 476,432 Ntdll.dll
STATUSMicrosoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.
| Modification Type: | Minor | Last Reviewed: | 9/27/2005 |
|---|
| Keywords: | kbHotfixServer kbQFE kbbug kbfix kbSecurity kbWin2000PreSP3Fix kbWin2000sp3fix KB316733 |
|---|
|