Microsoft KB Archive/295323

= Windows NT 4.0 Policies May Not Work in a Windows 2000 Domain =

Article ID: 295323

Article Last Modified on 3/2/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows NT Workstation 4.0 Developer Edition
 * Microsoft Windows NT Server 4.0 Standard Edition

-



This article was previously published under Q295323



SYMPTOMS
After you upgrade a domain that is running Windows NT 4.0 to Windows 2000, Windows NT 4.0 policies may not be applied to client computers that are running Windows NT 4.0; instead, the policy that applies to the default user may be applied to all of the users.



CAUSE
This behavior can occur if you click the Permissions compatible only with Windows 2000 servers option when you run Dcpromo.exe if the clients that are running Windows NT 4.0 are running Service Pack 4 (SP4) or earlier.



RESOLUTION
To work around this behavior, use one of the following methods:  Apply Service Pack 6a (SP6a).

-or- Add the Everyone group to the Pre-Windows 2000 Compatible Access group if you cannot roll out SP6a immediately. Note that you cannot add the Everyone group by using the Active Directory Users and Computers snap-in. To add the Everyone group, type the following command at a command prompt, and then press ENTER (note that the quotation marks are necessary in the command because the target group name contains spaces):

net localgroup &quot;Pre-Windows 2000 Compatible Access&quot; everyone /add

You can reverse this command if you type the following command at a command prompt and then press ENTER:

net localgroup &quot;Pre-Windows 2000 Compatible Access&quot; everyone





STATUS
This behavior is by design.



MORE INFORMATION
When a user logs on to a domain from a computer that is running Windows NT 4.0, the computer checks for policies that are in effect on the domain. If there are policies in effect, then the computer queries the domain controller by using the NetUserGetGroups function to find the groups to which the user belongs. This function is made with null credentials from a computer that is running Windows NT 4.0 SP4. This behavior is modified in Service Pack 6 (SP6).

For more information about this behavior, view the following Microsoft Web site:

http://msdn.microsoft.com/library/psdk/network/ntlmapi2_10xf.htm

For additional information about permissions and Dcpromo, click the article number below to view the article in the Microsoft Knowledge Base:

257988 Description of Dcpromo Permissions Choices

Keywords: kbdcpromo kbdomain kbenv kbprb KB295323

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.