SMS: MMC Security Rights Do Not Work If User Belongs to More Than 64 Global Groups

ID: Q240155

The information in this article applies to:
  • Microsoft Systems Management Server version 2.0

SYMPTOMS

If a user is a member of more than 64 global groups, that user may be unable to gain access to the Microsoft Management Console (MMC) Systems Management Server (SMS) Administrator Console nodes using class permissions inherited from global group membership.


CAUSE

This behavior occurs because SMS Provider incorrectly enumerates the global groups of which the user is a member and may not get the global group to which the permissions are applied.


RESOLUTION

A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next Systems Management Server service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://www.microsoft.com/support/supportnet/overview/overview.asp
The English-language version of this fix should have the following file attributes or later: 

   Date      Time      Version      Size     File name    Platform
   ---------------------------------------------------------------
   9/22/99   6:33pm  2.0.1380.1042  469,952  Baseutil.dll i386
   9/22/99   6:33pm  2.0.1380.1042  721,168  Baseutil.dll Alpha
NOTE: Due to file dependencies, the most recent hotfix or feature that contains the above files may also contain additional files.



WORKAROUND

To work around this behavior, grant explicit class rights to user accounts instead of to global groups.


STATUS

Microsoft has confirmed this to be a problem in Systems Management Server version 2.0.


MORE INFORMATION

To install the hotfix, use the appropriate method on the Systems Management Server site server.

Method 1: Using the Hotfix Installer

NOTE: You can only use this method on I386-based computers.
  1. Copy the hotfix folder structure to a share on your network. Q241734.exe is a Microsoft Windows Installer file that updates specific files on your site server.


  2. Log on to your site server using an account with administrative privileges.


  3. On the site server, close the Systems Management Server Administrator console.


  4. Run Q240155.exe and follow the directions in the wizard. You can run the file in Quiet mode using the /s switch.


Method 2: Manual Installation

  1. Stop the Systems Management Server Site Component Manager, Systems Management Server Executive, and Windows Management services on the site server.


  2. Replace the Baseutil.dll file in the sms_root_directory\bin\platform folder with the version obtained from the hotfix.


  3. Restart the Systems Management Server Site Component Manager, Systems Management Server Executive, and Windows Management services.


Additional query words: prodsms global group permission

Keywords : kbSecurity kbSMS200 kbSMS200bug kbSMSAdmin
Version : winnt:2.0
Platform : winnt
Issue type : kbbug


Last Reviewed: November 18, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.