Microsoft KB Archive/263833

Demoting the Domain Controller Affects Permissions Containing Domain Local Groups

Q263833


The information in this article applies to:


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Server


SUMMARY
When using Microsoft Windows 2000 Server and Advanced Server in mixed mode, the boundaries for domain local groups are the domain controllers for the current domain. Domain local groups can only be used to assign, for example, Windows NT File System (NTFS) permissions or share permissions on domain controllers for the current domain.

When a domain controller is demoted, local groups are still accessible for the purposes of validating the group. File permissions or share permissions containing the domain local group still function. However, after the demotion, you are not able to add domain local groups to either the file or share permissions until the domain is switched to native mode.

MORE INFORMATION
A domain controller for Microsoft Windows NT 4.0 and Microsoft Windows 2000 can contain local groups that are not accessible or usable on a member server or workstation while the domain is in mixed mode. The domain controllers establish the boundaries of the local group. When a domain controller is demoted to a member server, NTFS permissions or share permissions that contain the domain local group continue to function. Members of the local group are still able to access the resource.

By opening the security properties on the resource, you can determine whether the group is assigned to the resource and whether it can be resolved by a domain controller. When a group or user cannot be resolved, the security identifier (SID) is listed instead of the friendly name. Even though the local group can be viewed in existing permissions, it cannot be added to any other permissions on the demoted server. Switching the domain to native mode provides the flexibility to add domain local groups to the resources. This rule applies to Windows 2000 domain controllers that have been demoted as well as to Windows NT 4.0 domain controllers that have been upgraded and left as member servers during the upgrade process.
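As an added example (not part of the original article), the same check can be scripted: the PowerShell below lists the ACL entries whose SID does not resolve to a friendly name. It assumes a Windows host with PowerShell, which is newer than the systems this article covers; the function name, the sample SID and the folder path are made up for illustration.

```powershell
# Added example (not from the KB article). The SID and SDDL below are constructed
# sample values; substitute the ACL of a real resource as shown at the end.
function Get-UnresolvedAce {
    param(
        [Parameter(Mandatory)]
        [System.Security.AccessControl.FileSystemSecurity]$Security,
        [string]$Label = '(sample)'
    )
    # Request trustees as SIDs so that name resolution is an explicit step.
    $rules = $Security.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference
        try {
            # Succeeds when the SID maps to a friendly name.
            $null = $sid.Translate([System.Security.Principal.NTAccount])
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # No name available: this is the entry the UI shows as a bare SID.
            [pscustomobject]@{
                Resource  = $Label
                Sid       = $sid.Value
                Rights    = $ace.FileSystemRights
                Access    = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Constructed descriptor: one ACE for a made-up domain SID, one for BUILTIN\Administrators.
$sample = New-Object System.Security.AccessControl.DirectorySecurity
$sample.SetSecurityDescriptorSddlForm(
    'D:(A;;FA;;;S-1-5-21-1111111111-2222222222-3333333333-1105)(A;;FA;;;BA)')
Get-UnresolvedAce -Security $sample | Format-Table -AutoSize

# Against a real folder (hypothetical path):
# Get-UnresolvedAce -Security (Get-Acl -LiteralPath 'D:\Shares\Example') -Label 'D:\Shares\Example'
```

Only the entry for the made-up SID is reported; the BUILTIN\Administrators entry resolves locally and is skipped.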

For additional information about domain local groups, click the article number below to view the article in the Microsoft Knowledge Base:

"Q259392 INFO: Domain Local Group Scope in Windows 2000 Domain Operation Modes"