With IgnoreDomain=1 Option, ACL Can Be Matched to Wrong Account

ID: Q181812


The information in this article applies to:


SYMPTOMS

If you use the IgnoreDomain=1 option, and the same account name exists in multiple domains, the access control lists (ACLs) can be matched to the wrong account. If you use the IgnoreDomain=0 option, all user-created local accounts are lost. These are the built-in accounts: Administrators, Backup Operators, Everyone, Guests, Interactive, Network, Power Users, Replicator, Users. The Authenticated Users account, which was added in Windows NT 4.0 SP3, is treated as if it is a local account. Thus, it is dropped when IgnoreDomain=0. These are the built-in (system) local groups: Administrators, Backup Operators, Guests, Power Users, Replicator, Users.


CAUSE

The Content Replication System (CRS) maps ACL entries in one of two ways, according to the IgnoreDomain flag:

IgnoreDomain=1

Well-known accounts, built-in local groups, and user-created accounts are correctly mapped to the SID of the account on the end-point computer. Domain accounts are mapped to the first domain that has that account. The LookupAccountName request is passed to remote domains if the local domain does not match the SID of the account. Accounts that are not matched are dropped.

IgnoreDomain=0 on Target and Source

Well-known accounts and built-in local groups are correctly mapped to the SID of the well-known account on the end-point computer. User-created local accounts are dropped. Domain accounts are exactly mapped to preserve the domain name. The LookupAccountName request will only return a SID if the account exists in that domain. Accounts that are not matched are dropped.


WORKAROUND

To work around this problem, assign local accounts to files and folders only when IgnoreDomain=1, or assign domain accounts only when IgnoreDomain=0.


RESOLUTION

If this behavior is a serious problem, then apply the fix described below. The new algorithm for IgnoreDomain=0 in the fix is to strip the domain name if it is equal to the machine name. This will cause local accounts on the start-point server to map to local accounts on the end-point server. If the account does not map to a local account, then it will be dropped.
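The following is an added illustration, not CRS code: a constructed Python model of the mapping rules in the CAUSE and RESOLUTION sections, showing the wrong-domain match under IgnoreDomain=1, the dropped local account under IgnoreDomain=0, and the fix that strips a domain name equal to the machine name. All machine names, domain names, account names and SIDs are constructed sample data.

```python
# Constructed model of the CRS ACL-mapping rules described above (not CRS code).
# All machine names, domains, account names and SIDs here are constructed sample data.
from typing import Optional

START_POINT = "SRV1"                      # machine whose ACLs are being replicated
END_POINT = "SRV2"                        # machine receiving the replicated ACLs
DOMAIN_SEARCH_ORDER = ["CORP", "SALES"]   # order in which remote domains are asked
WELL_KNOWN = {"BUILTIN"}                  # well-known accounts and built-in local groups

# End-point view of the directory: (authority, name) -> SID.
# "alice" exists in two domains with different SIDs; "svc" is a user-created local account.
DIRECTORY = {
    ("BUILTIN", "Administrators"): "S-1-5-32-544",
    (END_POINT, "svc"): "S-1-5-21-2-1001",
    ("CORP", "alice"): "S-1-5-21-100-1050",
    ("SALES", "alice"): "S-1-5-21-200-1077",
}

def lookup_account_name(authority: str, name: str) -> Optional[str]:
    """Stand-in for LookupAccountName: returns a SID only if the account exists there."""
    return DIRECTORY.get((authority, name))

def map_ace(entry: str, ignore_domain: bool, fixed: bool = False) -> Optional[str]:
    """Map one 'AUTHORITY\\name' ACL entry to an end-point SID, or None if it is dropped."""
    authority, name = entry.split("\\", 1)
    if authority in WELL_KNOWN:
        return lookup_account_name(authority, name)        # same result in both modes
    if ignore_domain:
        if authority == START_POINT:                         # local account: matched by name
            return lookup_account_name(END_POINT, name)
        for domain in DOMAIN_SEARCH_ORDER:                   # first domain with that name wins,
            sid = lookup_account_name(domain, name)          # even when it is the wrong domain
            if sid:
                return sid
        return None
    # IgnoreDomain=0: domain accounts must match exactly; local accounts are dropped
    # unless the fix strips a domain equal to the machine name and retries locally.
    if authority == START_POINT:
        return lookup_account_name(END_POINT, name) if fixed else None
    return lookup_account_name(authority, name)

def map_acl(entries, ignore_domain: bool, fixed: bool = False) -> dict:
    """Map a whole ACL; returns {entry: sid_or_None} so dropped entries stay visible."""
    return {e: map_ace(e, ignore_domain, fixed) for e in entries}

if __name__ == "__main__":
    acl = ["BUILTIN\\Administrators", "SRV1\\svc", "SALES\\alice", "CORP\\bob"]
    for mode, fixed in ((1, False), (0, False), (0, True)):
        print(f"IgnoreDomain={mode}{' (fixed)' if fixed else ''}:", map_acl(acl, bool(mode), fixed))
```

Running the block prints the three mappings side by side; SALES\alice resolving to CORP's SID under IgnoreDomain=1 is the mismatch the article describes.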


STATUS

Microsoft has confirmed this to be a problem in Microsoft Commercial Internet System, version 1.0 SP1 and Microsoft Site Server 2.0 SP1.

A supported fix is now available, but it has not been fully regression-tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. Contact Microsoft Technical Support for more information.



Keywords          : 
Version           : winnt:1.0,2.0
Platform          : winnt 
Issue type        : kbbug 

Last Reviewed: June 30, 1999