Microsoft KB Archive/884117

From BetaArchive Wiki
Knowledge Base


Active Directory object permissions appear to duplicate other permissions in Windows Server 2003

Article ID: 884117

Article Last Modified on 2/7/2007


APPLIES TO

  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise x64 Edition



SYMPTOMS

On a Microsoft Windows Server 2003-based computer, when you use the ADSI Edit utility or use Active Directory Users and Computers to view special permissions for objects in the Active Directory directory service, you see permissions that appear to duplicate other permissions. The following permissions are listed in the Permissions list on the Properties tab of the Permission Entry for ObjectName dialog box:

  • Read name
  • Write name
  • Read Name
  • Write Name

The permissions that are listed differ only by the capitalization of one character in the name. The difference between the permissions is not clear.

CAUSE

The permissions that appear to duplicate other permissions represent permissions for different properties of an attribute. A permission with a lowercase "n" in its name applies to the relative distinguished name of the attribute. A permission with an uppercase "N" in its name applies to the common name (CN) of the attribute.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

The names of attributes that the Active Directory administrative tools display are determined by display specifiers. The display specifier defines the display name of the rdn property as "name" (without the quotation marks). The display specifier defines the display name of the cn property as "Name" (without the quotation marks).

Display specifiers are stored in locale-specific containers. The locale-specific containers are stored in the CN=DisplaySpecifiers container. The CN=DisplaySpecifiers container is stored in the Configuration container. If a display specifier is not available, the Active Directory administrative tools use the display name that is specified by the lDAPDisplayName property.

For more information about display specifiers, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/ms675905.aspx


Keywords: kbwinservds kbactivedirectory kbprb kbpending kbbug kbtshoot KB884117



Send feedback to Microsoft

© Microsoft Corporation. All rights reserved.


Retrieved from ‘https://www.betaarchive.com/wiki/index.php?title=Microsoft_KB_Archive/884117&oldid=209173
the Creative Commons 3.0 ShareAlike (except the Microsoft KB Archive).
Powered by MediaWiki