ISecurityCallContext::IsUserInRole Does Not Work If Domain Global Groups Are Members of the Specified Role (286769)
The information in this article applies to:
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Professional SP1
This article was previously published under Q286769 SYMPTOMS
ISecurityCallContext::IsUserInRole may return FALSE instead of TRUE if the User ID that is being checked is in a domain global group, and that global group is a member of the specified role. If any global groups are members of the specified role, IsUserInRole returns FALSE, even if the specified User ID is a member along with the global groups. This problem occurs on computers that are joined to a domain; this problem does not occur on a domain controller.
CAUSE
This problem occurs because of a limitation in the Win32 application programming interface (API) GetEffectiveRightsFromAcl. This API returns error 1355 if the access control list (ACL) (which is specified in the first parameter in this function) contains an access control entry (ACE) that specifies a domain global group security identifier (SID).
RESOLUTIONTo resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the
Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
The English version of this fix should have the following file attributes or later:
Date Time Version Size File name
-----------------------------------------------------------
02/20/2001 12:51p 5.0.2195.2564 101,136 Ntmarta.dll
STATUSMicrosoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 2.
| Modification Type: | Minor | Last Reviewed: | 9/26/2005 |
|---|
| Keywords: | kbHotfixServer kbQFE kbACL kbbug kbfix kbWin2000PreSP2Fix KB286769 |
|---|
|