You cannot connect to a Windows Server 2003 Active Directory domain that has been upgraded from Windows 2000 Active Directory (890757)


The information in this article applies to:

  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition

SYMPTOMS

You cannot connect to a Microsoft Windows Server 2003 Active Directory domain that has been upgraded from Microsoft Windows 2000 Active Directory by using the Active Directory Service Interfaces (ADSI) WinNT provider.

Notes
  • This problem only occurs when you try to connect to a built-in container in Active Directory, such as the Pre-Windows 2000 Compatible Access group.
  • This problem does not occur if you try to connect to a domain where Windows Server 2003 Active Directory was a new installation.

CAUSE

This problem occurs because of the following difference in permissions:
  • On a domain where Windows Server 2003 Active Directory has been upgraded from Windows 2000 Active Directory, the Pre-Windows 2000 Compatible Access group has the Read Permissions permission only.
  • On a domain where Windows Server 2003 Active Directory was a new installation, the Pre-Windows 2000 Compatible Access group has the Read Permissions permission and the Read all Properties permission.

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows Server 2003. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

889100 How to obtain the latest service pack for Windows Server 2003

WORKAROUND

To work around this problem, add the ANONYMOUS LOGON group to the Pre-Windows 2000 Compatible Access group, and then grant the Pre-Windows 2000 Compatible Access group the Read all Properties permission on the built-in container.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was corrected in Windows Server 2003 Service Pack 1 (SP1).

REFERENCES

For more information about permissions and group membership changes in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

278259 Everyone group does not include anonymous security identifier

Modification Type:MajorLast Reviewed:7/25/2005
Keywords:kbQFE kbfix KB890757 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.