Microsoft KB Archive/289743

= ACL Editor Applies Different Permissions from Security Configuration Editor =

Article ID: 289743

Article Last Modified on 2/21/2007


APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition




This article was previously published under Q289743



SYMPTOMS
When you use ACL Editor to set the security on an object, it inherently sets the Synchronize permission as part of every access control entry (ACE). However, when you use Security Configuration Editor (SCE) to set security, the resulting security descriptor does not have the Synchronize bit set in every ACE, even if you select the same permissions in the same ACL Editor.



CAUSE
This behavior occurs because the security descriptor string that is saved in Group Policy does not have the SYNCHRONIZE bit set when special access is defined. ACL Editor has this bit hard-coded with special access, but the bit is lost during Security Descriptor Definition Language (SDDL) conversion before being saved to the template.
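The following check is an added example, not code from the original article or from Microsoft. It parses the DACL of an SDDL string and lists the access-allowed ACEs whose mask lacks the SYNCHRONIZE bit (0x00100000). The sample descriptors are constructed, the rights table is a subset of the SDDL aliases, and checking only allow ACEs is a simplification made for this example.

```python
import re

SYNCHRONIZE = 0x00100000  # access-mask bit the article says is dropped

# Subset of SDDL rights aliases (file and standard rights) with their masks.
RIGHTS = {
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
}
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^()]*\))+)")


def ace_mask(rights):
    """Convert an SDDL rights field (hex mask or two-letter aliases) to an int."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS[rights[i:i + 2]]  # KeyError: alias outside this subset
    return mask


def aces_missing_synchronize(sddl):
    """Return (trustee, mask) for each allow ACE in the DACL without SYNCHRONIZE."""
    match = DACL_RE.search(sddl)
    if not match:
        return []
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", match.group(1)):
        ace_type, _flags, rights, _obj, _inh_obj, trustee = ace.split(";")[:6]
        if ace_type != "A":  # only access-allowed ACEs are checked here
            continue
        mask = ace_mask(rights)
        if not mask & SYNCHRONIZE:
            findings.append((trustee, mask))
    return findings


# Constructed sample descriptors, not taken from the article.
WITH_SYNC = "D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)"
WITHOUT_SYNC = "D:PAR(A;OICI;FA;;;BA)(A;OICI;0x0200a9;;;BU)"

if __name__ == "__main__":
    for name, sddl in (("with", WITH_SYNC), ("without", WITHOUT_SYNC)):
        for trustee, mask in aces_missing_synchronize(sddl):
            print(f"{name}: ACE for {trustee} mask {mask:#010x} lacks SYNCHRONIZE")
```

Running it over the SDDL strings stored in a security template shows which entries would need to be re-edited after the fix is applied.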



RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

The English version of this fix should have the following file attributes or later:

   Date       Time    Version  Size     File name
   3/21/2001  07:02p  1.0.0.1  542,480  Wsecedit.dll

NOTE: Apply this fix to the computers from which the policy is being modified. For example, if you are editing Group Policy from a Windows 2000 Professional workstation with the Administration Tools installed, you need to apply the fix to that workstation. Existing policies that behave as described in the "Symptoms" section of this article must be re-edited to write the correct information to the policy object.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.



MORE INFORMATION
For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:

265173 The Datacenter Program and Windows 2000 Datacenter Server Product

For additional information about how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base:

296861 Use QChain.exe to Install Multiple Hotfixes with One Reboot

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes


© Microsoft Corporation. All rights reserved.