Published: 2002-10-22
Applies to: Content Studio ver. 3.2 + running on a server that
is a member of Active Directory
Type: Information
More information
The Content Studio runtime account must have permission to read every domain
user's group membership and public information from Active Directory. This right
was granted by default in NT 4 domains, but in Active Directory these permissions
are controlled by ACLs at the domain, container or object level. In AD this
permission is emulated by the alias "Pre-Windows 2000 Compatible Access", which by
default has the right to read this information. By default the Everyone group is a
member of this group, but if an administrator has removed it, the Content Studio
runtime is likely to fail to read the information it needs. Make sure that the
runtime account is a member of this alias.

Content Studio uses this user information when a user opens a session in Content
Studio, in order to detect the user's full name and group membership. The
information is cached internally in the user session; without it Content Studio
cannot authenticate the user, and access is denied.

Active Directory ACLs can also be used to prevent users from entering Content
Studio unless they are using Anonymous Access: prevent the runtime account from
reading public information on a certain OU or on a certain user object in AD. The
user will then get Access denied directly after doing a Windows logon in Internet
Explorer.
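
One way to run the membership check described above (an added example, not part of the original article or of Content Studio). The account name svc-contentstudio, the example.com domain and the sample member lists are constructed placeholders; the alias is addressed by its well-known SID S-1-5-32-554, and groups nested inside it are not resolved.

```powershell
# Added example: decide whether the runtime account is covered by the
# "Pre-Windows 2000 Compatible Access" alias, given the alias's member DNs.
function Test-CompatAccessMember {
    param(
        [Parameter(Mandatory)][string] $AccountDn,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]] $MemberDn
    )
    # Well-known principals that implicitly include an authenticated account.
    $implicit = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users' }

    foreach ($dn in $MemberDn) {
        if ($dn -ieq $AccountDn) {
            return [pscustomobject]@{ IsMember = $true; Via = 'direct membership' }
        }
        # Well-known SIDs are stored as CN=<SID>,CN=ForeignSecurityPrincipals,...
        if ($dn -match '^CN=(S-1-[\d-]+),CN=ForeignSecurityPrincipals,' -and
            $implicit.ContainsKey($Matches[1])) {
            return [pscustomobject]@{ IsMember = $true; Via = $implicit[$Matches[1]] }
        }
    }
    # Neither listed directly nor covered by a well-known principal.
    [pscustomobject]@{ IsMember = $false; Via = $null }
}

# Constructed sample data (hypothetical domain and account).
$account  = 'CN=svc-contentstudio,OU=Service Accounts,DC=example,DC=com'
$default  = @('CN=S-1-1-0,CN=ForeignSecurityPrincipals,DC=example,DC=com')
$hardened = @('CN=S-1-5-9,CN=ForeignSecurityPrincipals,DC=example,DC=com')  # Everyone removed
$fixed    = $hardened + $account                                            # account added explicitly

Test-CompatAccessMember -AccountDn $account -MemberDn $default
Test-CompatAccessMember -AccountDn $account -MemberDn $hardened
Test-CompatAccessMember -AccountDn $account -MemberDn $fixed

# Live use with the ActiveDirectory module:
#   $g = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member
#   $a = Get-ADUser  -Identity 'svc-contentstudio'
#   Test-CompatAccessMember -AccountDn $a.DistinguishedName -MemberDn $g.member
```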