Resource Access Issues in Windows NT 3.51 in Windows 2000 Domain

ID: Q222523


The information in this article applies to:
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows NT Server version 3.51


SYMPTOMS

Access to server resources protected by ACEs that reference a Universal group, or the former (pre-move) SID of a user or group moved from another domain, is denied when it should be allowed, or allowed when it should be denied, whenever a Windows NT 3.51 workstation or server is involved in the access check.


CAUSE

Windows 2000 includes two new capabilities that are not supported by Windows NT 3.51 workstations and servers:

  • Universal groups


  • Domain consolidation by moving accounts between domains (which records the account's former SID in SIDHistory)

A Windows NT 3.51 access token carries only SIDs from the user's account domain, so ACEs that reference Universal groups defined in other domains, or the former SIDs of moved accounts, are never evaluated.



RESOLUTION

To avoid these problem cases, upgrade your Windows NT 3.51 workstations and servers to at least Windows NT 4.0.


STATUS

Microsoft has confirmed this to be a problem in Windows 2000.


MORE INFORMATION

When a user is a member of a Universal group and logs onto a Windows NT 3.51 workstation and tries to access a network resource protected by an access control entry (ACE) referencing that Universal group, the entry (which could be a GRANT or DENY ACE) will not be considered during the access check. Likewise, if a user's account or groups have been moved from another domain, and the user logs onto a Windows NT 3.51 workstation, the user may be improperly granted or denied access to network resources whose ACEs reference the old (pre-move) user or group accounts.

A similar situation occurs when a user whose account or groups have been moved, or who belongs to a Universal group, tries to access a Windows NT 3.51 server protected by ACEs referencing the old user or group accounts, or the Universal group. Because these ACEs are not considered during access checking, the user may be improperly granted or denied access to the Windows NT 3.51 server.

These inconsistencies result from the fact that Windows NT 3.51 access tokens do not support:

  • SIDs of Universal groups defined outside of the user's account domain
  • SIDHistory values (that is, SIDs of former domain accounts) of users and groups that have been moved from another domain

A Windows NT 3.51 access token only contains SIDs from the user's account domain. SIDs from other domains, namely SIDs of Universal groups defined in other domains and the SIDHistory of moved accounts, do not appear in the token of a user logging onto a Windows NT 3.51 workstation. Because the access check skips every ACE whose SID is absent from the token, a skipped DENY ACE can result in unauthorized access to resources, and a skipped GRANT ACE can result in denial of access that should have been allowed.
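The following is an added example that is not part of this article and is not Microsoft code. It models the access check described above: a token is the set of SIDs a client places in it, a DACL is an ordered list of ACEs, and an ACE whose SID is absent from the token is skipped. Two token builders contrast a Windows 2000 client (Universal group SIDs and SIDHistory included) with a Windows NT 3.51 client (only SIDs from the user's account domain), and the constructed scenario reproduces both failure modes: a DENY ACE on a Universal group that the NT 3.51 client bypasses, and a GRANT ACE on a pre-move SID that the NT 3.51 client never sees. All domains, SIDs, users, groups and access-mask bits are made up for illustration.

```python
"""Model of the access check described above (added example, not Microsoft code).
Every SID, domain, user, group and access-mask value here is constructed."""
from dataclasses import dataclass

READ = 0x1    # illustrative access-mask bits, not the real FILE_* constants
WRITE = 0x2


@dataclass(frozen=True)
class Ace:
    kind: str   # "ALLOW" (GRANT) or "DENY"
    sid: str    # SID the ACE references: user, group, or a former SID
    mask: int   # rights this ACE grants or denies


@dataclass(frozen=True)
class Group:
    sid: str
    domain_sid: str          # domain the group is defined in
    sid_history: tuple = ()  # former SIDs if the group was moved


@dataclass(frozen=True)
class Account:
    sid: str
    domain_sid: str          # the user's current account domain
    sid_history: tuple       # former SIDs if the account was moved
    groups: tuple            # Group objects the user belongs to


def build_token_w2k(acct):
    """Windows 2000 token: current SID plus SIDHistory for the user and every
    group, regardless of which domain defines the group."""
    sids = {acct.sid, *acct.sid_history}
    for g in acct.groups:
        sids.add(g.sid)
        sids.update(g.sid_history)
    return sids


def build_token_nt351(acct):
    """Windows NT 3.51 token as the article describes it: only SIDs from the
    user's account domain; no SIDHistory, no groups defined in other domains."""
    sids = {acct.sid}
    for g in acct.groups:
        if g.domain_sid == acct.domain_sid:
            sids.add(g.sid)
    return sids


def access_check(token, dacl, desired):
    """Discretionary access check: walk the DACL in order, skipping ACEs whose
    SID is not in the token.  A DENY ACE covering any still-wanted right refuses
    access; ALLOW ACEs strip rights from the wanted set until none remain."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token:
            continue                      # the omission the article describes
        if ace.kind == "DENY" and ace.mask & remaining:
            return False
        if ace.kind == "ALLOW":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def ignored_aces(token, dacl):
    """ACEs a given token never evaluates; handy for auditing a DACL for
    entries that an NT 3.51 client will silently bypass."""
    return [ace for ace in dacl if ace.sid not in token]


def compare_clients(acct, dacl, desired):
    """(result for a Windows 2000 client, result for an NT 3.51 client)."""
    return (access_check(build_token_w2k(acct), dacl, desired),
            access_check(build_token_nt351(acct), dacl, desired))


# Constructed scenario: alice was moved from domain B into domain A, belongs to
# the global group Finance (domain A) and the Universal group Contractors
# (defined in domain C).
DOM_A, DOM_B, DOM_C = "S-1-5-21-1000", "S-1-5-21-2000", "S-1-5-21-3000"
FINANCE = Group(sid=DOM_A + "-1201", domain_sid=DOM_A)
CONTRACTORS = Group(sid=DOM_C + "-1300", domain_sid=DOM_C)
ALICE = Account(sid=DOM_A + "-1105", domain_sid=DOM_A,
                sid_history=(DOM_B + "-1042",),
                groups=(FINANCE, CONTRACTORS))

# Share 1: contractors are explicitly denied write; finance may read and write.
SHARE1 = [Ace("DENY", CONTRACTORS.sid, WRITE),
          Ace("ALLOW", FINANCE.sid, READ | WRITE)]
# Share 2: an ACL never updated after the move still names alice's old SID.
SHARE2 = [Ace("ALLOW", DOM_B + "-1042", READ)]

if __name__ == "__main__":
    print("share1 WRITE (w2k, nt351):", compare_clients(ALICE, SHARE1, WRITE))
    print("share2 READ  (w2k, nt351):", compare_clients(ALICE, SHARE2, READ))
    print("ACEs an NT 3.51 client ignores on share1:",
          ignored_aces(build_token_nt351(ALICE), SHARE1))
```

For share 1 the Windows 2000 client is refused WRITE by the DENY ACE while the NT 3.51 client, whose token lacks the Universal group SID, walks straight past it to the Finance GRANT ACE (unauthorized access); for share 2 only the Windows 2000 client, which carries the old SID in SIDHistory, is granted READ (improper denial for NT 3.51). Running ignored_aces against an NT 3.51-style token is a quick way to find DENY entries that such clients will never honour.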

Additional query words:

Keywords : kbenv ntsecurity
Version : WINDOWS:2000; winnt:3.51
Platform : WINDOWS winnt
Issue type : kbprb


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.