With IgnoreDomain=1 Option, ACL Can Be Matched to Wrong Account

Last reviewed: February 27, 1998
Article ID: Q181812
The information in this article applies to:
  • Microsoft Commercial Internet System version 1.0 SP1 - Microsoft Content Replication System
  • Microsoft Site Server version 2.0 SP1 - Microsoft Content Replication System

SYMPTOMS

If you use the IgnoreDomain=1 option and the same account name exists in more than one domain, access control list (ACL) entries can be matched to the wrong account. If you use the IgnoreDomain=0 option, all user-created local accounts are lost; only the built-in accounts are preserved. The built-in accounts are: Administrators, Backup Operators, Everyone, Guests, Interactive, Network, Power Users, Replicator, Users. Of these, the built-in (system) local groups are: Administrators, Backup Operators, Guests, Power Users, Replicator, Users. The Authenticated Users account, which was added in Windows NT 4.0 SP3, is treated as a local account rather than as a well-known account, and is therefore also dropped when IgnoreDomain=0.

CAUSE

The Content Replication System (CRS) maps ACL entries in one of two ways, according to the IgnoreDomain flag:

IgnoreDomain=1

Well-known accounts, built-in local groups, and user-created local accounts are correctly mapped to the SID of the corresponding account on the end-point computer. Domain accounts are mapped to the first domain that has an account with that name: the LookupAccountName request is passed on to remote domains if the account name is not found in the local domain, so the domain part of the name is not used to choose the account. Accounts that are not matched are dropped.

IgnoreDomain=0 on Target and Source

Well-known accounts and built-in local groups are correctly mapped to the SID of the well-known account on the end-point computer. User-created local accounts are dropped. Domain accounts are mapped exactly, preserving the domain name: the LookupAccountName request returns a SID only if the account exists in the named domain. Accounts that are not matched are dropped.

WORKAROUND

To work around this problem, choose the IgnoreDomain setting to match the kinds of accounts that appear in the ACLs you replicate: assign user-created local accounts to files and folders only when IgnoreDomain=1, and assign domain accounts only when IgnoreDomain=0, which preserves the domain name. Note that with IgnoreDomain=1 a domain account still resolves to the first domain that has an account with that name, so do not rely on that setting for domain accounts when the same account name exists in more than one domain.

RESOLUTION

If this behavior is a serious problem, then apply the fix described below. The new algorithm for IgnoreDomain=0 in the fix is to strip the domain name if it is equal to the machine name. This will cause local accounts on the start-point server to map to local accounts on the end-point server. If the account does not map to a local account, then it will be dropped.
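The following Python model illustrates the two mapping rules from the CAUSE section and the changed IgnoreDomain=0 rule from the fix. It is an added example for this article, not CRS code: the domains (DOMA, DOMB), computer names (WEB1, WEB2), account names and SID strings are all constructed, and the model assumes that the fix compares the domain part of an ACE name against the start-point computer name, where the ACE was captured (the article does not say at which end the comparison happens).

```python
"""Model of the two CRS ACL-mapping rules described above and of the fix.

Added illustration for this article; it is not CRS code.  Every domain,
computer name, account and SID below is constructed for the example.
"""
from typing import Dict, Optional

# Constructed domains, in the order the end point searches them: its own
# domain (DOMB) first, then remote domains.  "webdev" exists in both, which
# is the condition under which IgnoreDomain=1 picks the wrong account.
DOMAINS: Dict[str, Dict[str, str]] = {
    "DOMB": {"webdev": "S-1-5-21-200-2001"},
    "DOMA": {"webdev": "S-1-5-21-100-1001", "svc-crs": "S-1-5-21-100-1002"},
}

# Well-known accounts and built-in local groups have the same SID on every
# NT computer, so they map on the end point regardless of the domain prefix.
WELL_KNOWN = {"Everyone": "S-1-1-0", "Network": "S-1-5-2", "Interactive": "S-1-5-4"}
BUILTIN_GROUPS = {"Administrators": "S-1-5-32-544", "Users": "S-1-5-32-545"}

START_POINT = "WEB1"   # computer whose ACLs are being replicated
END_POINT = "WEB2"     # computer receiving them
# User-created local accounts on the end point (machine-specific SIDs).
END_POINT_LOCAL = {"ftpuser": "S-1-5-21-999-1001"}


def split_entry(entry: str):
    """'DOMA\\webdev' -> ('DOMA', 'webdev'); 'Everyone' -> ('', 'Everyone')."""
    domain, _, name = entry.rpartition("\\")
    return domain, name


def map_ace(entry: str, ignore_domain: bool, fixed: bool = False) -> Optional[str]:
    """Return the SID this ACE name resolves to on the end point, or None if
    the entry is dropped.  ignore_domain models IgnoreDomain=1 vs =0; fixed
    models the changed IgnoreDomain=0 algorithm from the RESOLUTION section."""
    domain, name = split_entry(entry)

    # Both modes map well-known accounts and built-in local groups by name.
    if name in WELL_KNOWN:
        return WELL_KNOWN[name]
    if name in BUILTIN_GROUPS:
        return BUILTIN_GROUPS[name]

    if ignore_domain:
        # IgnoreDomain=1: the domain prefix is disregarded.  Local accounts
        # map to the end point's local SAM; anything else goes to the first
        # domain that has an account with that name.
        if name in END_POINT_LOCAL:
            return END_POINT_LOCAL[name]
        for accounts in DOMAINS.values():
            if name in accounts:
                return accounts[name]
        return None

    # IgnoreDomain=0: the domain must match exactly, so a user-created local
    # account carried as START_POINT\name finds no such domain and is dropped.
    if fixed and domain == START_POINT:
        # Fix: a domain equal to the machine name is stripped and the name is
        # resolved as a local account on the end point.  (Assumption of this
        # model: the comparison is against the start-point name, where the
        # ACE was captured; the article does not say which end performs it.)
        return END_POINT_LOCAL.get(name)
    return DOMAINS.get(domain, {}).get(name)


def map_acl(entries, ignore_domain: bool, fixed: bool = False) -> Dict[str, Optional[str]]:
    """Map every ACE name in an ACL; None marks an entry CRS would drop."""
    return {e: map_ace(e, ignore_domain, fixed) for e in entries}


if __name__ == "__main__":
    # Constructed ACL as captured on WEB1.
    acl = [r"DOMA\webdev", r"DOMA\svc-crs", r"WEB1\ftpuser",
           r"WEB1\Administrators", "Everyone"]
    for label, kw in (("IgnoreDomain=1", dict(ignore_domain=True)),
                      ("IgnoreDomain=0", dict(ignore_domain=False)),
                      ("IgnoreDomain=0 with fix", dict(ignore_domain=False, fixed=True))):
        print(label)
        for entry, sid in map_acl(acl, **kw).items():
            print(f"  {entry:22} -> {sid or 'DROPPED'}")
```

Running the model shows the three behaviours side by side. With IgnoreDomain=1, DOMA\webdev resolves to DOMB's webdev because DOMB is searched first and the name exists there, which is the wrong principal; DOMA\svc-crs resolves correctly only because that name is unique. With IgnoreDomain=0, DOMA\webdev is mapped exactly but WEB1\ftpuser is dropped, since no domain named WEB1 exists. With the fixed IgnoreDomain=0 rule, WEB1\ftpuser maps to the end point's local ftpuser while the domain accounts keep their exact mapping.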

STATUS

Microsoft has confirmed this to be a problem in Microsoft Commercial Internet System version 1.0 SP1 and Microsoft Site Server 2.0 SP1. A supported fix is now available, but it has not been fully regression-tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. Contact Microsoft Technical Support for more information.


Additional query words: replicate MCIS
Keywords : kbbug2.00 ciscrs kbbug1.00
Version : WINNT:2.0
Platform : winnt
Hardware : ALPHA PPC x86
Issue type : kbbug
Solution Type : kbpending


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

© 1998 Microsoft Corporation. All rights reserved. Terms of Use.