Search Fails to Include Domain Global Group ACLs Correctly

ID: Q225073


The information in this article applies to:


SYMPTOMS

When you configure Site Server Search to crawl files on a remote file server, where you have applied NTFS ACL permissions so that the stand-alone server's local group contains domain global groups, the results set that is returned to the domain user does not include these files, even though the domain user can successfully access the files through network shares.


CAUSE

Site Server Search records the ACLs of the files that it crawls and stores them locally in drive/Microsoft Site Server/Data/Search/Projects/catalogname/search/index

When a user queries this catalog, Search compares that user's access token SID against the ACLs allowed to access the file. If the permissions match, the file is displayed to the user in the results set.

Because the Search server checks ACLs against the groups that it has access to (for example, its own local groups or domain groups), it is unable to confirm a user's access rights by virtue of their domain group's membership in the remote computer's local group. Therefore, the results are not displayed.


WORKAROUND

To work around this problem, assign permissions to files using domain groups, rather than local groups. To do this, use the information specified in the Site Server 3.0 Search online documentation.

Additional query words:


Keywords          : 
Version           : winnt:3.0
Platform          : winnt 
Issue type        : kbprb 

Last Reviewed: April 8, 1999