Microsoft KB Archive/327512

= Cannot Selectively Turn Off Extended Rights on Users =

PSS ID Number: 327512

Article Last Modified on 12/18/2003

-

The information in this article applies to:


 * Microsoft Windows 2000 Server SP1
 * Microsoft Windows 2000 Server SP2
 * Microsoft Windows 2000 Advanced Server SP1
 * Microsoft Windows 2000 Advanced Server SP2

-



This article was previously published under Q327512



SYMPTOMS
There are three places to edit rights in the Advanced view of Security Editor:
 * In Schema Manager for the schema object for a user.
 * On a container when the Access Control Entry (ACE) only applies to users.
 * On individual user objects.

For objects and containers, you can reach the Advanced Rights dialog box by using the Active Directory Users and Computers administrative console snap-in or the ADSI Editor snap-in, which is included with the Support Tools package.

When you try to revoke only one or some of the following rights for users who are covered by the All Extended Rights permission, all of the following rights are revoked:
 * Change Password
 * Receive As
 * Reset Password
 * Send As

For example, when you click the Security tab, click the Advanced button, click an entry that you want to modify, and then click to clear one of the rights check boxes, you may notice that the All Extended Rights check box is cleared also. When you click OK, and then return to the Advanced Rights dialog box, all of the check boxes are cleared.

When All Extended Rights is the only set of flags that is selected for the ACE, the first right that was selected when you previously left the Advanced Rights dialog box stays selected. For example, when you click to clear the Send As check box, the Change Password check box stays selected.



CAUSE
This behavior occurs because there are more distinct rights on users (and on several other object types) than can be represented in the existing 32-bit flag field. Therefore, many of the non-standard rights are represented by Globally Unique Identifiers (GUIDs). To grant or deny one of these rights individually, the ACE must carry the flag together with the GUID of that right, and each ACE can carry only one GUID.



RESOLUTION
To revoke one of the rights listed in the "Symptoms" section of this article, you must add individual ACEs for the remaining rights. You can use Access Control List (ACL) Editor to add individual ACEs for the remaining rights. The following example uses the "Send As" right:
 * 1) Open the properties of the object for which you want to edit user-style rights, click the Security tab, and then click the Advanced button.
 * 2) Double-click the ACE for the account from which you want to revoke "Send As" rights.
 * 3) Select the entry of the user you want to change, click Edit, click to clear the All Extended Rights check box, and then click OK.
 * 4) Create a new ACE, click to select only the All Extended Rights check box, and then click OK.
 * 5) Edit the entry, click to clear the Send As check box, and then click OK.

ACL Editor then adds three ACEs to the list, one for each of the remaining extended rights.

To remove more than one flag, you can either remove more rights at step 2, or you can delete some of the new ACEs that you created at step 4.

You may see similar behavior for ACEs that involve rights on other collections, such as All Validated Writes, Create/Delete All Child Objects, and Read/Write All Properties, because the ACE structure has the same one-GUID-per-ACE requirement.
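The split that ACL Editor performs in the steps above, modelled as an added example (not code from this article or from Microsoft): it assumes a simplified ACE with one trustee, one access mask and at most one GUID, the well-known controlAccessRight GUIDs of the four rights the article lists (a real forest defines many more extended rights, which an All Extended Rights ACE also covers), and a constructed SID.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# ADS_RIGHT_DS_CONTROL_ACCESS ("CR" in SDDL): with no ObjectType GUID it means All Extended Rights.
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100

# Well-known controlAccessRight GUIDs for the four rights the article lists.
EXTENDED_RIGHTS: Dict[str, str] = {
    "Change Password": "ab721a53-1e2f-11d0-9819-00aa0040529b",
    "Reset Password": "00299570-246d-11d0-a768-00aa006e0529",
    "Send As": "ab721a54-1e2f-11d0-9819-00aa0040529b",
    "Receive As": "ab721a56-1e2f-11d0-9819-00aa0040529b",
}

@dataclass(frozen=True)
class Ace:
    """Simplified ACCESS_ALLOWED(_OBJECT)_ACE: one trustee, one mask, at most one GUID."""
    trustee: str                       # SID string (constructed for the example)
    mask: int                          # access-mask bits
    object_type: Optional[str] = None  # extended-right GUID, or None for all of them

    def sddl(self) -> str:
        """Render as an SDDL ACE: (type;flags;rights;object_guid;inherit_guid;sid)."""
        rights = "CR" if self.mask == ADS_RIGHT_DS_CONTROL_ACCESS else f"0x{self.mask:x}"
        if self.object_type is None:
            return f"(A;;{rights};;;{self.trustee})"
        return f"(OA;;{rights};{self.object_type};;{self.trustee})"

def revoke_extended_right(ace: Ace, right_name: str,
                          rights: Dict[str, str] = EXTENDED_RIGHTS) -> List[Ace]:
    """Return the ACEs that replace `ace` so that only `right_name` is no longer granted.
    An ACE carries at most one GUID, so an All Extended Rights ACE cannot have one right
    cleared in place; it is split into one ACE per remaining right (plus any other bits)."""
    guid = rights[right_name]
    if not ace.mask & ADS_RIGHT_DS_CONTROL_ACCESS:
        return [ace]                                      # grants no extended rights
    if ace.object_type is not None:                       # already a single-right ACE
        return [] if ace.object_type == guid else [ace]
    result: List[Ace] = []
    leftover = ace.mask & ~ADS_RIGHT_DS_CONTROL_ACCESS
    if leftover:                                          # keep non-extended rights as-is
        result.append(Ace(ace.trustee, leftover))
    for name, g in rights.items():
        if name != right_name:
            result.append(Ace(ace.trustee, ADS_RIGHT_DS_CONTROL_ACCESS, g))
    return result

if __name__ == "__main__":
    original = Ace("S-1-5-21-1000-2000-3000-1105", ADS_RIGHT_DS_CONTROL_ACCESS)  # constructed SID
    for new_ace in revoke_extended_right(original, "Send As"):
        print(new_ace.sddl())
```

The three printed SDDL entries are the three ACEs the article says ACL Editor adds, and they can be compared against what `dsacls` or a security-descriptor dump shows for the object after the manual steps.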



STATUS
This behavior is by design.

Keywords: kbenv kbfix kbprb KB327512

Technology: kbwin2000AdvServ kbwin2000AdvServSearch kbWin2000AdvServSP1 kbWin2000AdvServSP2 kbwin2000Search kbwin2000Serv kbwin2000ServSearch kbwin2000ServSP1 kbwin2000ServSP2 kbWinAdvServSearch

-


© 2004 Microsoft Corporation. All rights reserved.