Microsoft KB Archive/222523

= Resource Access Issues in Windows NT 3.51 in Windows 2000 Domain =

Article ID: 222523

Article Last Modified on 2/23/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows NT Server 3.51

-



This article was previously published under Q222523



SYMPTOMS
Access to a server resource protected by an ACE that references a Universal group is denied when it should be allowed, or allowed when it should be denied.



CAUSE
Windows 2000 includes two new capabilities that are not supported by Windows NT 3.51 workstations and servers:
 * Universal groups
 * Domain consolidation by moving accounts between domains



RESOLUTION
To avoid these problem cases, upgrade your Windows NT 3.51 workstations and servers to at least Windows NT 4.0.



STATUS
Microsoft has confirmed that this is a problem in Windows 2000.



MORE INFORMATION
When a user who is a member of a Universal group logs on to a Windows NT 3.51 workstation and tries to access a network resource protected by an access control entry (ACE) that references that Universal group, the ACE (whether it allows or denies access) is not considered during the access check. Likewise, if the user's account or groups have been moved from another domain and the user logs on to a Windows NT 3.51 workstation, the user may be improperly granted or denied access to network resources whose ACEs reference the old (pre-move) user or group accounts.

A similar situation occurs when a user whose account or groups have been moved, or who belongs to a Universal group, tries to access a Windows NT 3.51 server whose resources are protected by ACEs that reference the old user or group accounts or the Universal group. Because the Windows NT 3.51 server does not consider these ACEs during access checking, the user may be improperly granted or denied access to the server.

These inconsistencies result from the fact that Windows NT 3.51 access tokens do not support:
 * SIDs of Universal groups defined outside of the user's account domain
 * SID history entries (the sIDHistory attribute: the SIDs a user or group held in its former domain before being moved)

A Windows NT 3.51 access token contains only SIDs from the user's account domain. SIDs from other domains, namely SIDs of Universal groups defined in other domains and the SID history of moved accounts, do not appear in the token of a user who logs on to a Windows NT 3.51 workstation. Because an ACE whose SID is absent from the token is simply skipped, a skipped deny ACE silently grants access that the administrator intended to block, and a skipped allow ACE denies access that should have been granted.
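The following Python script is an added illustration of the mechanism described above; it is not code from this article or from Windows. It models the DACL walk (ACEs evaluated in order, a matching deny ACE refuses the remaining requested bits, matching allow ACEs clear them, ACEs whose SID is not in the token are skipped) against two tokens for the same user: one as built by a Windows 2000 or Windows NT 4.0 logon, and one filtered to the account domain's SIDs as the article says a Windows NT 3.51 logon does. All domain SIDs, group names and RIDs are constructed sample values, and the simplified `access_check` ignores owner rights, privileges and the generic-to-specific right mapping that the real kernel applies.

```python
"""Simulated Windows access check: a DACL evaluated against a token built by a
Windows 2000/NT 4.0 logon and against one built by a Windows NT 3.51 logon.
Added illustration for this article, not code from the article or from Windows.
All SIDs below are constructed sample values."""
from dataclasses import dataclass

# Constructed sample domain SIDs (not real domains).
ACCOUNT_DOMAIN = "S-1-5-21-1000-1000-1000"   # the user's current account domain
OLD_DOMAIN = "S-1-5-21-2000-2000-2000"       # the domain the user was moved from
OTHER_DOMAIN = "S-1-5-21-3000-3000-3000"     # the domain that defines a Universal group

USER_SID = f"{ACCOUNT_DOMAIN}-1105"
DOMAIN_USERS = f"{ACCOUNT_DOMAIN}-513"
OLD_USER_SID = f"{OLD_DOMAIN}-1105"          # kept in the account's SID history after the move
CONTRACTORS_UG = f"{OTHER_DOMAIN}-1201"      # Universal group defined in another domain

READ, WRITE = 0x1, 0x2


@dataclass
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


def domain_of(sid: str) -> str:
    """Strip the RID; what remains identifies the issuing domain."""
    return sid.rsplit("-", 1)[0]


def build_token(user_sid, groups, sid_history, client="w2k"):
    """Return the SIDs that end up in the user's access token.

    client="w2k"   models a Windows 2000 or Windows NT 4.0 logon: the user SID,
                   every group SID and every SID history entry are present.
    client="nt351" models a Windows NT 3.51 logon as the article describes:
                   only SIDs issued by the user's own account domain survive,
                   so Universal groups from other domains and SID history are lost.
    """
    sids = [user_sid, *groups, *sid_history]
    if client == "nt351":
        sids = [s for s in sids if domain_of(s) == domain_of(user_sid)]
    return sids


def access_check(token_sids, dacl, desired):
    """Simplified DACL walk: ACEs are taken in order; an ACE whose SID is not in
    the token is skipped; a deny ACE covering any still-wanted bit denies;
    allow ACEs clear wanted bits until none remain."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token_sids:
            continue            # a dropped SID means its ACE is never considered
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def _token(client):
    return build_token(USER_SID, [DOMAIN_USERS, CONTRACTORS_UG], [OLD_USER_SID], client)


def deny_on_universal_group(client):
    """Share DACL: Contractors (Universal, other domain) is denied WRITE, then
    Domain Users is allowed READ|WRITE. Does a WRITE request succeed?"""
    dacl = [Ace("deny", CONTRACTORS_UG, WRITE), Ace("allow", DOMAIN_USERS, READ | WRITE)]
    return access_check(_token(client), dacl, WRITE)


def allow_on_old_account(client):
    """Resource still ACLed to the pre-move account SID only. Does READ succeed?"""
    dacl = [Ace("allow", OLD_USER_SID, READ)]
    return access_check(_token(client), dacl, READ)


if __name__ == "__main__":
    for client in ("w2k", "nt351"):
        print(f"{client}: write despite deny on Universal group -> {deny_on_universal_group(client)}; "
              f"read via SID history -> {allow_on_old_account(client)}")
```

Run stand-alone, the script shows the two failure modes side by side: from the Windows NT 3.51 token the deny ACE on the Universal group is never seen, so the write is allowed (the unauthorized-access case), and the allow ACE on the pre-move SID is never seen, so the read is refused (the denial-of-access case). The same DACL yields the intended results for the Windows 2000/NT 4.0 token.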

Keywords: kbenv kbprb KB222523

-


© Microsoft Corporation. All rights reserved.