An important bug involving the operation of Active Directory won't be addressed until Microsoft releases the next version of its operating system.

The flaw, which carries security implications, involves the necessity for administrators to change the details of an entire user group, or attribute, to add or delete a single user.

If separate administrators alter the same list, one set of changes is dropped during replication. This means, among other things, that a user who leaves a firm and whose access rights are pulled could still access a network.

Neil MacDonald, Director of Research at Gartner, said "this is a huge problem and creates significant security exposure".

"Microsoft has promised to fix this in Whistler server (which we expect in 1Q2002). However, all domain controllers must be upgraded to Whistler in order to fix this problem," said MacDonald.

Microsoft has suggested procedures for directory administration that get around the problem but has now indicated that users will have to upgrade their directory servers, or domain controllers, to Windows XP in order to obtain a complete fix. In the meantime the software giant is advising users to make changes on a single domain controller, so bypassing the replication problem.

A fix was expected to be included in Service Pack 2 for Windows 2000 but this has now being put back, for reasons a cynic would suggest have a great deal to do with a disappointingly poor uptake of Microsoft Active Directory (MAD). The directory technology has not become a "killer application" for the many users rolling out Windows 2000, so Microsoft is now apparently ironing out the bugs and repositioning MAD as a key reason to move to Windows XP (Whistler). ®