Microsoft KB Archive/225073

= Search Fails to Include Domain Global Group ACLs Correctly =

Article ID: 225073

Article Last Modified on 4/10/1999

-

APPLIES TO


 * Microsoft Site Server 3.0 Standard Edition

-



This article was previously published under Q225073



SYMPTOMS
When you configure Site Server Search to crawl files on a remote file server, where you have applied NTFS ACL permissions so that the stand-alone server's local group contains domain global groups, the results set that is returned to the domain user does not include these files, even though the domain user can successfully access the files through network shares.



CAUSE
Site Server Search records the ACLs of the files that it crawls and stores them locally in drive/Microsoft Site Server/Data/Search/Projects/catalogname/search/index

When a user queries this catalog, Search compares that user's access token SID against the ACLs allowed to access the file. If the permissions match, the file is displayed to the user in the results set.

Because the Search server checks ACLs against the groups that it has access to (for example, its own local groups or domain groups), it is unable to confirm a user's access rights by virtue of their domain group's membership in the remote computer's local group. Therefore, the results are not displayed.



WORKAROUND
To work around this problem, assign permissions to files using domain groups, rather than local groups. To do this, use the information specified in the Site Server 3.0 Search online documentation.

Keywords: kbprb kbpending KB225073

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.