FrontPage Server Extensions and SharePoint Team Services cannot add local groups to roles (321442)


The information in this article applies to:

  • FrontPage 2002 Server Extensions from Microsoft
  • SharePoint Team Services from Microsoft
This article was previously published under Q321442

SYMPTOMS

When you try to add a local group to a role by using the Microsoft FrontPage Server Extensions or SharePoint Team Services from Microsoft administration Web pages, you receive the following error message:
The group "computer name\group name" cannot be added to the role(s) "role name" since Windows does not allow local groups to be nested.

CAUSE

FrontPage Server Extensions and SharePoint Team Services create local groups for each role defined on a web. When you add users or groups to a role, the administration tools try to add all accounts to these local groups. Because Windows does not allow local groups to be nested, you receive the error message when you try to add a local group to a role.

WORKAROUND

To work around this issue, use either of the following methods:
  • Add only user accounts, system groups, or domain groups to FrontPage or SharePoint Team Services roles.

    Note If the server that is using the FrontPage Server Extensions or SharePoint Team Services is a Domain Controller, you will see the same error message that is listed in the "Symptoms" section of this article if you try to add a domain group to a role.
  • Disable the creation of local groups by the Server Extensions. To do this, follow these steps:
    1. Click Start, and then click Run. In the Open box, type regedit.exe, and then press ENTER.
    2. In Registry Editor, locate and select the following subkey (folder):

      HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\All Ports

    3. On the Edit menu, point to New, and then click String Value.
    4. Type NoMachineGroups and then press ENTER to name the value.
    5. Double-click the new value to edit it.
    6. In the Value data box, type 1, and then click OK.
    7. Quit Registry Editor.
By setting this value, you configure user accounts and groups to be written directly to the Access Control List (ACL) of NTFS file system permissions, instead of the local groups.

MORE INFORMATION

FrontPage Server Extensions and SharePoint Team Services create local groups with names that are similar to the following
  • OWS_NUMBER_admin
  • OWS_NUMBER_advauthor
  • OWS_NUMBER_author
  • OWS_NUMBER_browser
  • OWS_NUMBER_collab
where NUMBER is a unique identifier that is automatically generated from the name of the of the Web site. These local groups store the user accounts for the different roles that are available in FrontPage or SharePoint Team Services.
Modification Type:MinorLast Reviewed:10/5/2004
Keywords:kbWebServices kberrmsg kbprb KB321442
©2004 Microsoft Corporation. All rights reserved.