Microsoft KB Archive/257942



Error Message: Unable to Browse the Selected Domain Because the Following Error Occurred...

Article ID: 257942

Article Last Modified on 3/1/2007



APPLIES TO

  • Microsoft Windows NT Server 4.0, Terminal Server Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows NT Server 4.0 Standard Edition
  • Microsoft Windows NT Server 4.0 Enterprise Edition



This article was previously published under Q257942


SYMPTOMS

When you are trying to add users from a Windows 2000-based domain to an access control list (ACL) or group on a Windows NT 4.0-based system, the list of users may not be enumerated and you may receive the following error message:

Unable to browse the selected domain because the following error occurred: Access is denied.

CAUSE

This issue occurs when a Windows NT 4.0-based system attempts to enumerate the list of users from a Windows 2000-based domain. Windows NT 4.0 first attempts to connect to the Windows 2000-based domain controller with the account used to log on to the Windows NT 4.0-based system. If this account is not a member of the Windows 2000-based domain or trusted domain, the connection does not succeed. Windows NT 4.0 then tries a null connection, and this also does not succeed.

This is expected behavior if, when you promote the Windows 2000-based domain controller, you specify the following option during the Dcpromo process:

Permissions compatible only with Windows 2000 servers

Select this option if you run server programs only on Windows 2000 servers that are members of Windows 2000 domains. Only authenticated users can read information on this domain.


RESOLUTION

To resolve this issue, add the Everyone group to the "Pre-Windows 2000 Compatible Access" group on the Windows 2000-based domain controller, and then reboot the domain controller.

To make the change, run the following command from a command prompt. Run the command as specified, including the quotation marks. The quotation marks are necessary because the target group name contains spaces.

To add the Everyone group:

net localgroup "Pre-Windows 2000 Compatible Access" everyone /add
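
To confirm the group membership after running the command, list the group with net localgroup "Pre-Windows 2000 Compatible Access" and check the members. The following is an added example, not part of the original article: it parses saved output of that command and reports whether Everyone is listed. The sample output is constructed and assumes English-language Windows; the function names are hypothetical.

```python
import re

GROUP = "Pre-Windows 2000 Compatible Access"

# Constructed sample output (English-language Windows assumed), not captured
# from a real system.
SAMPLE_OUTPUT = """\
Alias name     Pre-Windows 2000 Compatible Access
Comment        Constructed comment text

Members

-------------------------------------------------------------------------------
Everyone
NT AUTHORITY\\Authenticated Users
The command completed successfully.
"""


def parse_localgroup(output):
    """Return (alias_name, members) parsed from `net localgroup <group>` output."""
    alias, members, in_list = None, [], False
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith("alias name"):
            alias = line[len("alias name"):].strip()
        elif re.fullmatch(r"-{10,}", line):
            in_list = True           # members start after the dashed separator
        elif in_list:
            if line.lower().startswith("the command completed"):
                break                # status line ends the member list
            if line:
                members.append(line)
    return alias, members


def everyone_is_member(output, group=GROUP):
    """True if the output is for `group` and lists Everyone as a member."""
    alias, members = parse_localgroup(output)
    if alias is None or alias.lower() != group.lower():
        raise ValueError("output is not for group %r" % group)
    # Compare on the account name only, ignoring any DOMAIN\ prefix.
    return any(m.split("\\")[-1].lower() == "everyone" for m in members)


if __name__ == "__main__":
    print(parse_localgroup(SAMPLE_OUTPUT)[1])
    print("Everyone present:", everyone_is_member(SAMPLE_OUTPUT))
```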


For additional information about this group and its functionality, please see the following article in the Microsoft Knowledge Base:

257988 Description of Dcpromo Permissions Choices


MORE INFORMATION

NOTE: You must reboot all the domain controllers after adding the Everyone group to the "Pre-Windows 2000 Compatible Access" group; otherwise, the change will not take effect. If you reboot only the DC on which you made the change, only that DC will be affected unless you also reboot the rest of the DCs in the domain.

Keywords: kbenv kberrmsg kbprb KB257942