You receive a "The security information for [path] is not standard and cannot be displayed" error message when you view ACL in Windows NT 4.0 after you upgrade to Windows Server 2003 or Small Business Server 2003 (322917)


The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition
  • Microsoft Windows NT 4.0
This article was previously published under Q322917

SYMPTOMS

After you use Active Directory Migration Tool version 2 (ADMTv2) to perform security translation, you may receive the following error message when you use Microsoft Windows NT 4.0 to view or edit the access control lists (ACLs) of the translated object:
The security information for [path] is not standard and cannot be displayed. Windows NT 3.x and 4.x support certain features such as Deny Access Control Entries but cannot edit security information which uses these features. The information may have been modified by a computer running Windows NT 5.0, which supports these features and can edit information which uses them.
Do you want to overwrite the current security information?
Note that even when this problem occurs, security is still correctly processed and proper access controls are maintained. This problem only occurs when you are using Security Translation in ADD mode.

CAUSE

This problem may occur if you use a beta version of ADMTv2. If you do so, the translated security descriptor may be written in a format that cannot be read by computers that are running a version of Windows that is earlier than Microsoft Windows 2000.

RESOLUTION

This problem was resolved in ADMTv2 build 3624 lab03.

WORKAROUND

To work around this behavior, use REPLACE rather than ADD when you perform security translation.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

The problem occurs because ADMT does not copy the inheritable access control entry (ACE) . In affected builds, TSecurableObject::ResolveACL uses the following code: 
if (EqualSid(otherAce.GetSid(), oldAce.GetSid()))
{
bOkToAdd = FALSE;
break;
}
This code prevents the second ACE with the same security identifier (SID) from being copied. As a result, the logic is changed to the following code: 
// check ACE type, flag, mask and sid parts
// note: ignore the ace size part because it is not determining factor
if (EqualSid(otherAce.GetSid(), oldAce.GetSid()) && otherAce.GetType() == oldAce.GetType()
&& otherAce.GetFlags() == oldAce.GetFlags() && otherAce.GetMask() == oldAce.GetMask())
{
bOkToAdd = FALSE;
break;
}
Modification Type:MajorLast Reviewed:11/10/2004
Keywords:kbbug KB322917
©2004 Microsoft Corporation. All rights reserved.