DOCUMENT:Q305332 08-MAY-2002 [sms] TITLE :SMS: Permissions Assigned to Domain Local Groups Do Not Work PRODUCT :Microsoft Systems Management Server PROD/VER::2.0 OPER/SYS: KEYWORDS:kbenv kbtool kbsms200 kbsms200preSP4fix ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Systems Management Server version 2.0 ------------------------------------------------------------------------------- SYMPTOMS ======== After you apply the post Systems Management Server 2.0 (SMS) Service Pack 3 (SP3) hotfix for Q266712 or SMS 2.0 Service Pack 4 (SP4) or later on your SMS 2.0 primary site, users of the SMS Administrator console may be unable to enumerate SMS objects such as collections. Prior to the application of the hotfix, users were able to inherit permissions that were assigned to domain local groups. CAUSE ===== The fix that is included with Q266712 contains a change in how a user's groups are enumerated by the SMS provider. Because of this change, using domain local groups to assign permissions is no longer possible on member servers. Note that domain local groups still work when the SMS provider resides on a domain controller (DC). WORKAROUND ========== To work around this issue, use any of the following methods individually: - Use domain global groups to grant access and assign permissions to SMS object classes and instances. - Use machine local groups to grant access and assign permissions to SMS object classes and instances. - Use individual user accounts to grant access and assign permissions to SMS object classes and instances. MORE INFORMATION ================ To experience the issue that is described in this article, the SMS provider (either on the SMS site server or SQL server) must be installed on a member server. For additional information about the fix that is included in Q266712, click the article number below to view the article in the Microsoft Knowledge Base: Q266712 Security Based on Global Groups Fails in Win 2000 Domains For additional information about troubleshooting general SMS Administrator console connectivity, click the article number below to view the article in the Microsoft Knowledge Base: Q201126 SMS: Troubleshooting Connectivity to the SMS Site Database For general information about SMS security, please view the following SMS Security Essentials Whitepaper: http://www.microsoft.com/smsmgmt/techdetails/secessentials.asp Additional query words: prodsms smssecurity smsprov ====================================================================== Keywords : kbenv kbtool kbsms200 kbsms200preSP4fix Technology : kbSMSSearch kbSMS200 Version : :2.0 Hardware : x86 Issue type : kbprb ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2002.