PQ58079: CAN'T REMOVE PERMISSIONS THAT BELONG TO BUILTIN

A fix is available
WebSphere Application Server Version 3.5 Fix Pack 7 (3.5.7)

APAR

APAR status
Closed as program error.

Error description
Environment:
WebSphere Application Server 3.5.4 AE for Windows
.
Description:Environment:WebSphere Application Server 3.5.4 AE for Windows.
When WAS 3.5.4 security is enabled, the Windows box is part of a Windows network domain, Local OS is used, and the WAS service is set to run as Local System, default builtin local Windows groups appear in the Configure Permissions task with BUILTIN instead of the hostname. Trying to remove these BUILTIN group permissions fails in that when they are removed and the Configure Permissions task is run again, the BUILTIN permissions still exist.
Description:When WAS 3.5.4 security is enabled, the Windows box is partof a Windows network domain, Local OS is used, and the WASservice is set to run as Local System, default builtin localWindows groups appear in the Configure Permissions task withBUILTIN instead of the hostname. Trying to remove these BUILTINgroup permissions fails in that when they are removed and theConfigure Permissions task is run again, the BUILTINpermissions still exist.
Local fix
The workaround is to use XMLConfig to remove these BUILTIN
groups.
Problem summary
****************************************************************
* USERS AFFECTED: All WebSphere Application Server users of    *
*                 security                                     *
****************************************************************
* PROBLEM DESCRIPTION: BUILTIN not handled by GUI              *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When setting the IBM WS Server service to run as System in the
Windows OS instead of as a user when the Windows box that WAS
is running on is connected to a Windows domain, the task/wizard
to Configure Permissions won't allow users and groups of the
local WIndows box added as permissions to method groups to be
removed. This seems to be because when the IBM WS Server
service is running as System, the Windows API returns
BUILTIN/<user or group> instead of the server name, and WAS
doesn't recognize that BUILTIN is the same as the local
Windows machine.
Problem conclusion
BUILTIN account is now being handled properly in WebSphere
Application Server.
Temporary fix
PQ58079_354_test.jar
Comments
APAR information
APAR numberPQ58079
Reported component nameWAS STANDARD NT
Reported component ID5648C8301
Reported release350
StatusCLOSED PER
PENoPE
HIPERNoHIPER
Submitted date2002-02-19
Closed date2002-02-25
Last modified date2002-02-25

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:APAR is sysrouted FROM one or more of the following:


Modules/Macros
SECURITY
APAR is sysrouted TO one or more of the following:Modules/Macros

Fix information
Fixed component nameWAS STANDARD NT
Fixed component ID5648C8301

Applicable component levels
R350 PSYUP











Document Information

Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, General
Software version: 350
Reference #: PQ58079
IBM Group: Software Group
Modified date: 2002-02-25