Hi again, I did some research on S-1-1-0. Microsoft reserves this and by their documentation you cannot change whether an individual user is considered a member of this group or not. The only change they mention to the behavior of this is that prior to Windows XP SP2, anonymous users were considered to have S-1-1-0, while after Windows XP SP2, they were not. It is possible that there is a global configuration setting for S-1-1-0 group affinity for ALL users, but I haven't found any solid indication of that, either.
Karl

On Wed, May 4, 2011 at 11:26 AM, Karl Wright <daddy...@gmail.com> wrote:
> Hi Kadri,
>
> Shinichiro Abe has been using the Active Directory authority connector
> actively and successfully recently. I've asked him to verify the
> change that I proposed for detecting the user-not-found condition more
> reliably. I am still waiting for his response.
>
> The code would not be adding the S-1-1-0 group if it was being
> returned by Active Directory, but in my tests (now more than a year
> ago) on Windows Server 2000 and Windows Server 2003, it never did get
> returned. And yet it was critically important, which is why I had no
> choice but to add it manually.
>
> Since it is a well-known group with a standard definition, there
> should be no concern that there would be a conflict. The only
> potential issue could be that not all users have S-1-1-0. I'd love to
> see any indication that this can ever be the case. If so, there must
> be a way to detect this detail through LDAP, which we'd have to learn
> somehow.
>
> Karl
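An added example, not code from the thread or from the authority connector, of what the two messages describe: building a user's effective SID set from the group SIDs a directory lookup returned, adding the well-known Everyone SID (S-1-1-0) that the directory does not emit, and honouring the pre/post Windows XP SP2 rule for anonymous users. The SIDs S-1-5-7 (Anonymous Logon) and S-1-5-11 (Authenticated Users) and the ACL check are assumptions added here beyond what the thread states.

```python
import re

# Well-known SIDs. Only S-1-1-0 is discussed in the thread; the other two
# are assumptions about standard Windows well-known SIDs.
EVERYONE = "S-1-1-0"            # Everyone
AUTHENTICATED_USERS = "S-1-5-11"  # Authenticated Users (assumed)
ANONYMOUS_LOGON = "S-1-5-7"       # Anonymous Logon (assumed)

# Syntactic check for a SID string: "S-1-<authority>-<rid>[-<rid>...]".
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


def is_valid_sid(sid: str) -> bool:
    return bool(SID_RE.match(sid))


def effective_sids(user_sid: str, directory_group_sids, pre_xp_sp2: bool = False):
    """Return the sorted list of SIDs the user's token is treated as holding.

    directory_group_sids: the group SIDs the directory returned (these never
    include S-1-1-0 in practice, so the implied well-known SIDs are added).
    pre_xp_sp2: before Windows XP SP2, anonymous users were also in Everyone.
    """
    for sid in (user_sid, *directory_group_sids):
        if not is_valid_sid(sid):
            raise ValueError(f"malformed SID: {sid!r}")
    sids = {user_sid, *directory_group_sids}
    if user_sid == ANONYMOUS_LOGON:
        if pre_xp_sp2:
            sids.add(EVERYONE)  # old behaviour only
    else:
        sids.add(EVERYONE)
        sids.add(AUTHENTICATED_USERS)
    return sorted(sids)


def is_authorized(allow_sids, deny_sids, user_sids) -> bool:
    """Simple ACL evaluation: any matching deny entry wins, otherwise any
    matching allow entry grants access. Without S-1-1-0 in user_sids, a
    document whose ACL only grants Everyone would be invisible to everyone."""
    held = set(user_sids)
    if held & set(deny_sids):
        return False
    return bool(held & set(allow_sids))


if __name__ == "__main__":
    # Constructed sample: a domain user in one domain group (no S-1-1-0 returned).
    token = effective_sids("S-1-5-21-1-2-3-1001", ["S-1-5-21-1-2-3-513"])
    print(token, is_authorized([EVERYONE], [], token))
```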