Article ID: 884049
Article Last Modified on 12/3/2007
APPLIES TO
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, Web Edition
- Microsoft Windows Small Business Server 2003 Premium Edition
- Microsoft Windows Small Business Server 2003 Standard Edition
- Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
- Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
SYMPTOMS
When you are logged on to a Microsoft Windows Server 2003 computer, you view the access control list (ACL) for an object that is contained in the Active Directory directory service. You notice that user accounts that are members of the local Administrators group on the Windows Server 2003 computer appear to have permissions to Active Directory objects.
CAUSE
This problem occurs because the security identifier (SID) for the local Administrators group on a Windows Server 2003 is the same as the SID that is assigned to the Domain Administrators group.
WORKAROUND
To work around this problem, create a new security group, and then add the Domain Admins and Enterprise Admins groups to the security group. Then, use this new security group instead of the Domain Administrators group when you manage ACLs for Active Directory objects.
To create the new security group, follow these steps:
- Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- Expand
DomainName, right-click Users, point to New, and then click Group. - Type a name for your group in the Group name box, click to select either Domain local or Global in the Group scope box, click to select Security in the Group type box, and then click OK.
- In the right pane of the Active Directory Users and Computers snap-in, double-click the domain local security group that you just created.
- On the Members tab, click Add.
- Type the following in the Enter the object names to select (examples) box, and then click OK two times:
domain admins;enterprise admins
When you modify the ACL for an Active Directory object, use this group instead of the Domain Administrators group. This provides the same functionality as the Domain Administrators group, but uses a different SID.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
MORE INFORMATION
This is a problem with the way that effective permissions appear. There is no effect on how the permissions are applied.
The Administrators group in the domain is implemented as a BUILTIN\Administrators group on a domain controller and has a well-known SID of S-1-5-32-544. The local BUILTIN\Administrators group on any member server or workstation also has an SID of S-1-5-32-544.
When Windows Server 2003 calculates the effective permissions of an object, it matches the ACL of the object that is obtained from a domain controller with the SIDs of groups where the user is a member. These group SIDs are obtained locally. If the object ACL contains an SID of S-1-5-32-544 for Administrators group in the domain, and the user is a member of a local Administrators group, Windows Server 2003 cannot distinguish between the two accounts.
This problem is also true in reverse. If the user is a member of Administrators group in the domain and is not the member of local Administrators group, Windows Server 2003 does not show the correct list of permissions. This problem occurs because the group expansion is always performed locally. A computer that is not a domain controller or that is a workstation cannot expand a local group on the domain controller.
Additional query words: access permissions rights view
Keywords: kbnofix kbpermissions kbadmin kbaccounts kbtshoot kbbug kbprb KB884049
