Microsoft KB Archive/322917

Knowledge Base


You receive a "The security information for [path] is not standard and cannot be displayed" error message when you view ACL in Windows NT 4.0 after you upgrade to Windows Server 2003 or Small Business Server 2003

Article ID: 322917

Article Last Modified on 12/3/2007



APPLIES TO

  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Small Business Server 2003 Premium Edition
  • Microsoft Windows Small Business Server 2003 Standard Edition
  • Microsoft Windows NT 4.0



This article was previously published under Q322917

SYMPTOMS

After you use Active Directory Migration Tool version 2 (ADMTv2) to perform security translation, you may receive the following error message when you use Microsoft Windows NT 4.0 to view or edit the access control lists (ACLs) of the translated object:

The security information for [path] is not standard and cannot be displayed. Windows NT 3.x and 4.x support certain features such as Deny Access Control Entries but cannot edit security information which uses these features. The information may have been modified by a computer running Windows NT 5.0, which supports these features and can edit information which uses them.
Do you want to overwrite the current security information?

Note that even when this problem occurs, security is still correctly processed and proper access controls are maintained. This problem only occurs when you are using Security Translation in ADD mode.

CAUSE

This problem may occur if you use a beta version of ADMTv2. If you do so, the translated security descriptor may be written in a format that cannot be read by computers that are running a version of Windows that is earlier than Microsoft Windows 2000.

RESOLUTION

This problem was resolved in ADMTv2 build 3624 lab03.

WORKAROUND

To work around this behavior, use REPLACE rather than ADD when you perform security translation.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

The problem occurs because ADMT does not copy the inheritable access control entry (ACE). In affected builds, TSecurableObject::ResolveACL uses the following code:

    if (EqualSid(otherAce.GetSid(), oldAce.GetSid()))
    {
        bOkToAdd = FALSE;
        break;
    }
                

This code prevents a second ACE with the same security identifier (SID) from being copied. To correct this, the logic was changed to the following code:

    // check ACE type, flag, mask and sid parts
    // note: ignore the ace size part because it is not a determining factor
    if (EqualSid(otherAce.GetSid(), oldAce.GetSid())
        && otherAce.GetType() == oldAce.GetType()
        && otherAce.GetFlags() == oldAce.GetFlags()
        && otherAce.GetMask() == oldAce.GetMask())
    {
        bOkToAdd = FALSE;
        break;
    }
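
The effect of the two checks can be reproduced on a small ACL. The following is an added example, not ADMT source code: it runs a simplified model of ADD-mode translation with each duplicate test. The Ace struct, translateAdd, the SID strings and the sample ACL are assumptions constructed for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Simplified stand-in for an ACE: only the four fields the fixed check compares.
struct Ace {
    std::string sid;  // SID as text (constructed sample values below)
    uint8_t type;     // 0x0 = ACCESS_ALLOWED_ACE_TYPE
    uint8_t flags;    // inheritance flags
    uint32_t mask;    // access mask
};

// Duplicate test as in the affected builds: SID only.
bool sameSidOnly(const Ace& a, const Ace& b) { return a.sid == b.sid; }

// Duplicate test after the fix: SID, type, flags and mask must all match.
bool sameAce(const Ace& a, const Ace& b) {
    return a.sid == b.sid && a.type == b.type && a.flags == b.flags && a.mask == b.mask;
}

// Hypothetical model of ADD mode: keep every source ACE and append a copy that
// carries the target SID unless the duplicate test rejects it.
std::vector<Ace> translateAdd(const std::vector<Ace>& acl, const std::string& from,
                              const std::string& to, bool (*isDup)(const Ace&, const Ace&)) {
    std::vector<Ace> out = acl;
    for (const Ace& src : acl) {
        if (src.sid != from) continue;
        Ace translated = src;
        translated.sid = to;
        bool okToAdd = true;
        for (const Ace& other : out)
            if (isDup(other, translated)) { okToAdd = false; break; }
        if (okToAdd) out.push_back(translated);
    }
    return out;
}

// Constructed sample: an explicit ACE and an inheritable ACE (OI|CI|IO = 0x0B)
// for the same source account.
const std::vector<Ace> kSample = {
    {"S-1-5-21-SRC-1105", 0x0, 0x00, 0x001200A9},
    {"S-1-5-21-SRC-1105", 0x0, 0x0B, 0x001F01FF},
};

int main() {
    auto before = translateAdd(kSample, "S-1-5-21-SRC-1105", "S-1-5-21-DST-2210", sameSidOnly);
    auto after = translateAdd(kSample, "S-1-5-21-SRC-1105", "S-1-5-21-DST-2210", sameAce);
    std::printf("SID-only check: %zu ACEs, fixed check: %zu ACEs\n", before.size(), after.size());
}
```

With the SID-only test, the translated inheritable ACE is rejected because the target SID is already present from the explicit ACE; with the four-field test, both translated ACEs are added.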
                

Keywords: kbbug KB322917