Microsoft KB Archive/259392

INFO: Domain Local Group Scope in Windows 2000 Domain Operation Modes

Q259392


The information in this article applies to:


 * Microsoft Win32 Application Programming Interface (API), included with:
   * the operating system: Microsoft Windows 2000


SUMMARY
This article explains the scope of the Active Directory Domain Local Group in a Windows 2000 domain and how the Domain Local Security Group scope is applied in the access token associated with a logged-on user.

MORE INFORMATION
A Windows 2000 domain that is operating in mixed mode can have Microsoft Windows NT 4.0 Backup Domain Controllers (BDCs) as members of the domain. However, a Windows 2000 domain that is operating in native mode cannot have Microsoft Windows NT 4.0 BDCs as members of the domain. If a Windows 2000 domain is operating in mixed mode, the scope of a Domain Local Group is within the set of domain controllers only. The domain controllers include Windows 2000 domain controllers as well as Windows NT 4.0 BDCs. The Windows 2000 Domain Local Group Scope behaves similarly to the Windows NT Local Group in mixed mode. If the Windows 2000 domain is operating in native mode, the scope of a Domain Local Group is within all the members of the domain.

Active Directory groups can be either security groups or distribution groups. Only security groups listed in Access Control Lists (ACLs) can be used to secure resources and objects. Distribution groups are not security enabled. The access control functions allow any valid group SID to be specified in an Access Control Entry (ACE). However, the token that the system generates for a logged-on user contains only security groups.

In a Windows 2000 domain that is operating in mixed mode, if a domain user who is a member of a Domain Local Security Group logs on, the token that is generated for the logged-on user will not have the Domain Local Security Group in TOKEN_GROUPS.

In a Windows 2000 domain that is operating in native mode, if a domain user who is a member of a Domain Local Security Group logs on, the token that is generated for the logged-on user has the Domain Local Security Group in TOKEN_GROUPS.
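
To confirm which of the two cases above applies on a given machine, the following added example (not part of the original KB article) reports whether named groups are present in the current logon token. The function name `Test-GroupInToken` and the group name `CONTOSO\DL-FileShare-RW` are hypothetical; the script assumes Windows PowerShell 3.0 or later.

```powershell
# Added example: check whether specific security groups made it into the
# token of the user running this script. Run it on the machine where the
# ACL is evaluated, in a fresh logon session.
function Test-GroupInToken {
    param(
        [Parameter(Mandatory)]
        [string[]]$GroupName   # e.g. 'CONTOSO\DL-FileShare-RW' (hypothetical)
    )

    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # Group SIDs that .NET exposes from the token's TOKEN_GROUPS.
    $tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

    foreach ($name in $GroupName) {
        try {
            # Resolve the group name to its SID.
            $account = New-Object System.Security.Principal.NTAccount($name)
            $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        } catch {
            Write-Warning "Cannot resolve '$name' to a SID: $($_.Exception.Message)"
            continue
        }

        # An ACE that names this group only takes effect for this user
        # when InToken is True.
        [pscustomobject]@{
            User    = $identity.Name
            Group   = $name
            Sid     = $sid.Value
            InToken = $tokenSids -contains $sid.Value
        }
    }
}

# Constructed sample call; replace with a Domain Local Security Group
# the user is a member of.
Test-GroupInToken -GroupName 'CONTOSO\DL-FileShare-RW'
```

If `InToken` is `False` for a Domain Local Security Group the user belongs to, an ACE that names that group will not match the user's token on that machine.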