FIX: BUG: MTS Trusted Impersonators Group Name Is Too Long

ID: Q181775

The information in this article applies to:


Unexpected behavior may occur when you access Microsoft Transaction Server (MTS) components that have package security enabled from Internet Information Server 4.0 Active Server Pages on a backup domain controller (BDC) with the latest Windows NT QFE installed. Users who should have access may be denied access and users who do not have access may be allowed. In addition, the ISecurityProperty information can be incorrect.


When Microsoft Transaction Server (or Internet Information Server version 4.0) is installed on a BDC, a global group is created instead of a local group. The "MTS Trusted Impersonators" group name length (25 characters) exceeds the maximum length allowed for a global group name. The global group name has a 20 character limit, but the local group name can have up to 256 characters.


To work around this problem, perform the following the procedure:

1. Shut down the Internet Information Server (IIS) and/or the

   MTS Administrative console.

2. Open a command window.

3. At a command prompt, run "net stop iisadmin /y" to shut down the IIS


4. At a command prompt, run "net stop msdtc" to shut down the Microsoft
   Distributed Transaction Coordinator (DTC) service.

5. At a command prompt, run "mtxstop.exe" to stop all MTS server processes.

6. From the command prompt, run "usrmgr.exe" to start User Manager for


7. Delete the "MTS Trusted Impersonators" global group.

8. Create a new local group named "MTS Trusted Impersonators".

9. Add the IWAM_<MachineName> account to the local group.

10. Close User Manager for Domains.

11. At a command prompt, run "net start mstdc" to restart the DTC service.

12. At a command prompt, run "net start w3svc" to restart the IIS services.


Microsoft has confirmed this to be a problem in Microsoft Transaction Server version 2.0. A supported fix is now available, but has not been fully regression-tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. Contact Microsoft Technical Support for more information.

Keywords          : kbbug2.00 TSrvSecurity 
Version           : WinNT:2.0
Platform          : winnt
Issue type        : kbbug
Solution Type     : kbfix

Last Reviewed: March 5, 1998