Registrations are now open. Join us today!
There is still a lot of work to do on the wiki yet! More information about editing can be found here.
Already have an account?

Microsoft KB Archive/943875

From BetaArchive Wiki

Article ID: 943875

Article Last Modified on 11/28/2007



APPLIES TO

  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems



SYMPTOMS

Consider the following scenario:

  • You have a Windows Server 2003 parent domain and a Windows Server 2003 child domain.
  • Authorization Manager is installed on servers in the parent domain or on servers in the child domain.
  • Security update 926122 or Windows Server 2003 Service Pack 2 is installed on the servers where Authorization Manager is installed. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

    926122 MS07-039: Vulnerability in Windows Active Directory could allow remote code execution

In this scenario, you cannot add user accounts from one domain to a role that is in the Authorization Manager store of the other domain. Also, you cannot delete user accounts in one domain from a role that is in the Authorization Manager store of the other domain.

At this point, the operation appears to be successful in the user interface. However, after you close and then reopen Authorization Manager, the user interface presents the settings as they were before the operation.

Additionally, when you try to add new users to a user group by using their object globally unique identifiers (GUIDs), you receive the following Lightweight Directory Access Protocol (LDAP) error message:

DSA is unwilling to perform (53)

CAUSE

Authorization Manager cannot add a user security identifier (SID) that resides in another domain to a role. Also, Authorization Manager cannot delete a user SID that resides in another domain from a role.

RESOLUTION

Hotfix information

A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows Server 2003 service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

Prerequisites

To apply this hotfix, you must have Windows Server 2003 Service Pack 1 or Windows Server 2003 Service Pack 2 installed on the computer. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

889100 How to obtain the latest service pack for Windows Server 2003


Restart requirement

You may have to restart the computer if the Azroles.dll file is being used.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Server 2003 with Service Pack 1, x86-based versions
File name File version File size Date Time Platform
Azroles.dll 5.2.3790.3038 234,496 02-Nov-2007 03:31 x86
Windows Server 2003 with Service Pack 2, x86-based versions
File name File version File size Date Time Platform
Azroles.dll 5.2.3790.4181 234,496 02-Nov-2007 07:25 x86
Windows Server 2003 with Service Pack 1, Itanium-based versions
File name File version File size Date Time Platform SP requirement Service branch
Azroles.dll 5.2.3790.3038 710,144 02-Nov-2007 05:38 IA-64 SP1 Not Applicable
Wazroles.dll 5.2.3790.3038 234,496 02-Nov-2007 05:38 x86 SP1 WOW
Windows Server 2003 with Service Pack 2, Itanium-based versions
File name File version File size Date Time Platform SP requirement Service branch
Azroles.dll 5.2.3790.4181 710,144 02-Nov-2007 05:40 IA-64 SP2 Not Applicable
Wazroles.dll 5.2.3790.4181 234,496 02-Nov-2007 05:40 x86 SP2 WOW
Windows Server 2003, x64-based versions
File name File version File size Date Time Platform SP requirement Service branch
Azroles.dll 5.2.3790.3038 419,840 02-Nov-2007 05:39 x64 SP1 Not Applicable
Wazroles.dll 5.2.3790.3038 234,496 02-Nov-2007 05:39 x86 SP1 WOW
Windows Server 2003 with Service Pack 2, x64-based versions
File name File version File size Date Time Platform SP requirement Service branch
Azroles.dll 5.2.3790.4181 419,840 02-Nov-2007 05:44 x64 SP2 Not Applicable
Wazroles.dll 5.2.3790.4181 234,496 02-Nov-2007 05:44 x86 SP2 WOW


WORKAROUND

To work around this problem, follow these steps:

  1. Create a local group in the domain where the Authorization Manager store resides.
  2. Add the user account from another domain to the local group.
  3. Assign the role to the local group.


STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates



Additional query words: AzMan

Keywords: kbexpertiseinter kbwinserv2003postsp2fix kbbug kbfix kbhotfixserver kbqfe KB943875