With IgnoreDomain=1 Option, ACL Can Be Matched to Wrong AccountID: Q181812
If you use the IgnoreDomain=1 option, and the same account name exists in multiple domains, the access control lists (ACLs) can be matched to the wrong account. If you use the IgnoreDomain=0 option, all user-created local accounts are lost. These are the built-in accounts: Administrators, Backup Operators, Everyone, Guests, Interactive, Network, Power Users, Replicator, Users. The Authenticated Users account, which was added in Windows NT 4.0 SP3, is treated as if it is a local account. Thus, it is dropped when IgnoreDomain=0. These are the built-in (system) local groups: Administrators, Backup Operators, Guests, Power Users, Replicator, Users.
The Content Replication System (CRS) maps ACL entries in one of two ways, according to the IgnoreDomain flag:

IgnoreDomain=1

Well-known accounts, built-in local groups, and user-created accounts are correctly mapped to the SID of the account on the end-point computer. Domain accounts are mapped to the first domain that has that account. The LookupAccountName request is passed to remote domains if the local domain does not match the SID of the account. Accounts that are not matched are dropped.

IgnoreDomain=0 on Target and Source

Well-known accounts and built-in local groups are correctly mapped to the SID of the well-known account on the end-point computer. User-created local accounts are dropped. Domain accounts are exactly mapped to preserve the domain name. The LookupAccountName request will only return a SID if the account exists in that domain. Accounts that are not matched are dropped.
To work around this problem, assign local accounts to files and folders only when IgnoreDomain=1, or assign domain accounts only when IgnoreDomain=0.
If this behavior is a serious problem, then apply the fix described below. The new algorithm for IgnoreDomain=0 in the fix is to strip the domain name if it is equal to the machine name. This will cause local accounts on the start-point server to map to local accounts on the end-point server. If the account does not map to a local account, then it will be dropped.
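The three mapping behaviors described above (IgnoreDomain=1, IgnoreDomain=0, and IgnoreDomain=0 with the fix), as a constructed Python model added here to show how the same entry is mapped, mis-mapped, or dropped under each one. This is not CRS code; the machine names, domains, accounts, SIDs and domain lookup order are all assumptions.

```python
# Constructed model of how CRS maps one ACL entry (domain, account) to a SID on the
# end-point computer under the three behaviors in this article. Not CRS code; every
# machine name, domain, account, SID and lookup order below is made up.
from typing import Dict, List, Optional, Tuple

SOURCE_MACHINE = "WEB00"     # start-point server (assumed name)

# Well-known accounts and built-in local groups have the same SID on every computer.
WELL_KNOWN = {"Everyone": "S-1-1-0", "Administrators": "S-1-5-32-544", "Users": "S-1-5-32-545"}
# User-created local accounts on the end-point (machine-relative SIDs, constructed).
ENDPOINT_LOCAL = {"webops": "S-1-5-21-300-1005"}
# Domain accounts: the same name "jsmith" exists in two different domains.
DOMAINS = {
    ("CORP", "jsmith"): "S-1-5-21-100-1001",
    ("SALES", "jsmith"): "S-1-5-21-200-2002",
}
LOOKUP_ORDER = ["CORP", "SALES"]  # order in which LookupAccountName tries remote domains


def map_entry(domain: str, name: str, ignore_domain: int, fixed: bool = False) -> Optional[str]:
    """Return the end-point SID for an ACL entry, or None if CRS would drop it."""
    if name in WELL_KNOWN:                      # always mapped correctly in every mode
        return WELL_KNOWN[name]
    if ignore_domain == 1:
        # Domain part ignored: local accounts first, then the FIRST domain with that
        # name, which is the wrong account when the name exists in several domains.
        if name in ENDPOINT_LOCAL:
            return ENDPOINT_LOCAL[name]
        for d in LOOKUP_ORDER:
            if (d, name) in DOMAINS:
                return DOMAINS[(d, name)]
        return None
    # IgnoreDomain=0: the domain must match exactly.
    if fixed and domain.upper() == SOURCE_MACHINE:
        # The fix strips a domain equal to the start-point machine name, so a
        # user-created local account maps to the end-point local account of that name.
        return ENDPOINT_LOCAL.get(name)
    return DOMAINS.get((domain, name))          # "WEB00\webops" is not a domain: dropped


def map_acl(acl: List[Tuple[str, str]], ignore_domain: int,
            fixed: bool = False) -> Tuple[Dict[str, str], List[str]]:
    """Map a whole ACL; returns (mapped {entry: sid}, [dropped entries])."""
    mapped, dropped = {}, []
    for domain, name in acl:
        sid = map_entry(domain, name, ignore_domain, fixed)
        if sid:
            mapped[f"{domain}\\{name}"] = sid
        else:
            dropped.append(f"{domain}\\{name}")
    return mapped, dropped


# Constructed sample ACL from the start-point server.
SAMPLE_ACL = [("SALES", "jsmith"), (SOURCE_MACHINE, "webops"), ("BUILTIN", "Administrators")]
```

Running `map_acl(SAMPLE_ACL, 1)` maps SALES\jsmith to the CORP SID, `map_acl(SAMPLE_ACL, 0)` drops WEB00\webops, and `map_acl(SAMPLE_ACL, 0, fixed=True)` keeps all three entries.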
Microsoft has confirmed this to be a problem in Microsoft Commercial Internet System, version 1.0 SP1 and Microsoft Site Server 2.0 SP1.

A supported fix is now available, but it has not been fully regression-tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. Contact Microsoft Technical Support for more information.
Version : winnt:1.0,2.0
Platform : winnt
Issue type : kbbug
Last Reviewed: June 30, 1999