Article ID: 322917
Article Last Modified on 12/3/2007
APPLIES TO
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise x64 Edition
- Microsoft Windows Server 2003, 64-Bit Datacenter Edition
- Microsoft Windows Small Business Server 2003 Premium Edition
- Microsoft Windows Small Business Server 2003 Standard Edition
- Microsoft Windows NT 4.0
This article was previously published under Q322917
SYMPTOMS
After you use Active Directory Migration Tool version 2 (ADMTv2) to perform security translation, you may receive the following error message when you use Microsoft Windows NT 4.0 to view or edit the access control lists (ACLs) of the translated object:
Note that even when this problem occurs, security is still correctly processed and proper access controls are maintained. This problem only occurs when you are using Security Translation in ADD mode.
CAUSE
This problem may occur if you use a beta version of ADMTv2. In that case, the translated security descriptor may be written in a format that cannot be read by computers that are running a version of Windows earlier than Microsoft Windows 2000, such as Windows NT 4.0.
RESOLUTION
This problem was resolved in ADMTv2 build 3624 lab03.
WORKAROUND
To work around this behavior, use REPLACE rather than ADD when you perform security translation.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
MORE INFORMATION
The problem occurs because, in ADD mode, ADMT does not copy the inheritable access control entry (ACE) when a non-inheritable ACE for the same security identifier (SID) has already been added. In affected builds, TSecurableObject::ResolveACL uses the following code:
    if (EqualSid(otherAce.GetSid(), oldAce.GetSid()))
    {
        bOkToAdd = FALSE;
        break;
    }
Because only the SID is compared, this code prevents the second ACE with the same SID (the inheritable one) from being copied. The logic was therefore changed to compare the ACE type, flags, mask and SID:
    // check ACE type, flag, mask and sid parts
    // note: ignore the ace size part because it is not a determining factor
    if (EqualSid(otherAce.GetSid(), oldAce.GetSid()) &&
        otherAce.GetType() == oldAce.GetType() &&
        otherAce.GetFlags() == oldAce.GetFlags() &&
        otherAce.GetMask() == oldAce.GetMask())
    {
        bOkToAdd = FALSE;
        break;
    }
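The following C++ is an added illustration, not ADMT source code. It models the ADD-mode merge over a constructed two-ACE DACL (an explicit ACE and its inherit-only companion for the same source-domain SID) and runs it once with the SID-only comparison from the affected builds and once with the four-field comparison from the fix. The Ace struct, the SID strings, and the function names are assumptions made for the example; the ACE type and flag values are those from winnt.h.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical stand-in for a Windows ACE carrying the four fields the fixed
// comparison examines. A string SID stands in for EqualSid(); ace size is
// omitted because, as the fix notes, it is not a determining factor.
struct Ace {
    std::uint8_t  type;
    std::uint8_t  flags;
    std::uint32_t mask;
    std::string   sid;
};

// Values as defined in winnt.h.
constexpr std::uint8_t  ACCESS_ALLOWED_ACE_TYPE = 0x00;
constexpr std::uint8_t  OBJECT_INHERIT_ACE      = 0x01;
constexpr std::uint8_t  CONTAINER_INHERIT_ACE   = 0x02;
constexpr std::uint8_t  INHERIT_ONLY_ACE        = 0x08;
constexpr std::uint32_t GENERIC_ALL             = 0x10000000;

// Constructed sample SIDs (not real domains): the source-domain group being
// translated and the target-domain SID it maps to.
const std::string kSourceSid = "S-1-5-21-1111-2222-3333-1105";
const std::string kTargetSid = "S-1-5-21-4444-5555-6666-1105";

// Comparison used by affected builds: SID only.
bool SameAceSidOnly(const Ace& other, const Ace& candidate) {
    return other.sid == candidate.sid;
}

// Comparison from build 3624: SID plus type, flags and mask.
bool SameAceFull(const Ace& other, const Ace& candidate) {
    return other.sid == candidate.sid &&
           other.type == candidate.type &&
           other.flags == candidate.flags &&
           other.mask == candidate.mask;
}

// ADD-mode security translation: for every ACE naming sourceSid, build a copy
// naming targetSid and append it unless some ACE already in the ACL is "the
// same" under sameAce. The inner loop mirrors the bOkToAdd check in ResolveACL.
std::vector<Ace> TranslateAdd(std::vector<Ace> acl, const std::string& sourceSid,
                              const std::string& targetSid,
                              bool (*sameAce)(const Ace&, const Ace&)) {
    const std::size_t original = acl.size();  // walk only the pre-existing ACEs
    for (std::size_t i = 0; i < original; ++i) {
        if (acl[i].sid != sourceSid) continue;
        Ace candidate = acl[i];
        candidate.sid = targetSid;
        bool bOkToAdd = true;
        for (const Ace& other : acl) {
            if (sameAce(other, candidate)) { bOkToAdd = false; break; }
        }
        if (bOkToAdd) acl.push_back(candidate);
    }
    return acl;
}

// Constructed DACL on a folder: an explicit full-control ACE for the source
// group plus its inherit-only companion that propagates to child objects.
// Both ACEs name the same SID and differ only in flags.
std::vector<Ace> SampleDacl() {
    const std::uint8_t inherit = OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE;
    return {
        {ACCESS_ALLOWED_ACE_TYPE, 0,       GENERIC_ALL, kSourceSid},
        {ACCESS_ALLOWED_ACE_TYPE, inherit, GENERIC_ALL, kSourceSid},
    };
}

// Count ACEs naming sid that carry INHERIT_ONLY_ACE: 0 means the inheritable
// ACE was dropped during translation.
std::size_t CountInheritOnly(const std::vector<Ace>& acl, const std::string& sid) {
    std::size_t n = 0;
    for (const Ace& a : acl)
        if (a.sid == sid && (a.flags & INHERIT_ONLY_ACE)) ++n;
    return n;
}

// Affected-build behaviour: 3 ACEs, no inherit-only ACE for the target SID.
std::vector<Ace> TranslateWithBug() {
    return TranslateAdd(SampleDacl(), kSourceSid, kTargetSid, SameAceSidOnly);
}

// Fixed behaviour: 4 ACEs, both target-SID ACEs present.
std::vector<Ace> TranslateWithFix() {
    return TranslateAdd(SampleDacl(), kSourceSid, kTargetSid, SameAceFull);
}
```

With the SID-only comparison the first translated ACE is appended, and the second candidate (same target SID, different flags) then matches it and is discarded, so the inherit-only ACE for the target SID never reaches the translated ACL. The four-field comparison treats the two candidates as distinct and keeps both. The REPLACE workaround in the article avoids this code path because no second ACE for the same SID is added.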
Keywords: kbbug KB322917