Microsoft KB Archive/936925

= You cannot add a domain local group as a group in the policy condition on a Windows Server 2003-based computer that is running the IAS service =

Article ID: 936925

Article Last Modified on 10/11/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
 * Microsoft Windows Server 2003, Datacenter x64 Edition
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Standard x64 Edition

-



SYMPTOMS
When you add a Windows-Groups attribute as a policy condition of a remote access policy, you cannot add a domain local group as a group in the policy condition. This behavior occurs on a Microsoft Windows Server 2003-based computer that is running the Internet Authentication Service (IAS) service. In this situation, no domain local groups appear in the Search results list when you try to configure the policy condition. This behavior occurs even though you have verified that the domain local group exists in the Active Directory directory service.



CAUSE
This behavior occurs because the IAS service does not support using a domain local group as a remote access policy condition. This is true because the security identifier (SID) of a domain local group is not unique throughout the forest.

Note On a Microsoft Windows Code Name "Longhorn"-based computer that is running Network Policy Server, you can select a domain local group as a condition in a network policy.



WORKAROUND
To work around this behavior, follow these steps.

Note Follow these steps if the IAS server is a member server.
 * 1) Create a local group in the security accounts manager (SAM) database.
 * 2) Configure the domain local group as a member of the local group on the member server.
 * 3) Configure the local group as a condition of the remote access policy.
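The following script is an added example that is not part of this article; it performs steps 1 and 2 of the workaround on the IAS member server with the net.exe tool and then verifies the nesting before you go on to step 3. The domain NetBIOS name CONTOSO and the local group name IAS-VPN-Users are assumptions chosen for the example; DomainLocal-1 is the sample domain local group name used later in this article. Step 3 is still performed in the IAS MMC snap-in, where you select the local group (shown as COMPUTERNAME\IAS-VPN-Users) as the Windows-Groups condition instead of the domain local group.

```powershell
# Added example (not from the article): scripts steps 1 and 2 of the workaround.
# Assumed values: domain NetBIOS name CONTOSO and local group name IAS-VPN-Users.
$DomainName       = "CONTOSO"
$DomainLocalGroup = "DomainLocal-1"
$LocalGroup       = "IAS-VPN-Users"
$NestedMember     = "$DomainName\$DomainLocalGroup"

# Step 1: create the local group in the member server's SAM database.
# The local group's SID is scoped to this machine, so IAS can resolve it as a
# policy condition even though the domain local group's SID cannot be used.
& net localgroup $LocalGroup | Out-Null
if ($LASTEXITCODE -ne 0) {
    & net localgroup $LocalGroup /add | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not create local group $LocalGroup." }
}

# Step 2: make the domain local group a member of the local group.
& net localgroup $LocalGroup $NestedMember /add | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not add $NestedMember to $LocalGroup." }

# Verify the nesting before configuring the remote access policy:
# 'net localgroup <name>' lists each member on its own line.
$members = & net localgroup $LocalGroup | ForEach-Object { $_.Trim() }
if ($members -notcontains $NestedMember) {
    throw "$NestedMember is not listed as a member of $LocalGroup."
}
Write-Host "OK: $env:COMPUTERNAME\$LocalGroup contains $NestedMember."
Write-Host "Step 3: in the IAS snap-in, add $env:COMPUTERNAME\$LocalGroup as the Windows-Groups condition."
```

Run the script in an elevated session on the IAS member server itself; it must be the same computer whose SAM database holds the local group, because that group's SID is meaningful only on that machine. Access decisions are still driven by membership in DomainLocal-1 in Active Directory, so managing the domain local group continues to control who matches the policy.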



Steps to reproduce the behavior

 * 1) On a domain controller, create a domain local group. Name this group "DomainLocal-1".
 * 2) Start the IAS Microsoft Management Console (MMC) snap-in on an IAS server that is joined to a domain, and then click Remote Access Policies.
 * 3) In the details pane, right-click a remote access policy, and then click Properties.
 * 4) Click Add.
 * 5) In the Select Attribute dialog box, click Windows-Groups, and then click Add.
 * 6) In the Groups dialog box, click Add.
 * 7) Click Advanced, and then click Find Now.

Notice that DomainLocal-1 does not appear in the Search results list.

