Microsoft KB Archive/324922

= How to prevent domain administrators from converting a domain to Native Mode =

Article ID: 324922

Article Last Modified on 10/30/2006

-

APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Service Pack 3
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q324922



SUMMARY
This article describes how to make the Change Mode button for domain mode conversion unavailable to domain administrators. This reduces the chance that an administrator who does not have Enterprise Administrator rights can convert a domain from Mixed Mode to Native Mode.

Note If you remove the write permission from the nTMixedDomain property, the Change Mode button is unavailable to domain administrators. However, domain administrators can make the button available again by granting themselves write permission to this property.



MORE INFORMATION
To make the Change Mode button unavailable to domain administrators, follow these steps:
 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) On the View menu, click Advanced Features.
 * 3) In the left pane, right-click the domain name, and then click Properties.
 * 4) Click the Security tab, and then click Advanced.
 * 5) Click Add, type Administrators in the Name box, and then click OK.
 * 6) Click the Properties tab.
 * 7) In the Apply onto drop-down list, make sure that This object only is selected.
 * 8) In the Permissions list, click to select the Deny box for Write NTMixedDomain, and then click OK two times.
 * 9) Click Yes if you are prompted, and then click OK.

To make the Change Mode button available again, follow these steps:
 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) On the View menu, click Advanced Features.
 * 3) In the left pane, right-click the domain name, and then click Properties.
 * 4) Click the Security tab, and then click Advanced.
 * 5) In the Permission Entries list, click the Administrators entry for which you denied write permission, and then click Remove.
 * 6) Click Apply, and then click OK two times.

Keywords: kbinfo kbenv KB324922

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.