Description of Dcpromo Permissions Choices (257988)

The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

This article was previously published under Q257988

SUMMARY

When you run Dcpromo.exe to promote a Windows 2000-based server to a domain controller, a dialog box appears prompting you for a permissions preference. This article describes the available options and how to reverse the choice you made.

MORE INFORMATION

During the Dcpromo process, the following dialog box appears:

Permissions

Some server programs, such as Windows NT Remote Access Service, read information stored on domain controllers.

--> Permissions compatible with pre-Windows 2000 servers
Select this option if you run server programs on pre-Windows 2000 servers or on Windows 2000 servers that are members of pre-Windows 2000 domains.

Anonymous users can read information on this domain.

--> Permissions compatible only with Windows 2000 servers
Select this option if you run server programs only on Windows 2000 servers that are members of Windows 2000 domains. Only authenticated users can read information on this domain.

No matter which option you choose, the built-in Pre-Windows 2000 Compatible Access group is added in the access control lists (ACLs) and user rights throughout Active Directory and the domain controller. However, with the first option, permissions compatible with pre-Windows 2000-based servers are selected, and the Everyone group is nested in the Pre-Windows 2000 Compatible Access group. If you choose the second option, the Everyone group is not nested.

The effect of nesting the Everyone group is to either allow or disallow anonymous (null) connections. Microsoft Windows NT 4.0 clients use null connections to perform various actions. Without the Everyone group nested, certain Windows NT 4.0 null credential actions do not work.

If the option you choose during Dcpromo is not the option you want to use later, you can reverse it. To reverse the choice, either add or remove the Everyone group from the built-in Pre-Windows 2000 Compatible Access group. You cannot perform this action by using the Active Directory Users and Computers snap-in.

To make the change, run one of the following commands from a command prompt. Run the commands as specified, including the quotation marks. The quotation marks are necessary because the target group name contains spaces.

To add the Everyone group:

net localgroup "Pre-Windows 2000 Compatible Access" everyone /add

To remove the Everyone group:

net localgroup "Pre-Windows 2000 Compatible Access" everyone /delete
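The following read-only audit script is an added example and is not part of this article. It parses the output of the same net localgroup command shown above to report whether the Everyone group is currently nested in the Pre-Windows 2000 Compatible Access group on the domain controller it runs on, that is, whether the "compatible with pre-Windows 2000 servers" choice is in effect. It assumes it is run in PowerShell on a domain controller where net.exe is available; the function name Get-CompatGroupMembers is this example's own.

```powershell
# Added audit script, not part of the KB article. Reports whether Everyone is
# nested in "Pre-Windows 2000 Compatible Access" on the domain controller it
# runs on. Read-only: it only parses "net localgroup" output and changes nothing.
$GroupName = 'Pre-Windows 2000 Compatible Access'

function Get-CompatGroupMembers {
    param([string]$Name)
    $lines = & net.exe localgroup $Name 2>&1
    if ($LASTEXITCODE -ne 0) { throw "net localgroup failed: $($lines -join ' ')" }

    # Members are listed between the dashed separator line and the trailing
    # "The command completed successfully." line.
    $members = New-Object System.Collections.Generic.List[string]
    $inList = $false
    foreach ($raw in $lines) {
        $line = ([string]$raw).Trim()
        if (-not $inList) { if ($line -match '^-{5,}$') { $inList = $true }; continue }
        if ($line -match '^The command completed') { break }
        if ($line) { $members.Add($line) }
    }
    return $members
}

$members = Get-CompatGroupMembers -Name $GroupName

# Everyone (S-1-1-0) is displayed without an authority prefix; match defensively
# in case a prefix is shown.
$everyoneNested = [bool]($members | Where-Object { $_ -match '(^|\\)Everyone$' })

# Not from the article: on Windows Server 2003 and later, anonymous access to
# this group rides on ANONYMOUS LOGON rather than Everyone, so flag that too.
$anonNested = [bool]($members | Where-Object { $_ -match 'ANONYMOUS LOGON$' })

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    Group          = $GroupName
    Members        = $members -join '; '
    EveryoneNested = $everyoneNested
    AnonymousLogon = $anonNested
    AnonymousReads = ($everyoneNested -or $anonNested)
    Reminder       = 'Membership changes take effect on a DC only after that DC is rebooted.'
}
```

Run it on each domain controller in the domain, since the article notes that a change applied on one domain controller is not in effect on the others until they are rebooted.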

There are several known issues arising from selecting one choice instead of the other. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

240855 Using Windows NT 4.0 RAS Servers in a Windows 2000 Domain

NOTE: Make sure that you reboot all of the domain controllers after adding or removing the Everyone group in "Pre-Windows 2000 Compatible Access"; otherwise the change does not take effect. Also remember that if you reboot only the domain controller on which you made the change, only that domain controller is affected unless you also reboot the rest of the domain controllers in the domain.

Modification Type: Major
Last Reviewed: 1/13/2005
Keywords: kbDCPromo kbenv kbinfo KB257988