Microsoft KB Archive/936925

From BetaArchive Wiki
Revision as of 18:38, 18 July 2020 by 3155ffGd (importing KB archive)
Knowledge Base


Article ID: 936925

Article Last Modified on 10/11/2007



APPLIES TO

  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Standard x64 Edition



SYMPTOMS

When you add a Windows-Groups attribute as a policy condition of a remote access policy, you cannot add a domain local group as a group in the policy condition. This behavior occurs on a Microsoft Windows Server 2003-based computer that is running the Internet Authentication Service (IAS) service. In this situation, no domain local groups appear in the Search results list when you try to configure the policy condition. You experience this behavior even though you have verified that a domain local group exists in the Active Directory directory service.

CAUSE

This behavior occurs because the IAS service does not support using a domain local group as a remote access policy condition. The reason is that the security ID (SID) of a domain local group is not unique throughout the forest.

Note: On a Microsoft Windows Code Name "Longhorn"-based computer that is running Network Policy Server, you can select a domain local group as a condition in a network policy.

WORKAROUND

To work around this behavior, follow these steps.

Note: Follow these steps if the IAS server is a member server.

  1. Create a local group in the security accounts manager (SAM) database.
  2. Configure the domain local group as a member of the local group on the member server.
  3. Configure the local group as a condition of the remote access policy.
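
Steps 1 and 2 can be scripted from a command prompt on the IAS member server. The following batch file is an added example, not part of the original article; the local group name IAS-RemoteAccess and the domain name CONTOSO are placeholders, and DomainLocal-1 is the group name used in the reproduction steps in this article.

```batch
@echo off
rem Added example (not from the KB article). Run on the IAS member server
rem from an account that can manage local groups.
rem Assumptions: IAS-RemoteAccess is a hypothetical local group name and
rem CONTOSO is a placeholder for your domain's NetBIOS name.
setlocal
set "LOCALGROUP=IAS-RemoteAccess"
set "DOMAINGROUP=CONTOSO\DomainLocal-1"

rem Step 1: create the local (SAM) group unless it already exists.
net localgroup "%LOCALGROUP%" >nul 2>&1
if errorlevel 1 (
    net localgroup "%LOCALGROUP%" /add
    if errorlevel 1 goto fail
)

rem Step 2: nest the domain local group in the local group.
rem Skip the add when it is already a member, so a rerun does not fail.
net localgroup "%LOCALGROUP%" | find /i "%DOMAINGROUP%" >nul
if errorlevel 1 (
    net localgroup "%LOCALGROUP%" "%DOMAINGROUP%" /add
    if errorlevel 1 goto fail
)

rem Check: list the members so that unexpected entries are visible.
rem Every member of this local group will match the policy condition.
net localgroup "%LOCALGROUP%"
net localgroup "%LOCALGROUP%" | find /i "%DOMAINGROUP%" >nul
if errorlevel 1 goto fail

echo Done. Step 3: add %LOCALGROUP% to the Windows-Groups condition in the IAS snap-in.
endlocal
exit /b 0

:fail
echo Failed to create or populate "%LOCALGROUP%". Review the net localgroup output above.
endlocal
exit /b 1
```

Because the policy condition now depends on a group stored in the server's SAM database, anyone who can change local group membership on the IAS server can change who matches the remote access policy. Keep the domain local group as the only member and review the membership listing periodically.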


MORE INFORMATION

Steps to reproduce the behavior

  1. On a domain controller, create a domain local group. Name this group "DomainLocal-1."
  2. Start the IAS Microsoft Management Console (MMC) snap-in on an IAS server that is joined to a domain, and then click Remote Access Policies.
  3. In the details pane, right-click a remote access policy, and then click Properties.
  4. Click Add.
  5. In the Select Attribute dialog box, click Windows-Groups, and then click Add.
  6. In the Groups dialog box, click Add.
  7. Click Advanced, and then click Find Now.

Notice that DomainLocal-1 does not appear in the Search results list.

REFERENCES

For more information about the network access policy in Longhorn, visit the following Microsoft Web site:


Additional query words: RADIUS

Keywords: kbtshoot kbenv kbprb KB936925