Replicating ACLs with Extended Attributes Using Content Deployment in Active Directory Environment

ID: Q244616

This article discusses a Beta release of a Microsoft product. The information in this article is provided as-is and is subject to change without notice.

No formal product support is available from Microsoft for this Beta product. For information about obtaining support for a Beta release, please see the documentation included with the Beta product files, or check the Web location from which you downloaded the release.
The information in this article applies to:
  • Microsoft Site Server version 3.0


SYMPTOMS

One of the following two symptoms may occur, depending on the domain environment:

  • If the two servers are members of Windows NT 4.0-style domains, you receive the following error message when you try to view the ACL on a computer running Windows NT 4.0:
    The security information for %path% is not standard and cannot be displayed. Windows NT 3.x and 4.x support certain features such as DenyAccess Control Entries but cannot edit security information which uses these features. The information may have been modified by a computer running Windows NT 5.0, which supports these features and can edit information which uses them.

    Do you want to overwrite the current security information?


  • If neither computer is a member of an Active Directory domain, ACL replications between Windows NT 4.0 and Windows 2000 may fail with the following error in the Windows NT Application event log:
    15179: Could not set ACLs appropriately on file %path%, setting default ACLs on this file.
    On the destination, the ACL has been set to Administrators/Full Control.



CAUSE

When Content Deployment is unable to resolve a user name with a No Access attribute, it sets the Default ACL of Administrator/Full Control. This is to avoid a possible security violation in the event that an unresolved user with a Deny Access ACE is a member of a resolved group with access.

Windows 2000 offers a new, more granular level of Access Control Entries than those available in Windows NT 4.0. In a Windows NT 4.0 domain, the ACL replication completes without error. In an Active Directory-enabled domain, Windows NT 4.0 is unable to resolve these new attributes. Therefore, it takes the safest route and assumes they are No Access ACEs.
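
The following is an added example, not Content Deployment code: a small Python model of the fail-safe decision described in the first paragraph of this section, next to the unsafe alternative of silently dropping an unresolved Deny ACE. The account names, the function names, the simplified "deny always wins" access check, and the handling of unresolved allow ACEs are assumptions made for illustration.

```python
from dataclasses import dataclass

ALLOW, DENY = "allow", "deny"
EVENT_DEFAULT_ACL = 15179  # event ID quoted in SYMPTOMS


@dataclass(frozen=True)
class Ace:
    trustee: str  # account or group name (constructed sample names below)
    kind: str     # ALLOW or DENY


DEFAULT_ACL = (Ace("Administrators", ALLOW),)  # Administrators/Full Control


def has_access(user, groups, acl):
    """Simplified check: any matching deny ACE overrides every allow ACE."""
    principals = {user, *groups}
    if any(a.kind == DENY and a.trustee in principals for a in acl):
        return False
    return any(a.kind == ALLOW and a.trustee in principals for a in acl)


def replicate_dropping_unresolved(src_acl, resolvable):
    """Unsafe alternative: silently skip every ACE whose trustee is unknown."""
    return tuple(a for a in src_acl if a.trustee in resolvable)


def replicate_fail_safe(src_acl, resolvable):
    """Model of the CAUSE text: an unresolved deny ACE forces the default ACL.

    Returns (acl, event_id). Assumption: unresolved allow ACEs are skipped;
    the article does not say how they are handled.
    """
    if any(a.kind == DENY and a.trustee not in resolvable for a in src_acl):
        return DEFAULT_ACL, EVENT_DEFAULT_ACL
    return tuple(a for a in src_acl if a.trustee in resolvable), None


# Constructed sample: jsmith is denied by name but allowed through Staff.
SOURCE_ACL = (Ace("jsmith", DENY), Ace("Staff", ALLOW))
DEST_RESOLVABLE = {"Staff", "Administrators"}  # "jsmith" does not resolve

if __name__ == "__main__":
    unsafe = replicate_dropping_unresolved(SOURCE_ACL, DEST_RESOLVABLE)
    safe, event = replicate_fail_safe(SOURCE_ACL, DEST_RESOLVABLE)
    print("ACE dropped :", has_access("jsmith", ["Staff"], unsafe))
    print("fail-safe   :", has_access("jsmith", ["Staff"], safe), event)
```

In the model, dropping the unresolved Deny ACE leaves the user with access through the group, while the fail-safe path locks the file down to Administrators and returns the 15179 event.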


RESOLUTION

Windows NT 4.0 Service Pack 4 (SP4) offers a new Security Configuration Manager (SCM) that enables the extended attributes on computers running Windows NT 4.0. Install the SCM on all computers running Windows NT 4.0 en route to any computer that is using extended attributes. The SCM is a separate install that must be run in addition to the SP4 Update.exe program.


MORE INFORMATION

For additional information on Windows NT 4.0 Service Pack 4 (SP4), click the article number below to view the article in the Microsoft Knowledge Base:

Q152734 How to Obtain the Latest Windows NT 4.0 Service Pack


REFERENCES

Q195509 Installing SCM from SP4 Changes Windows NT 4.0 ACL Editor

Keywords : kbWinOS2000
Version : winnt:3.0
Platform : winnt
Issue type : kbprb


Last Reviewed: November 5, 1999
© 2000 Microsoft Corporation. All rights reserved.