Microsoft KB Archive/244616

= PRB: Replicating ACLs with Extended Attributes Using Content Deployment in Active Directory Environment =

Article ID: 244616

Article Last Modified on 5/18/2000


APPLIES TO


 * Microsoft Site Server 3.0 Standard Edition




This article was previously published under Q244616



This article discusses a Beta release of a Microsoft product. The information in this article is provided as-is and is subject to change without notice.

No formal product support is available from Microsoft for this Beta product. For information about how to obtain support for a Beta release, see the documentation that is included with the Beta product files, or check the Web location from which you downloaded the release.



SYMPTOMS
One of the following two symptoms may occur, depending on the domain environment:

 * If two servers are members of Windows NT 4.0-style domains, you receive the following error message when you try to view the ACL on a computer running Windows NT 4.0:

The security information for %path% is not standard and cannot be displayed. Windows NT 3.x and 4.x support certain features such as DenyAccess Control Entries but cannot edit security information which uses these features. The information may have been modified by a computer running Windows NT 5.0, which supports these features and can edit information which uses them.

Do you want to overwrite the current security information?

 * If neither computer is a member of an Active Directory domain, ACL replications between Windows NT 4.0 and Windows 2000 may fail with the following error in the Windows NT Application event log:

15179: Could not set ACLs appropriately on file %path%, setting default ACLs on this file.

On the destination, the ACL has been set to Administrators/Full Control.



CAUSE
When Content Deployment cannot resolve a user name that carries a No Access attribute, it falls back to the default ACL of Administrators/Full Control. This avoids a possible security violation in the case where an unresolved user with a Deny Access ACE is a member of a resolved group that has access.

Windows 2000 offers a new, more granular level of Access Control Entries than those available in Windows NT 4.0. In a Windows NT 4.0 domain, the ACL replication completes without error. In an Active Directory-enabled domain, Windows NT 4.0 is unable to resolve these new attributes. Therefore, it takes the safest route and assumes they are No Access ACEs.
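A small model of the fail-closed decision described in this section, added here as an illustration; it is not Site Server code. The `Ace` tuple, the ACE type names, the handling of unresolved allow ACEs, and the sample accounts are assumptions made for the example.

```python
from typing import NamedTuple

class Ace(NamedTuple):
    trustee: str
    ace_type: str   # "allow", "deny", or an extended type the destination does not know
    rights: str

# Fallback described in the article: Administrators/Full Control.
DEFAULT_ACL = [Ace("Administrators", "allow", "Full Control")]
KNOWN_TYPES = {"allow", "deny"}   # assumption: what the NT 4.0 side understands

def effective_type(ace):
    # An ACE type the destination cannot interpret is read as No Access (deny).
    return ace.ace_type if ace.ace_type in KNOWN_TYPES else "deny"

def replicate_fail_closed(source_acl, resolvable):
    """Return (acl, fell_back). Any unresolved deny ACE discards the whole ACL."""
    result = []
    for ace in source_acl:
        kind = effective_type(ace)
        if ace.trustee not in resolvable:
            if kind == "deny":
                return list(DEFAULT_ACL), True
            continue  # assumption: skipping an unresolved allow ACE only removes access
        result.append(Ace(ace.trustee, kind, ace.rights))
    return result, False

def replicate_naive(source_acl, resolvable):
    """Unsafe contrast: silently skip every ACE whose trustee cannot be resolved."""
    return [Ace(a.trustee, effective_type(a), a.rights)
            for a in source_acl if a.trustee in resolvable]

# Constructed sample: alice is denied, but is a member of Editors, which is allowed.
SOURCE_ACL = [Ace("alice", "deny", "Full Control"), Ace("Editors", "allow", "Change")]
# Constructed sample: an extended ACE type on an account the destination cannot resolve.
EXTENDED_ACL = [Ace("bob", "extended", "Read"), Ace("Editors", "allow", "Change")]

if __name__ == "__main__":
    dest_accounts = {"Editors"}   # destination resolves the group but not alice or bob
    print("naive      :", replicate_naive(SOURCE_ACL, dest_accounts))
    print("fail-closed:", replicate_fail_closed(SOURCE_ACL, dest_accounts))
    print("extended   :", replicate_fail_closed(EXTENDED_ACL, dest_accounts))
    print("all known  :", replicate_fail_closed(SOURCE_ACL, {"alice", "Editors"}))
```

In the naive result the deny entry for alice is gone while the Editors allow entry survives, which is the gap the default-ACL fallback closes.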



RESOLUTION
Windows NT 4.0 Service Pack 4 (SP4) offers a new Security Configuration Manager (SCM) that enables the extended attributes on computers running Windows NT 4.0. Install the SCM on all computers running Windows NT 4.0 en route to any computer that is using extended attributes. The SCM is a separate installation that must be run in addition to the SP4 Update.exe program.



MORE INFORMATION
For additional information on Windows NT 4.0 Service Pack 4 (SP4), click the article number below to view the article in the Microsoft Knowledge Base:

152734 How to Obtain the Latest Windows NT 4.0 Service Pack

