
= Clusters That Are Upgraded from Windows NT 4.0 Do Not Contain the System SID in the Security Descriptor =

Article ID: 812876

Article Last Modified on 2/28/2007


APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise x64 Edition




SYMPTOMS
When you upgrade a Microsoft Windows NT 4.0-based cluster server to Windows Server 2003, or when you upgrade a Windows NT 4.0-based cluster server to a Windows 2000-based cluster server and then to Windows Server 2003, the SYSTEM security identifier (SID) is not added to the security descriptor of the cluster.



WORKAROUND
To work around this issue, assign the SYSTEM account Full Control permissions to the cluster. To do so, follow these steps:
 * 1) Start the Cluster Administrator utility, and then connect to the cluster that you want to add the SYSTEM account to.
 * 2) In the left pane, click the cluster that you want to add the SYSTEM account to.
 * 3) On the File menu, click Properties.
 * 4) Click the Security tab, and then click Add.
 * 5) Type "system" in the "Enter the object names to select (examples)" box, click Check Names, and then click OK.
 * 6) Click SYSTEM in the "Group or user names" box, click to select the Full Control check box under Allow, and then click OK.



STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
The security descriptor of a cluster is a data structure that contains security information associated with that cluster. Security descriptors include information about who owns the object, who can access the object and in what way, and what types of access are audited. To work correctly, some cluster-aware programs or services may require that the Cluster security descriptor contain the SYSTEM SID. Additionally, when you try to use the Cluster Administrator utility to set security permissions on a cluster, you cannot do so unless the SYSTEM account is added to the cluster with Full Control permissions.
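The check described above can be done offline on an exported descriptor. This is an added example, not Microsoft's code: it parses a self-relative security descriptor and reports whether its DACL holds an allow ACE for the SYSTEM SID (S-1-5-18). It assumes the raw descriptor bytes have already been obtained; the two sample descriptors and the access mask are constructed placeholders, not values from a real cluster.

```python
import struct

SYSTEM_SID = "S-1-5-18"   # well-known SID of the SYSTEM (LocalSystem) account
ACCESS_ALLOWED, ACCESS_DENIED = 0x00, 0x01   # ACE types laid out as header, mask, SID
SE_DACL_PRESENT = 0x0004

def sid_to_str(buf, off):
    """Decode the binary SID at buf[off:] into S-R-A-S... form."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def dacl_aces(sd):
    """Yield (ace_type, mask, sid) for allow/deny ACEs in a self-relative SD."""
    _rev, _sbz, control, _own, _grp, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return                      # no DACL present: nothing to enumerate
    ace_count = struct.unpack_from("<H", sd, dacl_off + 4)[0]
    off = dacl_off + 8              # first ACE follows the 8-byte ACL header
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_size < 8:
            raise ValueError("corrupt ACE at offset %d" % off)
        if ace_type in (ACCESS_ALLOWED, ACCESS_DENIED):
            mask = struct.unpack_from("<I", sd, off + 4)[0]
            yield ace_type, mask, sid_to_str(sd, off + 8)
        off += ace_size

def system_allow_masks(sd):
    """Masks of every allow ACE granted to SYSTEM; an empty list means none exists."""
    return [m for t, m, s in dacl_aces(sd) if t == ACCESS_ALLOWED and s == SYSTEM_SID]

# --- constructed sample data (not taken from a real cluster) ---
def _sid(*subs):
    return struct.pack("<BB", 1, len(subs)) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def _sd(sids, mask):
    aces = b"".join(struct.pack("<BBHI", ACCESS_ALLOWED, 0, 8 + len(s), mask) + s for s in sids)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(sids), 0) + aces
    return struct.pack("<BBHIIII", 1, 0, 0x8000 | SE_DACL_PRESENT, 0, 0, 0, 20) + acl

SAMPLE_MASK = 0x3                                        # placeholder mask (assumption)
UPGRADED = _sd([_sid(32, 544)], SAMPLE_MASK)             # Administrators only
REPAIRED = _sd([_sid(32, 544), _sid(18)], SAMPLE_MASK)   # Administrators + SYSTEM

if __name__ == "__main__":
    for name, sd in (("upgraded", UPGRADED), ("repaired", REPAIRED)):
        masks = system_allow_masks(sd)
        print(name, "SYSTEM ACE present" if masks else "SYSTEM SID missing", masks)
```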


© Microsoft Corporation. All rights reserved.