Article ID: 2018746 - Last Review: April 27, 2010 - Revision: 5.0

GetEffectiveRightsFromAcl has problems with Language Packs and Universal Groups


Symptoms

When you use the GetEffectiveRightsFromAcl API in your application, you may encounter the following problems:

  1. If users are members of various universal groups across multiple domains, the results of the call may be incorrect, or the call may take a long time and result in high processor utilization. You may also notice substantial network traffic.

  2. If the computers executing the application use Multilingual User Interface (MUI) (on Windows XP or Windows Server 2003), or have language packs installed (on Windows Vista and newer versions of Windows), and the user language differs from the system language, calls to the API may fail with return code 1355, which corresponds to the error "The specified domain either does not exist or could not be contacted."

Cause

The API was introduced in Windows NT 4.0 to help transition those who have used similar facilities in Novell NetWare. This API, however, was not revised for new features affecting the execution of the API in later versions of the operating system. The problems listed above are caused by:

  1. The API uses Windows NT 4.0-style system calls to retrieve information about the groups the user is a member of. These calls do not support universal groups properly and may use global groups in the user's domain instead of the correct universal groups, which produces incorrect results. The same problem can also create apparent group membership loops where none exist. The API does terminate such loops, but only after significant processor use and domain controller communication.

  2. The API uses resource strings to identify generic accounts from the "BUILTIN" and "NT AUTHORITY" domains. When the user language and the system language do not match, the API may try to find actual domains on the network by those names (or their localized counterparts). These domains are not found, and error 1355 is returned.
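
To illustrate cause 1, the following added example (not part of the original article, and not Windows or Microsoft code) is a simplified model of how a DACL is evaluated against a set of SIDs, showing how substituting a global group for the correct universal group changes the computed effective rights. The SIDs, the DACL and all function names are constructed for the illustration; the model ignores ownership, privileges, inheritance flags and generic-right mapping.

```python
from dataclasses import dataclass

# Access-mask bits (values from winnt.h).
RIGHTS = {"FILE_READ_DATA": 0x0001, "FILE_WRITE_DATA": 0x0002, "DELETE": 0x00010000}

@dataclass(frozen=True)
class Ace:
    allow: bool   # True: access-allowed ACE, False: access-denied ACE
    sid: str      # trustee SID
    mask: int     # access-mask bits the ACE covers

def effective_rights(sids, dacl):
    """Maximum-allowed evaluation: walk the ACEs in order; a bit that has
    already been granted or denied is not changed by a later ACE."""
    granted = denied = 0
    for ace in dacl:
        if ace.sid not in sids:
            continue
        if ace.allow:
            granted |= ace.mask & ~denied
        else:
            denied |= ace.mask & ~granted
    return granted

def names(mask):
    return sorted(n for n, bit in RIGHTS.items() if mask & bit)

# Constructed SIDs: user's domain is ...-1111, the other domain is ...-2222.
USER = "S-1-5-21-1111-1111-1111-1105"
DOMAIN_USERS = "S-1-5-21-1111-1111-1111-513"
UNIVERSAL_GRP = "S-1-5-21-2222-2222-2222-1201"  # universal group, other domain
GLOBAL_GRP = "S-1-5-21-1111-1111-1111-1201"     # global group, user's domain

# Constructed DACL in canonical order (deny ACEs first).
DACL = [
    Ace(False, UNIVERSAL_GRP, RIGHTS["FILE_WRITE_DATA"] | RIGHTS["DELETE"]),
    Ace(True, DOMAIN_USERS, RIGHTS["FILE_READ_DATA"] | RIGHTS["FILE_WRITE_DATA"]),
    Ace(True, GLOBAL_GRP, RIGHTS["DELETE"]),
]
CORRECT_SIDS = {USER, DOMAIN_USERS, UNIVERSAL_GRP}   # actual membership
MISRESOLVED_SIDS = {USER, DOMAIN_USERS, GLOBAL_GRP}  # global group substituted

def over_reported(correct_sids, reported_sids, dacl):
    """Rights that the mis-resolved membership reports but the user lacks."""
    extra = effective_rights(reported_sids, dacl) & ~effective_rights(correct_sids, dacl)
    return names(extra)

if __name__ == "__main__":
    print("correct      :", names(effective_rights(CORRECT_SIDS, DACL)))
    print("mis-resolved :", names(effective_rights(MISRESOLVED_SIDS, DACL)))
    print("over-reported:", over_reported(CORRECT_SIDS, MISRESOLVED_SIDS, DACL))
```

In this constructed case the deny ACE on the universal group is never matched, so a permission report built on the mis-resolved membership shows write and delete rights the user does not hold.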

Resolution

Microsoft plans to phase out this API, because a better approach is available using AuthZ APIs.

More Information

The MSDN documentation for GetEffectiveRightsFromAcl now carries a warning and refers to better approaches for retrieving effective permissions using AuthZ APIs:

GetEffectiveRightsFromAcl Function
http://msdn.microsoft.com/en-us/library/aa446637(VS.85).aspx

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use (http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.

APPLIES TO
  • Microsoft Windows XP Professional
  • Windows Vista Business
  • Windows Vista Enterprise
  • Windows Vista Ultimate
  • Windows 7 Professional
  • Windows 7 Enterprise
  • Windows 7 Ultimate
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Windows Server 2008 Standard
  • Windows Server 2008 Enterprise
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 R2 Enterprise
Keywords: KB2018746