Microsoft KB Archive/322917

= You receive a "The security information for [path] is not standard and cannot be displayed" error message when you view ACL in Windows NT 4.0 after you upgrade to Windows Server 2003 or Small Business Server 2003 =

Article ID: 322917

Article Last Modified on 12/3/2007


APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition
 * Microsoft Windows NT 4.0




This article was previously published under Q322917



SYMPTOMS
After you use Active Directory Migration Tool version 2 (ADMTv2) to perform security translation, you may receive the following error message when you use Microsoft Windows NT 4.0 to view or edit the access control lists (ACLs) of the translated object:

The security information for [path] is not standard and cannot be displayed. Windows NT 3.x and 4.x support certain features such as Deny Access Control Entries but cannot edit security information which uses these features. The information may have been modified by a computer running Windows NT 5.0, which supports these features and can edit information which uses them.

Do you want to overwrite the current security information?

Note that even when this problem occurs, security is still correctly processed and proper access controls are maintained. This problem only occurs when you are using Security Translation in ADD mode.



CAUSE
This problem may occur if you use a beta version of ADMTv2. If you do so, the translated security descriptor may be written in a format that cannot be read by computers that are running a version of Windows that is earlier than Microsoft Windows 2000.



RESOLUTION
This problem was resolved in ADMTv2 build 3624 lab03.



WORKAROUND
To work around this behavior, use REPLACE rather than ADD when you perform security translation.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
The problem occurs because ADMT does not copy the inheritable access control entry (ACE). In affected builds, TSecurableObject::ResolveACL uses the following code:

    if (EqualSid(otherAce.GetSid, oldAce.GetSid))
    {
        bOkToAdd = FALSE;
        break;
    }

This code prevents the second ACE with the same security identifier (SID) from being copied. As a result, the logic is changed to the following code:

    // check ACE type, flag, mask and sid parts
    // note: ignore the ace size part because it is not determining factor
    if (EqualSid(otherAce.GetSid, oldAce.GetSid) &&
        otherAce.GetType == oldAce.GetType &&
        otherAce.GetFlags == oldAce.GetFlags &&
        otherAce.GetMask == oldAce.GetMask)
    {
        bOkToAdd = FALSE;
        break;
    }
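The following added example is not ADMT source code. It is a simplified, portable model of the two duplicate checks above, showing how the SID-only comparison drops the inheritable ACE in ADD mode while the full comparison keeps it. The `Ace` struct, the function names, the surrounding loop and the sample SIDs are assumptions made for illustration.

```cpp
// Simplified model of the duplicate check; an added example, not ADMT source code.
#include <cstdint>
#include <string>
#include <vector>

struct Ace {           // hypothetical stand-in for an ACE
    uint8_t type;      // 0x00 = ACCESS_ALLOWED_ACE_TYPE
    uint8_t flags;     // 0x01 OBJECT_INHERIT, 0x02 CONTAINER_INHERIT, 0x08 INHERIT_ONLY
    uint32_t mask;     // access mask
    std::string sid;   // string-form SID
};
using Acl = std::vector<Ace>;
// Affected check: a matching SID alone marks the ACE as already present.
bool dup_sid_only(const Ace& a, const Ace& b) { return a.sid == b.sid; }
// Corrected check: type, flags, mask and SID must all match.
bool dup_full(const Ace& a, const Ace& b) {
    return a.sid == b.sid && a.type == b.type && a.flags == b.flags && a.mask == b.mask;
}
// ADD-mode model (the loop is an assumption): for each ACE held by `from`,
// append a copy for `to` unless the check finds it in the ACL already.
Acl add_translated(Acl acl, const std::string& from, const std::string& to,
                   bool (*is_dup)(const Ace&, const Ace&)) {
    const Acl original = acl;
    for (const Ace& old_ace : original) {
        if (old_ace.sid != from) continue;
        Ace new_ace{old_ace.type, old_ace.flags, old_ace.mask, to};
        bool ok_to_add = true;
        for (const Ace& other : acl)
            if (is_dup(other, new_ace)) { ok_to_add = false; break; }
        if (ok_to_add) acl.push_back(new_ace);
    }
    return acl;
}
// Number of ACEs for `sid` that child objects can inherit.
int inheritable_for(const Acl& acl, const std::string& sid) {
    int n = 0;
    for (const Ace& a : acl) if (a.sid == sid && (a.flags & 0x03)) ++n;
    return n;
}
// Constructed sample: a folder ACL holding two ACEs for one source SID.
const std::string kSrc = "S-1-5-21-1000-1000-1000-1105";
const std::string kDst = "S-1-5-21-2000-2000-2000-1105";
Acl sample_acl() {
    return {{0x00, 0x00, 0x001F01FF, kSrc},   // the folder itself, FILE_ALL_ACCESS
            {0x00, 0x0B, 0x10000000, kSrc}};  // inherit-only for children, GENERIC_ALL
}
int main() {  // exits 0 when the SID-only check loses the inheritable ACE and the full check keeps it
    return (inheritable_for(add_translated(sample_acl(), kSrc, kDst, dup_sid_only), kDst) == 0 &&
            inheritable_for(add_translated(sample_acl(), kSrc, kDst, dup_full), kDst) == 1) ? 0 : 1;
}
```

With the full comparison, repeating the translation on an already translated ACL adds nothing, because exact duplicates are still suppressed.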

Keywords: kbbug KB322917


© Microsoft Corporation. All rights reserved.