Microsoft KB Archive/266712

= SMS: Security Based on Global Groups Fails in Windows 2000 Domains =

Article ID: 266712

Article Last Modified on 10/27/2006

-

APPLIES TO


 * Microsoft Systems Management Server 2.0 Standard Edition
 * Microsoft Systems Management Server 2.0 Service Pack 1
 * Microsoft Systems Management Server 2.0 Service Pack 2
 * Microsoft Systems Management Server 2.0 Service Pack 3

-



This article was previously published under Q266712



SYMPTOMS
After granting Windows 2000 global groups permission within the Systems Management Server Administrator console, users of these groups may not inherit class or instance rights that are defined for the group. Users will be able to connect, and see the various nodes (such as collections), but will not be able to view any objects (such as All Systems).

At the same time, users who are explicitly defined within Systems Management Server security, who do not rely on groups for access, inherit permissions as expected.

NOTE: This may occur in either Windows 2000 Mixed or Native Mode domains.

NOTE: No errors are being generated, not even in the SMSProv log.



CAUSE
The problem occurs when the SMS Provider uses an anonymous connection to retrieve the logged-on user's group membership from the PDC emulator.

There are currently three known scenarios in which this problem occurs:

 * The Everyone group is not a member of the Pre-Windows 2000 Compatible Access group. This can happen if the "Permissions compatible with only Windows 2000 Servers" option is selected during the Dcpromo process, as described in the following article in the Microsoft Knowledge Base:

   257988 Description of Dcpromo Permissions Choices

 * The Default Domain Policy under Computer Configuration|Windows Settings|Local Policies|Security Options|Additional restrictions for anonymous connections is configured to "No access without explicit anonymous permissions".

 * The Pre-Windows 2000 Compatible Access group does not have the requisite directory access permissions.



WORKAROUND
To resolve this problem, obtain the latest service pack for Systems Management Server version 2.0. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

288239 SMS: How to Obtain the Latest Systems Management Server 2.0 Service Pack



MORE INFORMATION
The Systems Management Server Provider makes an anonymous connection to a domain controller in the domain to determine a user's group membership. By default, Windows 2000 permits all authenticated users and members of the Pre-Windows 2000 Compatible Access group to view group membership. Because the Everyone group is a member of the Pre-Windows 2000 Compatible Access group by default, anonymous access can be used to retrieve group membership.
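The following diagnostic script is an added example and is not part of this article or of SMS itself. It checks a domain controller for the first two scenarios listed under CAUSE: whether Everyone (SID S-1-1-0) is still a member of Pre-Windows 2000 Compatible Access, and whether anonymous connections are restricted by policy. It assumes it is run on a domain controller (for example, the PDC emulator) by an account that can read the directory, and that the "No access without explicit anonymous permissions" setting is stored as RestrictAnonymous = 2 under the Lsa registry key.

```powershell
# Added diagnostic check, not from the KB article. Run on a domain controller as a
# user allowed to read the directory and the local Lsa registry key.
function Test-SmsAnonymousLookupBlockers {
    $findings = @()

    # Scenario 1: Everyone must be a member of Pre-Windows 2000 Compatible Access.
    # Well-known SIDs appear in the member attribute as foreign security principals
    # whose CN is the SID string, so Everyone is CN=S-1-1-0,CN=ForeignSecurityPrincipals,...
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainDn = $rootDse.defaultNamingContext
    $group    = [ADSI]"LDAP://CN=Pre-Windows 2000 Compatible Access,CN=Builtin,$domainDn"
    $members  = @($group.member)
    $hasEveryone = $members | Where-Object { $_ -like 'CN=S-1-1-0,CN=ForeignSecurityPrincipals,*' }
    if (-not $hasEveryone) {
        $findings += 'Everyone is not a member of Pre-Windows 2000 Compatible Access (see KB 257988 on the Dcpromo permissions choice).'
    }

    # Scenario 2: policy "No access without explicit anonymous permissions".
    # Assumption: this Windows 2000 policy value is stored as RestrictAnonymous = 2.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if ($lsa -and $lsa.RestrictAnonymous -eq 2) {
        $findings += 'RestrictAnonymous = 2: anonymous group-membership lookups are blocked by domain policy.'
    }

    # Scenario 3 (directory ACLs on the group) is not checked here; review it by hand.
    if ($findings.Count -eq 0) {
        Write-Output 'No known anonymous-lookup blockers found; verify directory permissions on the group (scenario 3).'
    } else {
        $findings | ForEach-Object { Write-Output "FINDING: $_" }
    }
    return $findings
}

Test-SmsAnonymousLookupBlockers
```

A non-empty result identifies which of the listed conditions is blocking the SMS Provider's anonymous lookup, so the matching fix (or the service pack in WORKAROUND) can be applied.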

Additional query words: prodsms

Keywords: kbqfe kbhotfixserver kbbug kbfix kbprb kbsms200presp4fix KB266712

-


© Microsoft Corporation. All rights reserved.