Littlelegs 2007-02-24 22:30:24
What (if any) groups should be in the Pre-Windows 2000 group as part of
completing the retirement of an NT4 domain? The servers are all 2003.
We looked at removing the Everyone group from Pre-Windows 2000 and it caused
the Group Policy processing to abort.
The functional level has not been raised yet because there are still NT4
SIDs on one file server which will be translated over the next few months. I
just want to be prepared for the end tasks to fully complete the migration.
V-xuwen@online 2007-02-24 22:30:31
If you select the “Permissions compatible with pre-Windows 2000 server
operating systems” option during the DCPromo process when you create a
domain, the “Everyone” group is added into the “Pre-Windows 2000 Compatible
Access” group. If the “Permissions compatible only with Windows 2000 or
Windows Server 2003 operating systems” is selected, the “Everyone” group
will not be added into the “Pre-Windows 2000 Compatibility Access” group.
The effect of nesting the Everyone group is to either allow or disallow
anonymous (null) connections. Microsoft Windows NT 4.0 clients use null
connections to perform various actions. Without the Everyone group nested,
certain Windows NT 4.0 null credential actions do not work.
If the option you choose during Dcpromo is not the option you want to
use later, you can reverse it. To reverse the choice, either add or remove
the Everyone group from the built-in Pre-Windows 2000 Compatible Access
group. You cannot perform this action by using the Active Directory Users
and Computers snap-in.
To make the change, run one of the following commands from a command
prompt. Run the commands as specified, including the quotation marks. The
quotation marks are necessary because the target group name contains spaces.
To add the Everyone group:
net localgroup "Pre-Windows 2000 Compatible Access" everyone /add
To remove the Everyone group:
net localgroup "Pre-Windows 2000 Compatible Access" everyone /delete
NOTE: You have to make sure that you reboot all the domain controllers after
adding or removing the Everyone group in the “Pre-Windows 2000 Compatible
Access” group, otherwise it will not take effect. Also remember that if you only
reboot the DC that you do it on, only that DC will be affected unless you
also reboot the rest of the DCs in the domain.
Microsoft Online Partner Support
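An added example, not part of the thread: a PowerShell audit that reports, for each domain controller, whether Everyone, Anonymous Logon or Authenticated Users is nested in the built-in Pre-Windows 2000 Compatible Access group, matching by well-known SID rather than by name. It assumes the ActiveDirectory module (RSAT), which is newer than the tools discussed above, and it reads directory state only, so it does not show whether a DC has been rebooted since the change.

```powershell
# Added example: audit "Pre-Windows 2000 Compatible Access" membership per DC.
# Assumption: the ActiveDirectory PowerShell module (RSAT) is installed.
Import-Module ActiveDirectory

# Well-known SID of the built-in group (same in every domain).
$groupSid = 'S-1-5-32-554'

function Get-WellKnownSidFromDn {
    param([string]$DistinguishedName)
    # Well-known principals are stored as
    # CN=<SID>,CN=ForeignSecurityPrincipals,DC=...
    if ($DistinguishedName -match '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,') {
        return $Matches[1]
    }
    return $null
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Ask each DC directly so a copy that has not replicated yet is visible.
        $group = Get-ADGroup -Identity $groupSid -Properties member `
                             -Server $dc.HostName -ErrorAction Stop
        $sids = @($group.member |
                  ForEach-Object { Get-WellKnownSidFromDn $_ } |
                  Where-Object { $_ })
        [pscustomobject]@{
            DomainController   = $dc.HostName
            Everyone           = $sids -contains 'S-1-1-0'
            AnonymousLogon     = $sids -contains 'S-1-5-7'
            AuthenticatedUsers = $sids -contains 'S-1-5-11'
            Error              = $null
        }
    }
    catch {
        # Record unreachable DCs instead of silently skipping them.
        [pscustomobject]@{
            DomainController   = $dc.HostName
            Everyone           = $null
            AnonymousLogon     = $null
            AuthenticatedUsers = $null
            Error              = $_.Exception.Message
        }
    }
}

$report | Format-Table -AutoSize
```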