
The AuthzInitializeContextFromSid function returns the domain local group information from the root domain instead of from the child domain on a Windows Server 2003-based computer



Symptoms

Consider the following scenario:
  • You have a root domain that is called root.com and a child domain that is called child.root.com. The administrator of the root domain has been added to the Domain Administrators group on the child domain.
  • User A is a member of a domain local group in the child domain and of a domain local group in the root domain.
  • On a Windows Server 2003-based member server in the child domain, you call the AuthzInitializeContextFromSid function to query the group information for User A in the child domain.
  • The AuthzInitializeContextFromSid function runs in the context of the administrator of the root domain.
In this scenario, the AuthzInitializeContextFromSid function returns the domain local group information from the root domain instead of from the child domain.

Note: This issue does not occur in Microsoft Windows 2000.

Cause

Windows Server 2003 supports Service-for-User (S4U). A service uses S4U to obtain a Kerberos ticket to itself on behalf of a user. If the service is running in the root domain context, group expansion happens in the context of the root domain. Group expansion does not occur in the child domain even though the SID for which the group expansion occurs is from the child domain. Therefore, the function returns domain local group information from the root domain instead of from the child domain.

Workaround

To work around this issue, use one of the following methods.

Method 1

Do not use administrator credentials from the root domain to run the AuthzInitializeContextFromSid function to retrieve group information for users in child domains. Instead, use the administrator credentials from the child domain to run the function.

Method 2

Use global groups instead of domain local groups.

More information

For more information about the AuthzInitializeContextFromSid function, visit the following Microsoft Web site:

Keywords: kbnosurvey, kbarchive, kbexpertiseinter, kbtshoot, kbprb, KB950824

Article Info
Article ID : 950824
Revision : 1
Created on : 1/15/2015
Published on : 1/15/2015
Exists online : False