Article ID: 266712 - Last Review: October 27, 2006 - Revision: 3.1
SMS: Security Based on Global Groups Fails in Windows 2000 Domains
This article was previously published under Q266712
SYMPTOMS
After granting Windows 2000 global groups permission within the Systems Management Server Administrator console, users of these groups may not inherit class or instance rights that are defined for the group. Users will be able to connect and see the various nodes (such as collections), but will not be able to view any objects (such as All Systems). At the same time, users who are explicitly defined within Systems Management Server security, who do not rely on groups for access, inherit permissions as expected.
NOTE: This may occur in either Windows 2000 Mixed or Native Mode domains.
NOTE: No errors are being generated, not even in the SMSProv log.
CAUSE
The problem occurs when the SMS Provider uses an anonymous connection to retrieve the logged-on user's group membership from the PDC emulator. There are currently three known scenarios in which this problem occurs:
WORKAROUND
To resolve this problem, obtain the latest service pack for Systems Management Server version 2.0. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
288239 (http://support.microsoft.com/kb/288239/EN-US/) SMS: How to Obtain the Latest Systems Management Server 2.0 Service Pack
MORE INFORMATION
The Systems Management Server Provider makes an anonymous connection to a domain controller in the domain to determine a user's group membership. By default, Windows 2000 permits all authenticated users and members of the Pre-Windows 2000 Compatible Access group to view group membership. Because the Everyone group is a member of the Pre-Windows 2000 Compatible Access group by default, anonymous access can be used to retrieve group membership.
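The following is an added example, not part of the original article or of SMS: a small Python audit helper that reads the member list of the Pre-Windows 2000 Compatible Access group and reports whether Everyone is present, which is the condition the paragraph above gives for anonymous retrieval of group membership. The input layout is assumed to follow the output of `net localgroup "Pre-Windows 2000 Compatible Access"` on a domain controller, and both sample outputs are constructed.

```python
"""Added example: does the group's membership permit the anonymous lookup?"""

# Constructed sample output, modelled on `net localgroup "<group>"` run on a
# domain controller. Not captured from a real system.
SAMPLE_DEFAULT = """\
Alias name     Pre-Windows 2000 Compatible Access
Comment        A backward compatibility group

Members

-------------------------------------------------------------------------------
Everyone
The command completed successfully.
"""

# Constructed: Everyone has been replaced by Authenticated Users.
SAMPLE_RESTRICTED = """\
Alias name     Pre-Windows 2000 Compatible Access
Comment        A backward compatibility group

Members

-------------------------------------------------------------------------------
NT AUTHORITY\\Authenticated Users
The command completed successfully.
"""


def parse_members(output):
    """Return the member names listed after the dashed separator line."""
    members, in_list = [], False
    for line in output.splitlines():
        text = line.strip()
        if not in_list:
            # The member list starts after a line made only of dashes.
            in_list = set(text) == {"-"}
            continue
        if not text or text.lower().startswith("the command completed"):
            continue
        members.append(text)
    return members


def anonymous_lookup_allowed(output):
    """True if Everyone is a member (the article's condition for anonymous reads)."""
    names = {m.split("\\")[-1].lower() for m in parse_members(output)}
    return "everyone" in names


if __name__ == "__main__":
    for label, out in (("default", SAMPLE_DEFAULT), ("restricted", SAMPLE_RESTRICTED)):
        print(label, parse_members(out), "anonymous lookup allowed:", anonymous_lookup_allowed(out))
```

A result of `False` means the SMS Provider's anonymous connection cannot rely on this group to read membership, which matches the silent failure described under SYMPTOMS.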
