Article ID: 810070
Article Last Modified on 2/27/2007
APPLIES TO
- Microsoft Windows 2000 Professional Edition
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows XP Home Edition
- Microsoft Windows XP Professional
- Microsoft Windows NT Server 4.0 Standard Edition
- Microsoft Windows NT Workstation 4.0 Developer Edition
SYMPTOMS
When you try to add a security principal, such as a user or a group, from one domain to a group that is located in a separate trusted domain, the addition of that security principal may be unsuccessful and the Foreign Principal Object (FPO) that is created during the operation to represent this security principal between the two trusts may become corrupted.
CAUSE
This behavior may occur if you have installed previous versions of any of the hotfixes that are described in the "More Information" section of this article.
RESOLUTION
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
WORKAROUND
To work around this problem, remove the previous version of the hotfix, and then reinstall the new updated version.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Microsoft Windows 2000 Service Pack 4.
MORE INFORMATION
When you add a security principal (for example, a user or group) from a particular domain to a group that belongs to another trusted domain, the directory service creates a Foreign Principal Object (FPO) that represents this security principal in the trusted domain to which you want to add it. The versions of the Ntdsa.dll file (versions 5.0.2195.5886 to 5.0.2195.6043) that are installed when you apply previous versions of the hotfixes that are listed in the following Microsoft Knowledge Base articles introduce an incorrect behavior. The FPO that is created when you add security principals to a group that is in a trusted domain may be created without a GUID. This behavior may cause the addition of that security principal to the group to be unsuccessful, and the created FPO to be corrupted.
The hotfixes that are described in the following Microsoft Knowledge Base articles have been updated to include the latest version of the Ntdsa.dll file. If you have installed a previous version of any of these hotfixes, and if your Windows 2000-based network uses multiple domains, remove the previous version of the hotfix and then update your computer with the new updated version of the hotfix.
Affected Hotfixes
327825 New Resolution for Problems That Occur When Users Belong to Many Groups
290816 Underscore in a Network Resource Name for Windows 2000 Cluster Could Not Be Created
304229 16-Bit OLE Servers Started from 16-Bit Programs Create Extra VDMs in Terminal Server Sessions
313494 Microsoft Cryptography API May Not Work If the Default CSP Has Been Set Incorrectly
314446 HasMasterNCs Attributes for Server Objects in the Configuration Container May Become Damaged
318253 Auditing May Not Work for User Logoff
318873 The PKI Dialog Box Appears Multiple Times If You Click Cancel
322346 You Cannot Access Protected Data After You Change Your Password
326797 Some Windows 2000 Active Directory Hotfixes May Cause a Conflict with SP3 for Windows 2000
326836 Windows 2000 Desktop Blinks When Explorer.exe Repeatedly Stops Responding
327784 Windows 2000 Server May Hang After a Local Backup Completes
328477 Services.exe May Hang When You Restart a Service
328567 An Access Violation Occurs When a Program Tries to Update Active Directory
328715 "0x8000500d" Error Message When ADSI Tries to Retrieve an Attribute with a Semicolon in Its Name
325804 User Context May Not Have Sufficient Access Rights When You Use the LogonUser Property
Keywords: kbother kbwin2ksp4fix kbpending kbbug KB810070
