Microsoft to patch Active Directory

Network World Fusion

February 25, 2000
Web posted at: 8:09 a.m. EST (1309 GMT)

(IDG) -- Less than a week after releasing Windows 2000, Microsoft is already working on a patch for Active Directory that addresses problems with the directory's user administration features.

While Microsoft was engaged in another directory tit-for-tat last week with Novell, company officials acknowledged that at least one fix for Active Directory will be in the first Win 2000 service pack. No date has been set for the shipment of the service pack.

The acknowledgement of the Active Directory flaw came at the Windows 2000 Conference and Expo, which featured packed Active Directory conference sessions and some 200 Microsoft partners who lined up behind the official release of Win 2000.

The patch addresses a problem pointed out by members of Microsoft's Joint Development Program, a group of early adopters and high-level beta testers. Those people pressured the firm to address the issue they say could seriously complicate management of groups of users, according to sources.

The problem centers on Active Directory's requirement that administrators manage user groups as a single entity, or attribute, and not by individual user - a concept called multivalued attributes. Multivalued attributes mean administrators must update the entire attribute, or list, to add or delete even one name. If two administrators make changes to the list, one set of changes can be lost during replication. The result could be that a user deleted from a group membership could inadvertently be added back into the group and regain access rights and permissions associated with the group. Active Directory recognizes the list as one lump and cannot differentiate individual changes.

"This problem with multivalued attributes is only one administrator gets his changes logged in. Whichever administrator clicks last, wins," says J.R. Cunningham, lead systems administrator with CBS MarketWatch.com, an online financial news service in San Francisco. "If you have 5,000 end users with e-mail accounts, this is a pretty significant problem."

"The real issue is that it can be a security risk," says a systems analyst for a large multinational oil and gas company who asked not to be identified. "We're glad Microsoft is addressing it." The systems analyst said the workaround is to keep administration of group membership lists centralized and not spread it out over geographically distributed replicas of Active Directory.

"In large firms where you depend on replication, multivalued attributes could be a serious problem," says Laura DiDio, an analyst with Giga Information Group, a consultancy in Cambridge, Mass. "An administrator thinks he has something set up, but he doesn't. It could lead to anything from network errors to system crashes. It would be a massive time suck, especially when people are trying to get up to speed on a new operating system."

"The issue is a side effect of multimaster replication, and we are fixing it in the first service pack," says Pete Houston, group product manager for Active Directory. "The directory will go to another level of depth to investigate changes and do conflict resolution within groups." Houston says for now users shouldn't administer user groups from two locations.

Microsoft also recommends that nests of users be created within a single group-membership list to avoid conflicts when changes are made. Each nest can be managed as its own entity. But to support nesting within groups, users will have to update all their domain controllers to Win 2000.
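
The lost update described above, next to the per-member conflict resolution Houston describes for the service pack, as a toy Python model. This is an added example, not Microsoft's code or part of the original article; the replica layout, stamps, user names and the per-value merge rule are assumptions made for illustration.

```python
# Toy model of multimaster replication for one group's membership list.
# Not Active Directory code: stamps, replicas and user names are constructed.

def replicate_whole_attribute(a, b):
    """Whole-list resolution: the copy with the later stamp replaces the other."""
    return a if a["stamp"] > b["stamp"] else b

def replicate_per_value(a, b):
    """Per-member resolution: every member carries its own stamp and state."""
    merged = {}
    for member in a.keys() | b.keys():
        candidates = [r[member] for r in (a, b) if member in r]
        merged[member] = max(candidates, key=lambda v: v["stamp"])
    return merged

def whole_attribute_scenario():
    start = {"stamp": 1, "members": {"alice", "bob", "dave"}}
    # Admin 1 on replica A removes dave at t=2.
    replica_a = {"stamp": 2, "members": start["members"] - {"dave"}}
    # Admin 2 on replica B, still holding the t=1 list, adds erin at t=3.
    replica_b = {"stamp": 3, "members": start["members"] | {"erin"}}
    return replicate_whole_attribute(replica_a, replica_b)["members"]

def per_value_scenario():
    start = {m: {"stamp": 1, "present": True} for m in ("alice", "bob", "dave")}
    # The removal is kept as a stamped marker so it can win against older state.
    replica_a = dict(start, dave={"stamp": 2, "present": False})
    replica_b = dict(start, erin={"stamp": 3, "present": True})
    merged = replicate_per_value(replica_a, replica_b)
    return {m for m, v in merged.items() if v["present"]}

def reverted_removals(intended_removed, final_members):
    """Post-replication check: removals that did not survive convergence."""
    return set(intended_removed) & set(final_members)

if __name__ == "__main__":
    whole = whole_attribute_scenario()
    per_value = per_value_scenario()
    print("whole attribute:", sorted(whole), "reverted:", reverted_removals({"dave"}, whole))
    print("per value:      ", sorted(per_value), "reverted:", reverted_removals({"dave"}, per_value))
```

In the whole-attribute run, dave is back in the group after replication even though his removal was committed on one replica, which is the access-rights risk the article describes; comparing intended removals against converged membership is the check that surfaces it.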


