Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

You cannot add a domain local group as a group in the policy condition on a Windows Server 2003-based computer that is running the IAS service



Symptoms

When you add a Windows-Groups attribute as a policy condition of a remote access policy, you cannot add a domain local group as a group in the policy condition. This behavior occurs on a Microsoft Windows Server 2003-based computer that is running the Internet Authentication Service (IAS) service. In this situation, no domain local groups appear in the Search results list when you try to configure the policy condition, even though the domain local group exists in the Active Directory directory service.



Cause

This behavior occurs because the IAS service does not support using a domain local group as a remote access policy condition. The security identifier (SID) of a domain local group is valid only within the group's own domain, so IAS cannot evaluate it consistently throughout the forest.

Note On a Windows Server 2008-based computer that is running Network Policy Server (NPS), the successor to IAS, you can select a domain local group as a condition in a network policy.



Workaround

To work around this behavior, follow these steps.

Note Follow these steps only if the IAS server is a member server. A domain controller has no machine-local groups in its Security Accounts Manager (SAM) database, so the workaround does not apply there. The IAS server must also be a member of the same domain as the domain local group, because a domain local group is evaluated only for resources in its own domain.
  1. Create a local group in the SAM database on the IAS server.
  2. Add the domain local group as a member of the local group on the member server. Nesting a domain local group in a machine-local group is permitted.
  3. Configure the local group, instead of the domain local group, as the Windows-Groups condition of the remote access policy.
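The following PowerShell script carries out steps 1 and 2 of the workaround and verifies the result. It is an added example and is not part of KB936925; step 3 (selecting the local group in the Windows-Groups condition) is still done in the IAS MMC snap-in. The script assumes an elevated session on the IAS member server, that the domain's NetBIOS name is CONTOSO, that the domain local group is CONTOSO\DomainLocal-1 (the name used in the reproduction steps later in this article), and that the new local group is to be called IAS-RemoteAccess; all of these names are assumptions. It uses the WinNT ADSI provider, which is available on Windows Server 2003, so no Active Directory module is needed.

```powershell
# Added example, not from KB936925. Assumed names: domain CONTOSO, domain local group
# DomainLocal-1, new machine-local group IAS-RemoteAccess. Run elevated on the IAS server.
$DomainNetBios    = "CONTOSO"
$DomainLocalGroup = "DomainLocal-1"
$LocalGroupName   = "IAS-RemoteAccess"

# The workaround applies to a member server only: a domain controller has no machine-local
# SAM groups. Win32_ComputerSystem.DomainRole is 3 for a member server, 4 or 5 for a DC.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.DomainRole -ne 3) {
    throw "DomainRole is $($cs.DomainRole); this workaround is for a domain member server only."
}

# Step 1: create the local group in the SAM database through the WinNT ADSI provider.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
$existing = $computer.psbase.Children | Where-Object {
    $_.psbase.SchemaClassName -eq "group" -and $_.psbase.Name -eq $LocalGroupName
}
if ($existing) {
    $localGroup = $existing
} else {
    $localGroup = $computer.Create("Group", $LocalGroupName)
    $localGroup.SetInfo()
    $localGroup.Description = "Nests $DomainNetBios\$DomainLocalGroup for the IAS Windows-Groups condition"
    $localGroup.SetInfo()
}

# Step 2: make the domain local group a member of the new local group.
# Nesting a domain local group inside a machine-local group is allowed; the reverse is not.
$memberPath = "WinNT://$DomainNetBios/$DomainLocalGroup,group"
$alreadyMember = $localGroup.psbase.Invoke("Members") | Where-Object {
    $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null) -eq $memberPath
}
if (-not $alreadyMember) {
    $localGroup.psbase.Invoke("Add", $memberPath)
}

# Verify the nesting took effect by listing the local group's members by ADsPath.
$localGroup.psbase.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
}
```

After the script runs, the member list should contain WinNT://CONTOSO/DomainLocal-1; the same two steps can be done from a command prompt with `net localgroup IAS-RemoteAccess /add` followed by `net localgroup IAS-RemoteAccess CONTOSO\DomainLocal-1 /add`. The DomainRole check is deliberate: running this on a domain controller would either fail or create the group in the wrong place, and the IAS condition would then not match.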



More information

Steps to reproduce the behavior

  1. On a domain controller, create a domain local group. Name this group "DomainLocal-1."
  2. Start the IAS Microsoft Management Console (MMC) snap-in on an IAS server that is joined to the domain, and then click Remote Access Policies.
  3. In the details pane, right-click a remote access policy, and then click Properties.
  4. Click Add.
  5. In the Select Attribute dialog box, click Windows-Groups, and then click Add.
  6. In the Groups dialog box, click Add.
  7. Click Advanced, and then click Find Now.
Notice that DomainLocal-1 does not appear in the Search results list, although global and universal groups from the same domain do.



References

For more information about the network access policy in Windows Server 2008, visit the following Microsoft Web site:



Keywords: kbenv, kbtshoot, kbprb, KB936925


Article Info
Article ID : 936925
Revision : 5
Created on : 10/11/2007
Published on : 10/11/2007
Exists online : False
Views : 409