Microsoft KB Archive/943875

= Authorization Manager in Windows Server 2003 cannot add roles from other domains in the forest after security update 926122 or Windows Server 2003 Service Pack 2 is installed =

Article ID: 943875

Article Last Modified on 11/28/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Datacenter x64 Edition
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems

-



SYMPTOMS
Consider the following scenario:  You have a Windows Server 2003 parent domain and a Windows Server 2003 child domain. Authorization Manager is installed on servers in the parent domain or on servers in the child domain. Security update 926122 or Windows Server 2003 Service Pack 2 is installed on the servers where Authorization Manager is installed. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

926122 MS07-039: Vulnerability in Windows Active Directory could allow remote code execution



In this scenario, you cannot add user accounts from one domain to a role that is in the Authorization Manager store of the other domain. Also, you cannot delete user accounts in one domain from a role that is in the Authorization Manager store of the other domain.

At this point, the operation appears to be successful in the user interface. However, after you close and then reopen Authorization Manager, the user interface presents the settings as they were before the operation.

Additionally, when you try to add new users to a user group by using their object globally unique identifiers (GUIDs), you receive the following Lightweight Directory Access Protocol (LDAP) error message:

DSA is unwilling to perform (53)



CAUSE
Authorization Manager cannot add a user security identifier (SID) that resides in another domain to a role. Also, Authorization Manager cannot delete a user SID that resides in another domain from a role.



Hotfix information
A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows Server 2003 service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Prerequisites
To apply this hotfix, you must have Windows Server 2003 Service Pack 1 or Windows Server 2003 Service Pack 2 installed on the computer. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

889100 How to obtain the latest service pack for Windows Server 2003

Restart requirement
You may have to restart the computer if the Azroles.dll file is being used.

Hotfix replacement information
This hotfix does not replace any other hotfixes.

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Server 2003 with Service Pack 2, x64-based versions


WORKAROUND
To work around this problem, follow these steps:
 * 1) Create a local group in the domain where the Authorization Manager store resides.
 * 2) Add the user account from another domain to the local group.
 * 3) Assign the role to the local group.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.



MORE INFORMATION
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

Additional query words: AzMan

Keywords: kbexpertiseinter kbwinserv2003postsp2fix kbbug kbfix kbhotfixserver kbqfe KB943875

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.