CRS Replicates ACEs of Deleted Accounts During ACL Replication

Last reviewed: February 3, 1998
Article ID: Q164802
The information in this article applies to:
  • Microsoft Commercial Internet System, version 1.0

SYMPTOMS

If an account that is granted permissions on a file is deleted, the corresponding SID is marked as "deleted" in the Windows NT security accounts manager (SAM). However, even though the permissions will not show up for that account in File Manager or Windows Explorer, that same SID still exists in the ACL of the file. The SID will continue to exist in the ACL until any permissions are modified on the file. When this ACL is replicated, content replication server (CRS) will treat the access control entry (ACE) like any other and will attempt to find a valid SID for the ACE at the target computer. If you use the SAM of the deleted account when assigning a valid SID, there is no problem. However, if the file is replicated to a computer running Windows NT Workstation or non-trusted domain, the SID for a local account of the same name may still get assigned to the ACL. In addition, if the ACE is an access denied ACE, all the ACEs in the ACL will be stripped, and the Administrator will be given full control. This is expected behavior for any access denied ACEs that cannot find a valid SID on the destination computer.

RESOLUTION

The Winsock function controlling this has been corrected in the smail.dll file. To fix, install MCIS 1.0 Service Pack 1, which will update the smail.dll file. Now, CRS strips the SIDs of deleted accounts from the ACL at the source, before replicating the ACL.

STATUS

Microsoft has confirmed this to be a problem in Microsoft Commercial Internet System, version 1.0. We are researching this problem and will post new information here in the Microsoft Knowledge Base as it becomes available.

Version           : 1.0
Platform          : WINDOWS
Issue type        : kbbug


================================================================================


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last reviewed: February 3, 1998
© 1998 Microsoft Corporation. All rights reserved. Terms of Use.