Domain local group from foreign domain can be added using "net localgroup" and GC search

Article ID: 959078
Source: Microsoft Support

RAPID PUBLISHING

RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED TO SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.

Symptom



On a Windows Vista domain member, "net localgroup" allows adding a domain local group from a trusted domain.

The membership is recorded, but it never takes effect, because the group's SID does not appear in the access token of a user or computer connecting to the machine.

The GUI allows adding the group only when the search is focused on the global catalog (GC).

The same behavior happens on Windows XP, Windows 2003, and Windows 2008.

Cause



The admin tools do not completely enforce the rules of the operating system security infrastructure.

NET.EXE is probably not programmed to distinguish between the group types.

The object picker does not look at the group type when searching through the GC. When the group is selected, it does not check the location of the group or its flags.

Resolution



There is no resolution. Administrators need to be aware of the group evaluation rules and that these foreign domain local groups are pointless on domain members.
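
Because the tools do not check a group's location and scope, an administrator can check them after the fact. The following audit script is an added example, not Microsoft's code or part of this article: it lists local group members that are domain local groups from a domain other than the computer's own, which are the memberships that never contribute a SID to the access token. It assumes Windows PowerShell 5.1 (for the LocalAccounts cmdlets) and the RSAT ActiveDirectory module, so it targets newer systems than those listed under "Applies to".

```powershell
# Added audit example; not part of the KB article.
# Assumes Windows PowerShell 5.1 (LocalAccounts module) and the RSAT
# ActiveDirectory module, run on a domain member.
Import-Module ActiveDirectory

# SID of the domain this computer is joined to.
$machineDomain    = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
$machineDomainSid = (Get-ADDomain -Server $machineDomain).DomainSID.Value

$findings = foreach ($localGroup in Get-LocalGroup) {
    foreach ($member in Get-LocalGroupMember -Group $localGroup) {
        if ($member.ObjectClass -ne 'Group') { continue }

        # Well-known and BUILTIN SIDs have no account domain; skip them.
        $memberDomainSid = $member.SID.AccountDomainSid
        if ($null -eq $memberDomainSid) { continue }

        # Groups from the machine's own domain follow the normal rules.
        if ($memberDomainSid.Value -eq $machineDomainSid) { continue }

        # Foreign group: ask its own domain for the scope (location + flags).
        $foreignDomain = ($member.Name -split '\\', 2)[0]
        try {
            $adGroup = Get-ADGroup -Identity $member.SID -Server $foreignDomain -ErrorAction Stop
        } catch {
            Write-Warning "Could not look up $($member.Name): $($_.Exception.Message)"
            continue
        }

        # A domain local group is only evaluated inside its own domain.
        if ($adGroup.GroupScope -eq 'DomainLocal') {
            [pscustomobject]@{
                LocalGroup   = $localGroup.Name
                ForeignGroup = $member.Name
                GroupSid     = $member.SID.Value
                Scope        = $adGroup.GroupScope
            }
        }
    }
}

$findings | Format-Table -AutoSize
```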

DISCLAIMER

MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE “MATERIALS”) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.

Properties

Article ID: 959078 - Last Review: October 20, 2008 - Revision: 1.0
APPLIES TO
  • Windows Vista Ultimate
  • Windows Vista Enterprise
  • Windows Vista Business N 64-bit Edition
  • Windows Vista Business 64-bit Edition
  • Windows Vista Business
  • Windows Vista Ultimate 64-bit Edition
  • Windows Server 2008 Standard
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Datacenter
Keywords: 
kbnomt kbrapidpub KB959078
